diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f8f85da..6b79fe8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -88,8 +88,6 @@ deploy:
 deploy_gitlab:
 stage: deploy
- needs:
- - deploy
 tags:
 - nix
 before_script:
diff --git a/applications/acme.nix b/applications/acme.nix
index 103a639..3018c5a 100644
--- a/applications/acme.nix
+++ b/applications/acme.nix
@@ -1,29 +1,42 @@
-{ config, ... }:{
- # group that will own the certificates
- users.groups.acme = {};
+{ config, pkgs, lib, ... }:
+ with lib;
+ let
+ cfg = config.skynet_acme;
+ in {
+ imports = [];
- age.secrets.acme.file = ../secrets/dns_certs.secret.age;
-
- security.acme = {
- preliminarySelfsigned = false;
- acceptTerms = true;
-
- defaults = {
- email = "admin_acme@skynet.ie";
- # we use our own dns authorative server for verifying we own the domain.
- dnsProvider = "rfc2136";
- credentialsFile = config.age.secrets.acme.path;
+ options.skynet_acme = {
+ domains = lib.mkOption {
+ default = [ ];
+ type = lib.types.listOf lib.types.str;
+ description = ''
+ A list of domains to use for this server.
+ '';
 };
+ };
- certs = {
- "skynet" = {
- domain = "skynet.ie";
- extraDomainNames = [
- "*.skynet.ie"
- "*.minecraft.games.skynet.ie"
- "*.pages.skynet.ie"
- "api.account.skynet.ie"
- ];
+ config = {
+ # group that will own the certificates
+ users.groups.acme = {};
+
+ age.secrets.acme.file = ../secrets/dns_certs.secret.age;
+
+ security.acme = {
+ preliminarySelfsigned = false;
+ acceptTerms = true;
+
+ defaults = {
+ email = "admin_acme@skynet.ie";
+ # we use our own dns authorative server for verifying we own the domain.
+ dnsProvider = "rfc2136";
+ credentialsFile = config.age.secrets.acme.path;
+ };
+
+ certs = {
+ "skynet" = {
+ domain = "skynet.ie";
+ extraDomainNames = cfg.domains;
+ };
 };
 };
 };
diff --git a/applications/email.nix b/applications/email.nix
index b69cb58..265fc45 100644
--- a/applications/email.nix
+++ b/applications/email.nix
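Review bot: `extraDomainNames = cfg.domains;` passes the merged `listOf str` option through unfiltered, so two modules that name the same host would put duplicate SANs on the order, and nothing constrains an entry to the `skynet.ie` zone that the `rfc2136` credentials in `credentialsFile` can answer challenges for — a typo in a caller surfaces only as a failed issuance of the one shared `skynet` certificate. I would write `extraDomainNames = lib.unique cfg.domains;` and tighten the option to `type = lib.types.listOf (lib.types.strMatching ".*\\.skynet\\.ie");` so bad names fail at evaluation time. Separately, `*.skynet.ie` and `api.account.skynet.ie` from the removed hard-coded list have no visible replacement in this commit; the other hunks only add the names of the services they touch, so any host that relied on the apex wildcard now needs an explicit `skynet_acme.domains` entry. The option `description` should also say how it composes, e.g. `Extra names added to the shared skynet.ie certificate; merged across every module imported on this host.` The `pkgs` argument and `imports = [];` are unused and could be dropped.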
@@ -97,6 +97,10 @@ age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
+ skynet_acme.domains = [
+ "${cfg.sub}.${cfg.domain}"
+ ];
+
 skynet_dns.records = [
 # basic one
diff --git a/applications/games/minecraft.nix b/applications/games/minecraft.nix
index c8cdf8b..4fc1a17 100644
--- a/applications/games/minecraft.nix
+++ b/applications/games/minecraft.nix
@@ -53,6 +53,11 @@
 "ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
 ];
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 # the minecraft (web) config server
 {record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
diff --git a/applications/gitlab.nix b/applications/gitlab.nix
index 32ca33f..4ec060f 100644
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@@ -93,6 +93,12 @@ group = cfg.user;
 };
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ # Lets Encrypt seems to have a 4 levels limit for certs
+ "*.pages.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
diff --git a/applications/ldap.nix b/applications/ldap.nix
index ff1ccc0..98554d8 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -77,6 +77,10 @@ Gonna use a priper nixos module for this
 group = "openldap";
 };
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
 ];
diff --git a/applications/ldap/ldap_backend.nix b/applications/ldap/ldap_backend.nix
index e68eb3d..b8192fb 100644
--- a/applications/ldap/ldap_backend.nix
+++ b/applications/ldap/ldap_backend.nix
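Review bot: The email module builds its certificate name as `"${cfg.sub}.${cfg.domain}"` while every other module in this commit uses `cfg.domain.sub`, `cfg.domain.base` and `cfg.domain.tld`; that is fine only if the email module's own `options` block (outside this hunk) really declares `sub` and `domain` as flat strings, so it is worth confirming rather than assuming, since a structured `domain` attrset would fail string interpolation at evaluation time. If the name is correct, a short comment such as `# email module keeps a flat sub/domain pair rather than domain.{sub,base,tld}` would save the next reader the same check. Also consider whether the hostname clients use for STARTTLS/IMAPS is the same name; if it differs it has to be listed here too, because the old `*.skynet.ie` wildcard is gone.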
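Review bot: The comment `# Lets Encrypt seems to have a 4 levels limit for certs` is contradicted by this same commit: the minecraft hunk requests `*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}`, a wildcard at the same depth as `*.pages.<sub>.skynet.ie` would be, and that name was already present in the old hard-coded list in acme.nix, so the earlier failure was probably not a label-depth limit. `*.pages.${cfg.domain.base}.${cfg.domain.tld}` is in effect a hard-coded apex-level name (it reproduces the old `*.pages.skynet.ie` entry) rather than something derived from `cfg.domain.sub`, so the comment should record why that layout is used, e.g. `# Pages are served from *.pages.skynet.ie, directly under the apex; keep this in sync with the Pages external URL and the pages DNS wildcard`. The `skynet_dns.records` shown only cover `cfg.domain.sub`, so confirm a wildcard `pages` record exists elsewhere or the SAN is issued for a name that does not resolve.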
@@ -49,6 +49,10 @@ age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
 ];
diff --git a/applications/skynet.ie.nix b/applications/skynet.ie.nix
index 5c5ccb4..d36e434 100644
--- a/applications/skynet.ie.nix
+++ b/applications/skynet.ie.nix
@@ -21,6 +21,11 @@
 };
 config = {
+ skynet_acme.domains = [
+ # the root one is already covered by teh certificate
+ "2016.skynet.ie"
+ ];
+
 skynet_dns.records = [
 # means root domain, so skynet.ie
 {record="@"; r_type="A"; value=cfg.host.ip;}
diff --git a/applications/ulfm.nix b/applications/ulfm.nix
index 7c101b8..f970e0d 100644
--- a/applications/ulfm.nix
+++ b/applications/ulfm.nix
@@ -50,6 +50,10 @@
 8000
 ];
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
 ];
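Review bot: The comment `# the root one is already covered by teh certificate` has a typo and does not say why the apex is covered; it is because acme.nix sets `domain = "skynet.ie"` on the `skynet` certificate, so I would write `# skynet.ie itself is the certificate's primary domain (see acme.nix); only extra names go here`. Note that `2016.skynet.ie` was previously matched by the `*.skynet.ie` wildcard that this commit removes from acme.nix, so any other `<name>.skynet.ie` served by this host now has to be listed in this same array or it will lose TLS coverage on the next renewal. The enclosing `config = {` block continues past the end of the hunk.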