cluster/services/acme-client: init

2022-08-07 21:06:17 +02:00 · 2022-08-07 21:06:17 +02:00 · 52459c42c1
commit 52459c42c1
parent cfd82880e4
6 changed files with 17 additions and 30 deletions
--- a/cluster/services/acme-client/client.nix
+++ b/cluster/services/acme-client/client.nix
@ -0,0 +1,10 @@
+{ cluster, config, pkgs, ... }:
+
+{
+  age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; };
+
+  security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" ''
+    PDNS_API_URL=${cluster.config.links.powerdns-api.url}
+    PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path}
+  '';
+}
--- a/cluster/services/acme-client/default.nix
+++ b/cluster/services/acme-client/default.nix
@ -0,0 +1,6 @@
+{
+  services.acme-client = {
+    nodes.client = [ "VEGAS" ];
+    nixos.client = ./client.nix;
+  };
+}
--- a/hosts/VEGAS/services/ipfs/default.nix
+++ b/hosts/VEGAS/services/ipfs/default.nix
@ -83,14 +83,11 @@ in
  };
  services.oauth2_proxy.nginx.virtualHosts = [ "ipfs.admin.${domain}" ];

-  inherit (tools.acme.dns01) age;
-
  security.acme.certs."ipfs.${domain}" = {
    domain = "*.ipfs.${domain}";
    extraDomainNames = [ "*.ipns.${domain}" ];
-    dnsProvider = "rfc2136";
+    dnsProvider = "pdns";
    group = "nginx";
-    inherit (tools.acme.dns01) credentialsFile;
  };

  services.nginx.virtualHosts."ipfs.${domain}" = vhosts.basic // {
--- a/secrets.nix
+++ b/secrets.nix
@ -14,7 +14,6 @@ in with hosts;
  "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
-  "secrets/acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "secrets/gitlab-openid-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
--- a/tools/acme.nix
+++ b/tools/acme.nix
@ -1,24 +0,0 @@
-# internal interface
-{ toolsets }:
-# external interface
-{ config ? null, nameserver ? (toolsets.identity {}).dns.master.addr, ... }:
-let
-  tools = (self: {
-
-    dns01 = {
-      age.secrets.acme-dns-key = {
-        file = ../secrets/acme-dns-key.age;
-        owner = "acme";
-        group = "acme";
-        mode = "0400";
-      };
-      credentialsFile = builtins.toFile "acme-dns01-env" ''
-        RFC2136_NAMESERVER=${nameserver}
-        RFC2136_TSIG_KEY=acme-challenge.void
-        RFC2136_TSIG_ALGORITHM=hmac-sha256
-        RFC2136_TSIG_SECRET_FILE=${config.age.secrets.acme-dns-key.path}
-      '';
-    };
-
-  }) tools;
-in tools
--- a/tools/default.nix
+++ b/tools/default.nix
@ -1,7 +1,6 @@
 let toolsets = {
    meta = import ./meta.nix;

-    acme = import ./acme.nix { inherit toolsets; };
    identity = import ./identity.nix { inherit toolsets; };
    networks = import ./networks.nix { inherit toolsets; };
    nginx = import ./nginx.nix { inherit toolsets; };