authorsinanmohd <sinan@sinanmohd.com>2024-02-08 19:02:22 +0530
committersinanmohd <sinan@sinanmohd.com>2024-02-09 17:19:24 +0530
commit05c7f64bd12d56f3fc066f61fc01351acb0ddb7b (patch)
treec0ba7b4967a18336cfcfaa0574942af3a96ebe95
parent08a6d64d9d71489196838ee63ae52a92f0147508 (diff)
kay/acme/rfc2136: init
-rw-r--r--hosts/kay/configuration.nix1
-rw-r--r--hosts/kay/modules/acme.nix23
-rw-r--r--hosts/kay/modules/dns/default.nix40
-rw-r--r--hosts/kay/modules/dns/sinanmohd.com.zone4
-rw-r--r--hosts/kay/modules/www.nix20
5 files changed, 78 insertions, 10 deletions
diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix
index 7009a2a..97172d0 100644
--- a/hosts/kay/configuration.nix
+++ b/hosts/kay/configuration.nix
@@ -6,6 +6,7 @@
./modules/network.nix
./modules/www.nix
./modules/sftp.nix
+ ./modules/acme.nix
./modules/dns
../../common.nix
];
diff --git a/hosts/kay/modules/acme.nix b/hosts/kay/modules/acme.nix
new file mode 100644
index 0000000..f4ded0a
--- /dev/null
+++ b/hosts/kay/modules/acme.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }: let
+ email = config.userdata.email;
+ domain = config.userdata.domain;
+
+ environmentFile =
+ pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'";
+in {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+
+ certs.${domain} = {
+ inherit domain;
+ extraDomainNames = [ "*.${domain}" ];
+
+ dnsProvider = "rfc2136";
+ dnsPropagationCheck = false; # local DNS server
+
+ inherit environmentFile;
+ group = config.services.nginx.group;
+ };
+ };
+}
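Review bot: The environment file at lines 40-41 carries only `RFC2136_NAMESERVER`, so the dynamic update is authenticated by nothing but its source address — the matching `acme` acl in hosts/kay/modules/dns/default.nix has `address = [ listen_addr ]` and no key. Any process on the host that can send from that address can therefore write the `_acme-challenge` TXT record and complete a DNS-01 challenge for `*.${domain}`; whether a spoofed UDP UPDATE from outside also passes depends on the host dropping packets that arrive with its own source address, which I cannot tell from here. The usual mitigation is a TSIG key: a `key` entry in the Knot config referenced from the acl via `key`, plus `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET` and `RFC2136_TSIG_ALGORITHM` in the environment file. Note that `pkgs.writeText` places the file in the world-readable Nix store, so once it holds a secret it has to come from a root-only path (e.g. one deployed by a secrets manager) rather than from `writeText`.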
diff --git a/hosts/kay/modules/dns/default.nix b/hosts/kay/modules/dns/default.nix
index 28e48c5..1146cc3 100644
--- a/hosts/kay/modules/dns/default.nix
+++ b/hosts/kay/modules/dns/default.nix
@@ -1,5 +1,18 @@
-{ config, ... }: let
+{ config, pkgs, ... }: let
listen_addr = "2001:470:ee65::1";
+
+ acmeSOA = pkgs.writeText "acmeSOA" ''
+ $TTL 2d
+
+ @ IN SOA ns1.sinanmohd.com. sinan.sinanmohd.com. (
+ 2024020505 ; serial
+ 2h ; refresh
+ 5m ; retry
+ 1d ; expire
+ 5m ) ; nx ttl
+
+ IN NS ns1.sinanmohd.com.
+ '';
in {
imports = [ ./ddns.nix ];
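Review bot: `acmeSOA` (lines 68-79) has no comment saying what an apex-only zone is for, and a reader of this file cannot tell that its TXT records only ever arrive through dynamic updates. A line above the binding such as `# SOA/NS-only zone for _acme-challenge.<domain>: the ACME client adds TXT records via RFC2136 (see acme.nix); nothing is edited here by hand` would explain both the missing records and why its template sets `zonefile-sync = "-1"`. The serial 2024020505 is only a starting point; if Knot bumps it in the journal on each update, as I expect with `zonefile-load = "difference"`, it never needs to be touched again, which the comment could also say.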
@@ -58,6 +71,12 @@ in {
update-type = [ "A" "AAAA" ];
action = "update";
}
+ {
+ id = "acme";
+ address = [ listen_addr ];
+ update-type = [ "TXT" ];
+ action = "update";
+ }
];
mod-rrl = [{
@@ -74,13 +93,25 @@ in {
}
{
id = "master";
+ semantic-checks = "on";
+
dnssec-signing = "on";
dnssec-policy = "gtld-servers.net";
- semantic-checks = "on";
+
notify = [ "ns1.he.net" ];
acl = [ "ns1.he.net" "localhost" ];
+
+ zonefile-sync = "-1";
+ zonefile-load = "difference";
+ }
+ {
+ id = "acme";
+ semantic-checks = "on";
+ acl = [ "acme" ];
+
zonefile-sync = "-1";
zonefile-load = "difference";
+ journal-content = "changes";
}
];
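Review bot: The new `acme` template (lines 110-118) sets no `dnssec-signing`, so `_acme-challenge.sinanmohd.com` is an unsigned child of a zone the `master` template signs, and nothing records that this is intentional. If signing defaults to off in Knot, as I believe it does, the parent's signed NSEC/NSEC3 proves the absence of a DS record and the result is a valid insecure delegation, which is sufficient for DNS-01 validation. A comment on the template, `# left unsigned on purpose: insecure delegation from the signed parent, enough for DNS-01`, would stop a future reader from "fixing" it or, conversely, from expecting a DS in the parent.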
@@ -91,6 +122,11 @@ in {
template = "master";
}
{
+ domain = "_acme-challenge.sinanmohd.com";
+ file = acmeSOA;
+ template = "acme";
+ }
+ {
domain = "5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa";
file = ./5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone;
}
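Review bot: `domain = "_acme-challenge.sinanmohd.com"` at line 124 (and `ns1.sinanmohd.com.` inside `acmeSOA` in the first hunk) hard-codes the name that acme.nix derives from `config.userdata.domain`; if the two ever diverge, the zone Knot serves and the zone the ACME client updates silently stop matching. Writing it as `domain = "_acme-challenge.${config.userdata.domain}";` keeps one source of truth. The neighbouring zone entries appear to hard-code their names as well, so this may be a deliberate convention of the file; if so, a comment tying the two spellings together would do.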
diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone
index 1c92366..2ea2925 100644
--- a/hosts/kay/modules/dns/sinanmohd.com.zone
+++ b/hosts/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
$TTL 2d
@ IN SOA ns1 sinan (
- 2024020400 ; serial
+ 2024020800 ; serial
2h ; refresh
5m ; retry
1d ; expire
@@ -23,3 +23,5 @@ www IN CNAME @
git IN CNAME @
bin IN CNAME @
static IN CNAME @
+
+_acme-challenge IN NS ns1
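Review bot: The delegation `_acme-challenge IN NS ns1` at line 149 is the one line that makes the whole DNS-01 setup work, and nothing in the zone file says why a sub-zone is delegated to the same server. A trailing comment, `_acme-challenge IN NS ns1 ; delegated so ACME TXT records arrive by dynamic update without editing this signed zone (see dns/default.nix)`, would spare the next reader a search across modules. Because `ns1` is a name inside this zone, the address records the file presumably already holds for it double as glue, so no further record is needed here.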
diff --git a/hosts/kay/modules/www.nix b/hosts/kay/modules/www.nix
index 7d0e646..a0b9c20 100644
--- a/hosts/kay/modules/www.nix
+++ b/hosts/kay/modules/www.nix
@@ -2,7 +2,6 @@
let
domain = config.userdata.domain;
- email = config.userdata.email;
fscusat = "fscusat.org";
mark = "themark.ing";
storage = "/hdd/users/sftp/shr";
@@ -19,11 +18,6 @@ in
allowedUDPPorts = [ 443 ];
};
- security.acme = {
- acceptTerms = true;
- defaults.email = email;
- };
-
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
@@ -42,7 +36,7 @@ in
quic = true;
http3 = true;
forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
};
in {
"${domain}" = defaultOpts // {
@@ -93,9 +87,15 @@ in
};
"${fscusat}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
globalRedirect = "www.${fscusat}";
};
"www.${fscusat}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
locations."/" = {
return = "200 '<h1>under construction</h1>'";
extraConfig = "add_header Content-Type text/html;";
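Review bot: The pair `useACMEHost = null; enableACME = true;` is repeated in four vhosts (lines 184-185 and 190-191 here, and again at lines 199-200 and 205-206 in the next hunk) to undo the `useACMEHost = domain` that `defaultOpts` now carries. A single binding in the `let`, e.g. `ownCert = { useACMEHost = null; enableACME = true; };`, merged as `defaultOpts // ownCert // { ... }`, would keep the override in one place and make the intent visible at each use. The explicit `null` is needed because, as far as I recall, the NixOS nginx module asserts that `enableACME` and `useACMEHost` are not both set on one vhost; that reason is easy to miss without a name or comment on the override.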
@@ -103,9 +103,15 @@ in
};
"${mark}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
globalRedirect = "www.${mark}";
};
"www.${mark}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
locations."/" = {
return = "200 '<h1>under construction, see you soon</h1>'";
extraConfig = "add_header Content-Type text/html;";