From 99b8c155d916d65fda93cc55e92052531abd8bba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?=
Date: Fri, 14 Jan 2022 17:44:25 +0100
Subject: [PATCH] Add acme certificates

---
 config/nixos-8gb-fsn1-1.nix | 2 +-
 config/services/acme.nix | 23 +++++++++++++++++++++++
 config/services/haproxy.nix | 2 ++
 config/sops.nix | 1 +
 secrets/nixos-8gb-fsn1-1/secrets.yaml | 7 +++++--
 5 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 config/services/acme.nix
 create mode 100644 config/services/haproxy.nix

diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix
index fe0d2797..8cf79055 100644
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
@@ -7,6 +7,7 @@
     ./grub.nix
     ./server.nix
     ./containers/named.nix
+    ./services/acme.nix
   ];
 
   boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
@@ -14,7 +15,6 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
   boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelParams = [ "zfs_force=1" ]; # Remove after next boot
   boot.loader.grub.devices = [ "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0" ];
   boot.loader.timeout = 5;
   boot.initrd.luks.devices = {
diff --git a/config/services/acme.nix b/config/services/acme.nix
new file mode 100644
index 00000000..4d4c52ec
--- /dev/null
+++ b/config/services/acme.nix
@@ -0,0 +1,23 @@
+{ ... }: {
+  security.acme = {
+    acceptTerms = true;
+    email = "lotte@chir.rs";
+    certs."darkkirb.de" = {
+      domain = "*.darkkirb.de";
+      extraDomains = [ "darkkirb.de" ];
+      dnsProvider = "rfc2136";
+      credentialsFile = "/run/secrets/security/acme/dns";
+    };
+    certs."chir.rs" = {
+      domain = "*.chir.rs";
+      extraDomains = [ "chir.rs" ];
+      dnsProvider = "rfc2136";
+      credentialsFile = "/run/secrets/security/acme/dns";
+    };
+    certs."int.chir.rs" = {
+      domain = "*.int.chir.rs";
+      dnsProvider = "rfc2136";
+      credentialsFile = "/run/secrets/security/acme/dns";
+    };
+  };
+}
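Review bot: The three `credentialsFile` entries in config/services/acme.nix repeat the literal path `/run/secrets/security/acme/dns`, while the secret itself is declared separately in config/sops.nix; taking `config` in the module arguments and writing `credentialsFile = config.sops.secrets."security/acme/dns".path;` keeps the two in step if the secret is ever renamed or mounted elsewhere. The `dnsProvider`/`credentialsFile` pair is also copied into every cert, which works but deserves a comment saying that all three zones are updated through the same RFC2136 credentials. Since the file read by the `rfc2136` provider holds a TSIG key that the authoritative server accepts for dynamic updates, the trust boundary is only as narrow as that key's update-policy on the server side (presumably the named container imported alongside this module); a header comment such as `# Wildcard certs via DNS-01; the rfc2136 key in the sops secret should only be permitted to write _acme-challenge TXT records` would make that expectation explicit for whoever maintains the zone.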
diff --git a/config/services/haproxy.nix b/config/services/haproxy.nix
new file mode 100644
index 00000000..58334e60
--- /dev/null
+++ b/config/services/haproxy.nix
@@ -0,0 +1,2 @@
+# Mostly future-proofing, but also for the transition to this infra
+{ ... }: { }
diff --git a/config/sops.nix b/config/sops.nix
index ba5241bc..e72e2665 100644
--- a/config/sops.nix
+++ b/config/sops.nix
@@ -3,4 +3,5 @@
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/secrets.yaml";
   sops.secrets."network/wireguard/privkey" = { };
+  sops.secrets."security/acme/dns" = { };
 }
diff --git a/secrets/nixos-8gb-fsn1-1/secrets.yaml b/secrets/nixos-8gb-fsn1-1/secrets.yaml
index 7b7b5d77..99202711 100644
--- a/secrets/nixos-8gb-fsn1-1/secrets.yaml
+++ b/secrets/nixos-8gb-fsn1-1/secrets.yaml
@@ -1,6 +1,9 @@
 network:
   wireguard:
     privkey: ENC[AES256_GCM,data:+avWYsJmrVYFnwi6T6NqQiXH1U+q3DsvMUT+pG4P2zJ+typzA3dQ+85HBVc=,iv:mdf2+p+7FOUPUNAmfS+CAMkw6xTHrjxQDTVDAHF4qbA=,tag:Ano//8t7dDjqfFVmdQXsfw==,type:str]
+security:
+  acme:
+    dns: ENC[AES256_GCM,data:BxBOnnQZLgs9Y6VSL5umzCHmvQTgxDyTRftnR7zbzARJXaRQP5tnUyZFB4oBhO5d/s4TUEwXhSbbdjBttEuI1drh8X2iNTnWtKaSx7TPFhJJXD0jN4eOSgEyZ0GQYieLCYilpiMOgpkTnSdsFkKkQylCsRcu6eXAgtvZYVg/c9SxnNgT7syC2C+VqsgkhYdrHdtguoGigpyfQ3wA4hOABjDipYGw46NHCx1jPAi1mw2txg04/GCCCggvwV6b/EQZ2rA8bBKM2Stw4wYZXvU7V+XaNZngt1vxBSR4OqU=,iv:Gw3mM1G89NdddGdiCrxuOfChudsIXEvABpoSysQfXp0=,tag:2I9lq1h37OhFEflkaj5/BQ==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -25,8 +28,8 @@ sops:
         QkkzbUVrVWtYMWhLa0N5MzJ2KzV4MW8KEAtd2cnwNH01rYUFr+qWyAhHvUsqsxXg
         not2RQLEIGbo80Z7CMIwqCIpUYOL4m70KlEKrFzflXFbOFX2en82iA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2022-01-14T14:10:36Z"
-  mac: ENC[AES256_GCM,data:IJi2TNEG41bgjekGE67iwQrt1ZlmtN7QS8A4M4i417hao+g7IORArXSHDRTWrYT0Gw9xE7NEWtrnRue9ompPcgTV1bGt0Re2EAB+5TI4/7fFbxuIvpYZqhqIFUFEmOyYl+QqkvUH6yKdfdsVj4WgVI8mucxF890F5cWJ1abMaww=,iv:Rr9R3whv7gdBcj/nrsmqTm/JhqvhzdIgMh/Q8EFKP1s=,tag:sFlL5fyP/HWckrmZSgj5zA==,type:str]
+  lastmodified: "2022-01-14T16:42:55Z"
+  mac: ENC[AES256_GCM,data:babQDlZhTXrjanhrKPUQhZl4hdzvXWq8cqg0VSpGgyUsVcAreZ2g1WBxHZaNukMb9SsRKQ1URIbsMzenAFGxVOQGMxqMgKYiRyeRzYixnU2BuPnUGBWjgmmfad0lsxeFUK5UwsXHYHCDvjWslx95cIFwnmW/GezVoDebAnM9OEQ=,iv:Oa7OGzY8DP5RBenonU5Oso/Op9G3z0hYiNTxlnR9Z2Q=,tag:ZQZYCXZotkSsaTAaiS3RgA==,type:str]
   pgp: []
   unencrypted_suffix: _unencrypted
   version: 3.7.1