privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/acme-client: init

Browse source
This commit is contained in:
Max Headroom 2022-08-07 21:06:17 +02:00
parent cfd82880e4
commit 52459c42c1
6 changed files with 17 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
cluster/services/acme-client/client.nix Normal file
View file

@ -0,0 +1,10 @@
{ cluster, config, pkgs, ... }:
{
age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; };
security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" ''
PDNS_API_URL=${cluster.config.links.powerdns-api.url}
PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path}
'';
}

6
cluster/services/acme-client/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
services.acme-client = {
nodes.client = [ "VEGAS" ];
nixos.client = ./client.nix;
};
}

5
hosts/VEGAS/services/ipfs/default.nix
View file

@ -83,14 +83,11 @@ in
}; };
services.oauth2_proxy.nginx.virtualHosts = [ "ipfs.admin.${domain}" ]; services.oauth2_proxy.nginx.virtualHosts = [ "ipfs.admin.${domain}" ];
inherit (tools.acme.dns01) age;
security.acme.certs."ipfs.${domain}" = { security.acme.certs."ipfs.${domain}" = {
domain = "*.ipfs.${domain}"; domain = "*.ipfs.${domain}";
extraDomainNames = [ "*.ipns.${domain}" ]; extraDomainNames = [ "*.ipns.${domain}" ];
dnsProvider = "rfc2136"; dnsProvider = "pdns";
group = "nginx"; group = "nginx";
inherit (tools.acme.dns01) credentialsFile;
}; };
services.nginx.virtualHosts."ipfs.${domain}" = vhosts.basic // { services.nginx.virtualHosts."ipfs.${domain}" = vhosts.basic // {

1
secrets.nix
View file

@ -14,7 +14,6 @@ in with hosts;
"cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ]; "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"secrets/acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];

24
tools/acme.nix
View file

@ -1,24 +0,0 @@
# internal interface
{ toolsets }:
# external interface
{ config ? null, nameserver ? (toolsets.identity {}).dns.master.addr, ... }:
let
tools = (self: {
dns01 = {
age.secrets.acme-dns-key = {
file = ../secrets/acme-dns-key.age;
owner = "acme";
group = "acme";
mode = "0400";
};
credentialsFile = builtins.toFile "acme-dns01-env" ''
RFC2136_NAMESERVER=${nameserver}
RFC2136_TSIG_KEY=acme-challenge.void
RFC2136_TSIG_ALGORITHM=hmac-sha256
RFC2136_TSIG_SECRET_FILE=${config.age.secrets.acme-dns-key.path}
'';
};
}) tools;
in tools

1
tools/default.nix
View file

@ -1,7 +1,6 @@
let toolsets = { let toolsets = {
meta = import ./meta.nix; meta = import ./meta.nix;
acme = import ./acme.nix { inherit toolsets; };
identity = import ./identity.nix { inherit toolsets; }; identity = import ./identity.nix { inherit toolsets; };
networks = import ./networks.nix { inherit toolsets; }; networks = import ./networks.nix { inherit toolsets; };
nginx = import ./nginx.nix { inherit toolsets; }; nginx = import ./nginx.nix { inherit toolsets; };