Merge branch '#4_better_certs' into 'main'

acme: each server is now responsible for the certs they request

Closes #4

See merge request compsoc1/skynet/nixos!3
Brendan Golden 2023-08-06 19:31:14 +00:00
commit 5739518f82
8 changed files with 71 additions and 23 deletions


@ -1,29 +1,42 @@
{ config, ... }:{ { config, pkgs, lib, ... }:
# group that will own the certificates with lib;
users.groups.acme = {}; let
cfg = config.skynet_acme;
in {
imports = [];
age.secrets.acme.file = ../secrets/dns_certs.secret.age; options.skynet_acme = {
domains = lib.mkOption {
security.acme = { default = [ ];
preliminarySelfsigned = false; type = lib.types.listOf lib.types.str;
acceptTerms = true; description = ''
A list of domains to use for this server.
defaults = { '';
email = "admin_acme@skynet.ie";
# we use our own dns authorative server for verifying we own the domain.
dnsProvider = "rfc2136";
credentialsFile = config.age.secrets.acme.path;
}; };
};
certs = { config = {
"skynet" = { # group that will own the certificates
domain = "skynet.ie"; users.groups.acme = {};
extraDomainNames = [
"*.skynet.ie" age.secrets.acme.file = ../secrets/dns_certs.secret.age;
"*.minecraft.games.skynet.ie"
"*.pages.skynet.ie" security.acme = {
"api.account.skynet.ie" preliminarySelfsigned = false;
]; acceptTerms = true;
defaults = {
email = "admin_acme@skynet.ie";
# we use our own dns authorative server for verifying we own the domain.
dnsProvider = "rfc2136";
credentialsFile = config.age.secrets.acme.path;
};
certs = {
"skynet" = {
domain = "skynet.ie";
extraDomainNames = cfg.domains;
};
}; };
}; };
}; };
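Review bot: `skynet_acme.domains` (the `lib.mkOption` block near the top of the new side) accepts any string, yet every entry is fed straight into `extraDomainNames` of the single `skynet` certificate, so one name outside the rfc2136-managed zone, or one duplicate contributed by two modules, can fail the whole order and block renewal of every name on that host. Consider constraining the type, e.g. `type = lib.types.listOf (lib.types.strMatching "(\\*\\.)?([a-z0-9-]+\\.)*skynet\\.ie");`, and deduplicating at the point of use, `extraDomainNames = lib.unique cfg.domains;`. The option description would help callers more if it stated the contract, e.g. `Extra SANs added to this host's skynet.ie certificate; skynet.ie itself is always requested.` Of the explicit entries removed from the old central list, `api.account.skynet.ie` has no visible counterpart in the per-server lists of this merge unless one module's `cfg.domain.sub` evaluates to `api.account` — worth confirming before the previously issued certificate expires.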


@ -97,6 +97,10 @@
age.secrets.ldap_pw.file = ../secrets/ldap/pw.age; age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
skynet_acme.domains = [
"${cfg.sub}.${cfg.domain}"
];
# set up dns record for it # set up dns record for it
skynet_dns.records = [ skynet_dns.records = [
# basic one # basic one


@ -53,6 +53,15 @@
"ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
]; ];
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"config.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"compsoc_classic.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"compsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"gsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"gsoc_abridged.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
skynet_dns.records = [ skynet_dns.records = [
# the minecraft (web) config server # the minecraft (web) config server
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
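Review bot: Two of the added names, `compsoc_classic.…` and `gsoc_abridged.…`, carry an underscore in a host label; underscores are not valid in DNS host names (RFC 1123) and public CAs generally refuse them as certificate SANs. Because the acme module bundles all of this host's names into one certificate, a rejected name fails the order and leaves every other name on the host without a renewed certificate; the DNS records that would show whether these labels actually exist are outside the hunk. If these service names are to stay, a hyphen (`compsoc-classic`, `gsoc-abridged`) in both this list and the matching `skynet_dns.records` entries avoids the problem.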


@ -93,6 +93,11 @@
group = cfg.user; group = cfg.user;
}; };
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"*.pages.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
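Review bot: The wildcard added here, `*.pages.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}`, sits one label deeper than the `*.pages.skynet.ie` entry removed from the central certificate in the first file, assuming `cfg.domain.sub` is this host's own label as the CNAME record below suggests. A wildcard matches a single label only, so if Pages sites are still served at `<name>.pages.skynet.ie` they stop being covered once the old certificate expires. If the Pages domain really is `pages.skynet.ie`, the entry should read `"*.pages.${cfg.domain.base}.${cfg.domain.tld}"`; otherwise a short comment naming the Pages host this wildcard serves would save the next reader the same comparison.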


@ -77,6 +77,10 @@ Gonna use a priper nixos module for this
group = "openldap"; group = "openldap";
}; };
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
]; ];


@ -49,6 +49,10 @@
age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age; age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
]; ];


@ -21,6 +21,11 @@
}; };
config = { config = {
skynet_acme.domains = [
# the root one is already covered by teh certificate
"2016.skynet.ie"
];
skynet_dns.records = [ skynet_dns.records = [
# means root domain, so skynet.ie # means root domain, so skynet.ie
{record="@"; r_type="A"; value=cfg.host.ip;} {record="@"; r_type="A"; value=cfg.host.ip;}
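Review bot: The domain list added here hard-codes `"2016.skynet.ie"` while every other module in this merge builds its names from `cfg.domain.*`, and the accompanying comment has a typo (`teh`). Since this module already reads `cfg.host.ip` and the record below uses `@` for the apex, deriving the name from the module's domain options would keep a base-domain change from silently leaving the 2016 site without a certificate; if the module has no such option, the literal is fine but the comment should state why the apex is omitted, e.g. `# skynet.ie itself is always requested by the acme module; only the extra SAN is listed here.`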


@ -50,6 +50,10 @@
8000 8000
]; ];
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
]; ];