From abc355d1b63bebbb8c62376ee4fde030a6dc0329 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 19:56:22 +0100
Subject: [PATCH 1/9] acme: going to be a tad mroe selective
---
 applications/acme.nix | 58 +++++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 21 deletions(-)
diff --git a/applications/acme.nix b/applications/acme.nix
index 103a639..a89e209 100644
--- a/applications/acme.nix
+++ b/applications/acme.nix
@@ -1,29 +1,45 @@
-{ config, ... }:{
- # group that will own the certificates
- users.groups.acme = {};
+{ pkgs, lib, ... }:
+ with lib;
+ let
+ cfg = config.services.skynet_acme;
+ in {
- age.secrets.acme.file = ../secrets/dns_certs.secret.age;
+ imports = [];
- security.acme = {
- preliminarySelfsigned = false;
- acceptTerms = true;
+ options.services.skynet_acme = {
+ enable = mkEnableOption "Skynet Lets Encrypt certs";
- defaults = {
- email = "admin_acme@skynet.ie";
- # we use our own dns authorative server for verifying we own the domain.
- dnsProvider = "rfc2136";
- credentialsFile = config.age.secrets.acme.path;
+ domains = lib.mkOption {
+ default = [ ];
+ type = lib.types.listOf lib.types.str;
+ description = ''
+ A list of domains to use for this server.
+ '';
 };
+ };
- certs = {
- "skynet" = {
- domain = "skynet.ie";
- extraDomainNames = [
- "*.skynet.ie"
- "*.minecraft.games.skynet.ie"
- "*.pages.skynet.ie"
- "api.account.skynet.ie"
- ];
+ config = {
+ # group that will own the certificates
+ users.groups.acme = {};
+
+ age.secrets.acme.file = ../secrets/dns_certs.secret.age;
+
+ security.acme = {
+ preliminarySelfsigned = false;
+ acceptTerms = true;
+
+ defaults = {
+ email = "admin_acme@skynet.ie";
+ # we use our own dns authorative server for verifying we own the domain.
+ dnsProvider = "rfc2136";
+ credentialsFile = config.age.secrets.acme.path;
+ };
+
+ certs = {
+ "skynet" = {
+ domain = "skynet.ie";
+ extraDomainNames = cfg.domains;
+ };
 };
 };
 };
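Review bot: `config` is read at `cfg = config.services.skynet_acme;` and again at `credentialsFile = config.age.secrets.acme.path;`, but the new module header binds only `{ pkgs, lib, ... }:`, so this commit does not evaluate on its own; PATCH 6/9 of this series adds `config` to the header, and squashing that fix here would keep every commit in the series buildable. The `enable` option declared next to `domains` gates nothing, because the `config = { ... }` block is unconditional, and PATCH 2/9 removes it again. Worth a comment on the `credentialsFile` line that per-host `domains` narrows each certificate's SANs but not the reach of the rfc2136 key in `dns_certs.secret.age`, which every host importing this module still decrypts: `# NOTE: the rfc2136 update key is shared by every host that imports this module`.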
From 2ae70acf563463878155c02d02afd00bd5a5a495 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:09:15 +0100
Subject: [PATCH 2/9] acme: each server is now responsible for the certs tehy request
Closes #4
---
 applications/acme.nix | 2 --
 applications/email.nix | 4 ++++
 applications/games/minecraft.nix | 9 +++++++++
 applications/gitlab.nix | 5 +++++
 applications/ldap.nix | 4 ++++
 applications/ldap/ldap_backend.nix | 4 ++++
 applications/skynet.ie.nix | 5 +++++
 applications/ulfm.nix | 4 ++++
 8 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/applications/acme.nix b/applications/acme.nix
index a89e209..edcf37e 100644
--- a/applications/acme.nix
+++ b/applications/acme.nix
@@ -7,8 +7,6 @@
 imports = [];
 options.services.skynet_acme = {
- enable = mkEnableOption "Skynet Lets Encrypt certs";
-
 domains = lib.mkOption {
 default = [ ];
 type = lib.types.listOf lib.types.str;
diff --git a/applications/email.nix b/applications/email.nix
index b69cb58..3f87dce 100644
--- a/applications/email.nix
+++ b/applications/email.nix
@@ -97,6 +97,10 @@
 age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
+ skynet_acme.domains = [
+ "mail.${cfg.domain.domain}"
+ ];
+
 # set up dns record for it
 skynet_dns.records = [
 # basic one
diff --git a/applications/games/minecraft.nix b/applications/games/minecraft.nix
index c8cdf8b..7e1d2c3 100644
--- a/applications/games/minecraft.nix
+++ b/applications/games/minecraft.nix
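Review bot: With `enable` gone, every host that imports acme.nix now unconditionally creates the `acme` group, decrypts the rfc2136 key and orders a certificate for `skynet.ie`, even when its `skynet_acme.domains` is still the default `[ ]`; the `config = { ... }` block in acme.nix (outside this hunk) could be gated on the list instead, `config = mkIf (cfg.domains != []) {`. A host with nothing to serve then neither keeps the DNS-update credential on disk nor holds a certificate it never uses.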
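Review bot: `"mail.${cfg.domain.domain}"` is rewritten to `"${cfg.sub}.${cfg.domain}"` in PATCH 6/9 ("fix: wasnt compiling"), which suggests `cfg.domain.domain` is not an attribute path email.nix declares; I cannot see email.nix's options from this series, but if so this commit does not evaluate on its own and the fix belongs here. The enclosing `config` block starts before this hunk.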
@@ -53,6 +53,15 @@
 "ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
 ];
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "config.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "compsoc_classic.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "compsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "gsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "gsoc_abridged.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 # the minecraft (web) config server
 {record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
diff --git a/applications/gitlab.nix b/applications/gitlab.nix
index 32ca33f..add72dd 100644
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@@ -93,6 +93,11 @@
 group = cfg.user;
 };
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "*.pages.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
diff --git a/applications/ldap.nix b/applications/ldap.nix
index ff1ccc0..98554d8 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -77,6 +77,10 @@ Gonna use a priper nixos module for this
 group = "openldap";
 };
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
 ];
diff --git a/applications/ldap/ldap_backend.nix b/applications/ldap/ldap_backend.nix
index e68eb3d..b8192fb 100644
--- a/applications/ldap/ldap_backend.nix
+++ b/applications/ldap/ldap_backend.nix
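Review bot: Two of the names added here, `compsoc_classic.…` and `gsoc_abridged.…`, carry an underscore, which is not a valid hostname label and which public CAs, Let's Encrypt included, refuse to put in a SAN, so the whole order for this host fails rather than just those two names. PATCH 8/9 replaces the list with `*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}` and so sidesteps it; if an explicit list is ever restored, those two services need hyphenated names. The enclosing `config` block starts before this hunk.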
@@ -49,6 +49,10 @@
 age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
 ];
diff --git a/applications/skynet.ie.nix b/applications/skynet.ie.nix
index 5c5ccb4..d36e434 100644
--- a/applications/skynet.ie.nix
+++ b/applications/skynet.ie.nix
@@ -21,6 +21,11 @@
 };
 config = {
+ skynet_acme.domains = [
+ # the root one is already covered by teh certificate
+ "2016.skynet.ie"
+ ];
+
 skynet_dns.records = [
 # means root domain, so skynet.ie
 {record="@"; r_type="A"; value=cfg.host.ip;}
diff --git a/applications/ulfm.nix b/applications/ulfm.nix
index 7c101b8..f970e0d 100644
--- a/applications/ulfm.nix
+++ b/applications/ulfm.nix
@@ -50,6 +50,10 @@
 8000
 ];
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
 ];
From 3521bface9717b732e71e60a3b0750d9618cb274 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:12:05 +0100
Subject: [PATCH 3/9] ci: seems the needs was fecking things up a tad
---
 .gitlab-ci.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f8f85da..6b79fe8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -88,8 +88,6 @@ deploy:
 deploy_gitlab:
 stage: deploy
- needs:
- - deploy
 tags:
 - nix
 before_script:
From 546a6f5cd3eba0e69c1a0d555cd877463ba33930 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:13:13 +0100
Subject: [PATCH 4/9] ci: seems the needs was fecking things up a tad
---
 .gitlab-ci.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f8f85da..6b79fe8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -88,8 +88,6 @@ deploy:
 deploy_gitlab:
 stage: deploy
- needs:
- - deploy
 tags:
 - nix
 before_script:
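Review bot: PATCH 4/9 is the same change as this commit, byte for byte (same blob ids `f8f85da..6b79fe8`, same hunk), so it cannot apply on top of 3/9 and should be dropped from the series. Removing `needs:` also removes the only explicit ordering between `deploy` and `deploy_gitlab`; whether stage ordering still guarantees that `deploy_gitlab` runs after `deploy` depends on the `deploy` job's stage, which is outside this hunk, so a comment above `deploy_gitlab:` stating the intended order would help, e.g. `# runs in parallel with deploy; must not depend on its output`. The `deploy:` job itself begins before this hunk.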
From ea818273750d853e6c80543c081e06f535c44c7b Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:16:09 +0100
Subject: [PATCH 5/9] fix: formatting
---
 applications/acme.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/applications/acme.nix b/applications/acme.nix
index edcf37e..f746182 100644
--- a/applications/acme.nix
+++ b/applications/acme.nix
@@ -3,7 +3,6 @@
 let
 cfg = config.services.skynet_acme;
 in {
-
 imports = [];
 options.services.skynet_acme = {
From 62689132d39c944ae895a06aeba4bc7bc6435f9e Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:29:24 +0100
Subject: [PATCH 6/9] fix: wasnt compiling
---
 applications/acme.nix | 6 +++---
 applications/email.nix | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/applications/acme.nix b/applications/acme.nix
index f746182..3018c5a 100644
--- a/applications/acme.nix
+++ b/applications/acme.nix
@@ -1,11 +1,11 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 with lib;
 let
- cfg = config.services.skynet_acme;
+ cfg = config.skynet_acme;
 in {
 imports = [];
- options.services.skynet_acme = {
+ options.skynet_acme = {
 domains = lib.mkOption {
 default = [ ];
 type = lib.types.listOf lib.types.str;
diff --git a/applications/email.nix b/applications/email.nix
index 3f87dce..265fc45 100644
--- a/applications/email.nix
+++ b/applications/email.nix
@@ -98,7 +98,7 @@ age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
 skynet_acme.domains = [
- "mail.${cfg.domain.domain}"
+ "${cfg.sub}.${cfg.domain}"
 ];
 # set up dns record for it
From 89dcf295b3152d91349a61e5fb91bf6dca920b2f Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:50:01 +0100
Subject: [PATCH 7/9] fix: hopefully this works for acme
---
 applications/games.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/applications/games.nix b/applications/games.nix
index 7c7b126..7d1edc4 100644
--- a/applications/games.nix
+++ b/applications/games.nix
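Review bot: `pkgs` in the new header `{ config, pkgs, lib, ... }:` is not used anywhere in the acme.nix lines visible in this series, and the module still opens with `with lib;` while qualifying `lib.mkOption` and `lib.types.listOf lib.types.str`; the only unqualified use I can see, `mkEnableOption`, went away in PATCH 2/9, so `with lib;` can go too and the header can shrink to `{ config, lib, ... }:`. The `options.skynet_acme` rename is what makes the `skynet_acme.domains` assignments in the other modules resolve, so that part is the actual fix. The `in {` attribute set opened here continues past the hunk.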
@@ -5,7 +5,7 @@
 in {
 imports = [
 ./dns.nix
-
+ ./acme.nix
 ./games/minecraft.nix
 ];
@@ -44,6 +44,10 @@
 config = mkIf cfg.enable {
+ skynet_acme.domains = [
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ ];
+
 skynet_dns.records = [
 # need a base domain
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
From 4251032e03652330e523ab6b3c573bdc94056f74 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sun, 6 Aug 2023 20:53:04 +0100
Subject: [PATCH 8/9] fix: use a wildcard for the minecraft servers
---
 applications/games.nix | 6 +-----
 applications/games/minecraft.nix | 8 ++------
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/applications/games.nix b/applications/games.nix
index 7d1edc4..7c7b126 100644
--- a/applications/games.nix
+++ b/applications/games.nix
@@ -5,7 +5,7 @@
 in {
 imports = [
 ./dns.nix
- ./acme.nix
+
 ./games/minecraft.nix
 ];
@@ -44,10 +44,6 @@
 config = mkIf cfg.enable {
- skynet_acme.domains = [
- "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- ];
-
 skynet_dns.records = [
 # need a base domain
 {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
diff --git a/applications/games/minecraft.nix b/applications/games/minecraft.nix
index 7e1d2c3..4fc1a17 100644
--- a/applications/games/minecraft.nix
+++ b/applications/games/minecraft.nix
@@ -54,12 +54,8 @@
 ];
 skynet_acme.domains = [
- "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- "config.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- "compsoc_classic.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- "compsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- "gsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- "gsoc_abridged.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
 ];
 skynet_dns.records = [
From 3239516270e0ede39c5d50a54ac774a9ca29cc6e Mon Sep 17 00:00:00 2001
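Review bot: Removing `./acme.nix` from `imports` again while `games/minecraft.nix` (the next hunk) still sets `skynet_acme.domains` means the `skynet_acme` option must be declared through some import outside games.nix for the games host to evaluate; nothing in this series shows where, and PATCH 7/9 adding the import one commit earlier suggests it was once missing. A comment on the `imports = [` line naming where acme.nix is pulled in, e.g. `# acme.nix is imported by the host configuration, not per application`, records that dependency for the next reader. The `in {` attribute set this hunk opens continues past the hunk.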
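Review bot: The new `"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"` entry means the private key on this host now vouches for every present and future name under the minecraft subdomain, not only the six servers the old list enumerated; that is fine for a single host that serves them all, but it deserves a comment on that line so the scope reads as deliberate, e.g. `# wildcard: every *.minecraft name is served from this host`. The enclosing `config` block starts before this hunk.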
From: Brendan Golden
Date: Sun, 6 Aug 2023 21:08:50 +0100
Subject: [PATCH 9/9] fix: gitlab domain cert
---
 applications/gitlab.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/applications/gitlab.nix b/applications/gitlab.nix
index add72dd..4ec060f 100644
--- a/applications/gitlab.nix
+++ b/applications/gitlab.nix
@@ -94,8 +94,9 @@
 };
 skynet_acme.domains = [
- "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
- "*.pages.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
+ # Lets Encrypt seems to have a 4 levels limit for certs
+ "*.pages.${cfg.domain.base}.${cfg.domain.tld}"
 ];
 # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
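Review bot: The new comment `# Lets Encrypt seems to have a 4 levels limit for certs` records a guess rather than the failure that was observed; I am not aware of a label-depth limit at Let's Encrypt, so the comment should quote the actual order error (or link the policy it hit) before the reason is lost. The replacement `"*.pages.${cfg.domain.base}.${cfg.domain.tld}"` is also a scope change, not just a shortening: it covers every `pages.<base>.<tld>` name regardless of `${cfg.domain.sub}`, so the GitLab host's key now vouches for all of them, and the comment should say so if that is intended. The enclosing `config` block starts before this hunk.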