Merge branch '#4_better_certs' into 'main'
acme: each server is now responsible for the certs tehy request Closes #4 See merge request compsoc1/skynet/nixos!3
This commit is contained in:
commit
5739518f82
8 changed files with 71 additions and 23 deletions
|
@ -1,29 +1,42 @@
|
||||||
{ config, ... }:{
|
{ config, pkgs, lib, ... }:
|
||||||
# group that will own the certificates
|
with lib;
|
||||||
users.groups.acme = {};
|
let
|
||||||
|
cfg = config.skynet_acme;
|
||||||
|
in {
|
||||||
|
imports = [];
|
||||||
|
|
||||||
age.secrets.acme.file = ../secrets/dns_certs.secret.age;
|
options.skynet_acme = {
|
||||||
|
domains = lib.mkOption {
|
||||||
security.acme = {
|
default = [ ];
|
||||||
preliminarySelfsigned = false;
|
type = lib.types.listOf lib.types.str;
|
||||||
acceptTerms = true;
|
description = ''
|
||||||
|
A list of domains to use for this server.
|
||||||
defaults = {
|
'';
|
||||||
email = "admin_acme@skynet.ie";
|
|
||||||
# we use our own dns authorative server for verifying we own the domain.
|
|
||||||
dnsProvider = "rfc2136";
|
|
||||||
credentialsFile = config.age.secrets.acme.path;
|
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
certs = {
|
config = {
|
||||||
"skynet" = {
|
# group that will own the certificates
|
||||||
domain = "skynet.ie";
|
users.groups.acme = {};
|
||||||
extraDomainNames = [
|
|
||||||
"*.skynet.ie"
|
age.secrets.acme.file = ../secrets/dns_certs.secret.age;
|
||||||
"*.minecraft.games.skynet.ie"
|
|
||||||
"*.pages.skynet.ie"
|
security.acme = {
|
||||||
"api.account.skynet.ie"
|
preliminarySelfsigned = false;
|
||||||
];
|
acceptTerms = true;
|
||||||
|
|
||||||
|
defaults = {
|
||||||
|
email = "admin_acme@skynet.ie";
|
||||||
|
# we use our own dns authorative server for verifying we own the domain.
|
||||||
|
dnsProvider = "rfc2136";
|
||||||
|
credentialsFile = config.age.secrets.acme.path;
|
||||||
|
};
|
||||||
|
|
||||||
|
certs = {
|
||||||
|
"skynet" = {
|
||||||
|
domain = "skynet.ie";
|
||||||
|
extraDomainNames = cfg.domains;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -97,6 +97,10 @@
|
||||||
|
|
||||||
age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
|
age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
|
||||||
|
|
||||||
|
skynet_acme.domains = [
|
||||||
|
"${cfg.sub}.${cfg.domain}"
|
||||||
|
];
|
||||||
|
|
||||||
# set up dns record for it
|
# set up dns record for it
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
# basic one
|
# basic one
|
||||||
|
|
|
@ -53,6 +53,15 @@
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
|
"ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
skynet_acme.domains = [
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
"config.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
"compsoc_classic.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
"compsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
"gsoc.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
"gsoc_abridged.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
# the minecraft (web) config server
|
# the minecraft (web) config server
|
||||||
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
|
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
|
||||||
|
|
|
@ -93,6 +93,11 @@
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
skynet_acme.domains = [
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
"*.pages.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
];
|
||||||
|
|
||||||
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
|
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
||||||
|
|
|
@ -77,6 +77,10 @@ Gonna use a priper nixos module for this
|
||||||
group = "openldap";
|
group = "openldap";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
skynet_acme.domains = [
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
||||||
];
|
];
|
||||||
|
|
|
@ -49,6 +49,10 @@
|
||||||
|
|
||||||
age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
|
age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age;
|
||||||
|
|
||||||
|
skynet_acme.domains = [
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
||||||
];
|
];
|
||||||
|
|
|
@ -21,6 +21,11 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
skynet_acme.domains = [
|
||||||
|
# the root one is already covered by teh certificate
|
||||||
|
"2016.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
# means root domain, so skynet.ie
|
# means root domain, so skynet.ie
|
||||||
{record="@"; r_type="A"; value=cfg.host.ip;}
|
{record="@"; r_type="A"; value=cfg.host.ip;}
|
||||||
|
|
|
@ -50,6 +50,10 @@
|
||||||
8000
|
8000
|
||||||
];
|
];
|
||||||
|
|
||||||
|
skynet_acme.domains = [
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
skynet_dns.records = [
|
||||||
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
|
||||||
];
|
];
|
||||||
|
|
Loading…
Reference in a new issue