cluster/services/acme-client: implement augment for external ACME services
This commit is contained in:
parent
d9317cd69a
commit
79478c44ed
2 changed files with 61 additions and 0 deletions
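--- a/cluster/services/acme-client/augment.nix
+++ b/cluster/services/acme-client/augment.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+
+let
+lift = config;
+in
+
+{
+nowhere.names = {
+"acme-v02.api.letsencrypt.org" = "stepCa";
+"api.buypass.com" = "stepCa";
+};
+
+nodes.nowhere = { config, ... }: {
+links.stepCa.protocol = "https";
+
+environment.etc.step-ca-password.text = "";
+
+services = {
+step-ca = {
+enable = true;
+address = config.links.stepCa.ipv4;
+inherit (config.links.stepCa) port;
+intermediatePasswordFile = "/etc/step-ca-password";
+settings = {
+root = "${lift.nowhere.certs.ca}/ca.pem";
+crt = "${lift.nowhere.certs.intermediate}/cert.pem";
+key = "${lift.nowhere.certs.intermediate}/cert-key.pem";
+address = config.links.stepCa.tuple;
+db = {
+type = "badgerv2";
+dataSource = "/var/lib/step-ca/db";
+};
+authority.provisioners = [
+{
+type = "ACME";
+name = "snakeoil";
+challenges = [
+"dns-01"
+"http-01"
+];
+}
+];
+};
+};
+
+nginx.virtualHosts = {
+"acme-v02.api.letsencrypt.org".locations."/".extraConfig = ''
+rewrite /directory /acme/snakeoil/directory break;
+'';
+"api.buypass.com".locations."/".extraConfig = ''
+rewrite /acme/directory /acme/snakeoil/directory break;
+'';
+};
+};
+};
+
+defaults.environment.etc."dummy-secrets/acmeDnsApiKey".text = "ACME_DNS_DIRECT_STATIC_KEY=simulacrum";
+defaults.environment.etc."dummy-secrets/acmeDnsDirectKey".text = "ACME_DNS_DIRECT_STATIC_KEY=simulacrum";
+defaults.environment.etc."dummy-secrets/acmeDnsDbCredentials".text = "PGPASSWORD=simulacrum";
+}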
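Review bot: `environment.etc.step-ca-password.text = "";` writes an empty intermediate-key password into a world-readable /etc file, and `key = "${lift.nowhere.certs.intermediate}/cert-key.pem"` serves the CA key straight from the (world-readable) Nix store, while the `nowhere.names` entries appear to redirect the real Let's Encrypt and Buypass hostnames to this CA for every node in the simulation; that is only acceptable because the file is wired in as a simulacrum augment, and nothing in the file says so. I would add a header comment above `nowhere.names`: `# Simulation-only: impersonates the public ACME endpoints with a local step-ca. Passwords and dummy-secrets are deliberately empty/fake and the CA key lives in the store — never import this outside simulacrum.` Separately, `rewrite /directory /acme/snakeoil/directory break;` is an unanchored regex, so any request path containing `/directory` is rewritten to the snakeoil directory; `rewrite ^/directory$ /acme/snakeoil/directory break;` (and `^/acme/directory$` for the Buypass host) pins it to the directory endpoint the clients actually request. Also `address` is set both on `services.step-ca` and in `settings.address`; if the NixOS module already derives the latter from the former, the duplicate is worth dropping, but that needs checking against the module.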
@ -2,5 +2,6 @@
services.acme-client = {
services.acme-client = {
nodes.client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
nodes.client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
nixos.client = ./client.nix;
nixos.client = ./client.nix;
simulacrum.augments = ./augment.nix;
};
};
}
}