From 79478c44ed402b56920ba681930d0b7cadeaf31d Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 10 Aug 2024 13:37:36 +0200
Subject: [PATCH] cluster/services/acme-client: implement augment for external ACME services
---
 cluster/services/acme-client/augment.nix | 60 ++++++++++++++++++++++++
 cluster/services/acme-client/default.nix | 1 +
 2 files changed, 61 insertions(+)
 create mode 100644 cluster/services/acme-client/augment.nix
diff --git a/cluster/services/acme-client/augment.nix b/cluster/services/acme-client/augment.nix
new file mode 100644
index 0000000..a16a559
--- /dev/null
+++ b/cluster/services/acme-client/augment.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+
+let
+ lift = config;
+in
+
+{
+ nowhere.names = {
+ "acme-v02.api.letsencrypt.org" = "stepCa";
+ "api.buypass.com" = "stepCa";
+ };
+
+ nodes.nowhere = { config, ... }: {
+ links.stepCa.protocol = "https";
+
+ environment.etc.step-ca-password.text = "";
+
+ services = {
+ step-ca = {
+ enable = true;
+ address = config.links.stepCa.ipv4;
+ inherit (config.links.stepCa) port;
+ intermediatePasswordFile = "/etc/step-ca-password";
+ settings = {
+ root = "${lift.nowhere.certs.ca}/ca.pem";
+ crt = "${lift.nowhere.certs.intermediate}/cert.pem";
+ key = "${lift.nowhere.certs.intermediate}/cert-key.pem";
+ address = config.links.stepCa.tuple;
+ db = {
+ type = "badgerv2";
+ dataSource = "/var/lib/step-ca/db";
+ };
+ authority.provisioners = [
+ {
+ type = "ACME";
+ name = "snakeoil";
+ challenges = [
+ "dns-01"
+ "http-01"
+ ];
+ }
+ ];
+ };
+ };
+
+ nginx.virtualHosts = {
+ "acme-v02.api.letsencrypt.org".locations."/".extraConfig = ''
+ rewrite /directory /acme/snakeoil/directory break;
+ '';
+ "api.buypass.com".locations."/".extraConfig = ''
+ rewrite /acme/directory /acme/snakeoil/directory break;
+ '';
+ };
+ };
+ };
+
+ defaults.environment.etc."dummy-secrets/acmeDnsApiKey".text = "ACME_DNS_DIRECT_STATIC_KEY=simulacrum";
+ defaults.environment.etc."dummy-secrets/acmeDnsDirectKey".text = "ACME_DNS_DIRECT_STATIC_KEY=simulacrum";
+ defaults.environment.etc."dummy-secrets/acmeDnsDbCredentials".text = "PGPASSWORD=simulacrum";
+}
diff --git a/cluster/services/acme-client/default.nix b/cluster/services/acme-client/default.nix
index 07346c2..ed2c82d 100644
--- a/cluster/services/acme-client/default.nix
+++ b/cluster/services/acme-client/default.nix
@@ -2,5 +2,6 @@
 services.acme-client = {
 nodes.client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
 nixos.client = ./client.nix;
+ simulacrum.augments = ./augment.nix;
 };
 }
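Review bot: Nothing in augment.nix states that it is test-only, yet it maps the real `acme-v02.api.letsencrypt.org` and `api.buypass.com` names onto a local step-ca whose intermediate key is a Nix store path (`${lift.nowhere.certs.intermediate}/cert-key.pem`, world-readable) and whose password file is the empty `environment.etc.step-ca-password.text = ""` under /etc; a header comment should make that explicit so the augment is never reused outside the simulacrum, e.g. `# Simulacrum only: hijacks the public ACME endpoints and serves them from a throwaway step-ca; the CA key and the empty intermediate password are deliberately non-secret.` The `lift = config;` binding exists only because the node-level `{ config, ... }:` shadows the cluster-level config, which deserves a one-line comment such as `# cluster-level config; shadowed by the per-node config below`. The `rewrite /directory …` and `rewrite /acme/directory …` patterns are unanchored regexes, so they also match any longer URI containing those substrings; `rewrite ^/directory$ /acme/snakeoil/directory break;` and `rewrite ^/acme/directory$ /acme/snakeoil/directory break;` pin them to the directory endpoint. Whether `dummy-secrets/acmeDnsApiKey` is meant to carry the same `ACME_DNS_DIRECT_STATIC_KEY=` variable as `acmeDnsDirectKey` cannot be judged from this hunk; confirm that the consumer of the API-key file expects that variable name rather than a copy-paste of the direct-key one.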