diff options
| author | sinanmohd <sinan@sinanmohd.com> | 2024-02-08 19:02:22 +0530 | 
|---|---|---|
| committer | sinanmohd <sinan@sinanmohd.com> | 2024-02-09 17:19:24 +0530 | 
| commit | 05c7f64bd12d56f3fc066f61fc01351acb0ddb7b (patch) | |
| tree | c0ba7b4967a18336cfcfaa0574942af3a96ebe95 /hosts/kay/modules | |
| parent | 08a6d64d9d71489196838ee63ae52a92f0147508 (diff) | |
kay/acme/rfc2136: init
Diffstat (limited to 'hosts/kay/modules')
| -rw-r--r-- | hosts/kay/modules/acme.nix | 23 | ||||
| -rw-r--r-- | hosts/kay/modules/dns/default.nix | 40 | ||||
| -rw-r--r-- | hosts/kay/modules/dns/sinanmohd.com.zone | 4 | ||||
| -rw-r--r-- | hosts/kay/modules/www.nix | 20 | 
4 files changed, 77 insertions, 10 deletions
| diff --git a/hosts/kay/modules/acme.nix b/hosts/kay/modules/acme.nix new file mode 100644 index 0000000..f4ded0a --- /dev/null +++ b/hosts/kay/modules/acme.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: let +  email = config.userdata.email; +  domain = config.userdata.domain; + +  environmentFile = +    pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'"; +in { +  security.acme = { +    acceptTerms = true; +    defaults.email = email; + +    certs.${domain} = { +      inherit domain; +      extraDomainNames = [ "*.${domain}" ]; + +      dnsProvider = "rfc2136"; +      dnsPropagationCheck = false; # local DNS server + +      inherit environmentFile; +      group = config.services.nginx.group; +    }; +  }; +} diff --git a/hosts/kay/modules/dns/default.nix b/hosts/kay/modules/dns/default.nix index 28e48c5..1146cc3 100644 --- a/hosts/kay/modules/dns/default.nix +++ b/hosts/kay/modules/dns/default.nix @@ -1,5 +1,18 @@ -{ config, ... }: let +{ config, pkgs, ... }: let    listen_addr = "2001:470:ee65::1"; + +  acmeSOA = pkgs.writeText "acmeSOA" '' +    $TTL 2d + +    @	IN	SOA	ns1.sinanmohd.com.	sinan.sinanmohd.com. ( +                        2024020505 ; serial +                        2h         ; refresh +                        5m         ; retry +                        1d         ; expire +                        5m )       ; nx ttl + +        IN	NS	ns1.sinanmohd.com. +  '';  in {    imports = [ ./ddns.nix ]; @@ -58,6 +71,12 @@ in {            update-type = [ "A" "AAAA" ];            action = "update";          } +        { +          id = "acme"; +          address = [ listen_addr ]; +          update-type = [ "TXT" ]; +          action = "update"; +        }        ];        mod-rrl = [{ @@ -74,13 +93,25 @@ in {          }          {            id = "master"; +          semantic-checks = "on"; +            dnssec-signing = "on";            dnssec-policy = "gtld-servers.net"; -          semantic-checks = "on"; +            notify = [ "ns1.he.net" ];            acl = [ "ns1.he.net" "localhost" ]; + +          zonefile-sync = "-1"; +          zonefile-load = "difference"; +        } +        { +          id = "acme"; +          semantic-checks = "on"; +          acl = [ "acme" ]; +            zonefile-sync = "-1";            zonefile-load = "difference"; +          journal-content = "changes";          }        ]; @@ -91,6 +122,11 @@ in {            template = "master";          }          { +          domain = "_acme-challenge.sinanmohd.com"; +          file = acmeSOA; +          template = "acme"; +        } +        {            domain = "5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa";            file = ./5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone;          } diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone index 1c92366..2ea2925 100644 --- a/hosts/kay/modules/dns/sinanmohd.com.zone +++ b/hosts/kay/modules/dns/sinanmohd.com.zone @@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.  $TTL 2d  @	IN	SOA	ns1	sinan ( -			2024020400 ; serial +			2024020800 ; serial  			2h         ; refresh  			5m         ; retry  			1d         ; expire @@ -23,3 +23,5 @@ www	IN	CNAME	@  git	IN	CNAME	@  bin	IN	CNAME	@  static	IN	CNAME	@ + +_acme-challenge	IN	NS	ns1 diff --git a/hosts/kay/modules/www.nix b/hosts/kay/modules/www.nix index 7d0e646..a0b9c20 100644 --- a/hosts/kay/modules/www.nix +++ b/hosts/kay/modules/www.nix @@ -2,7 +2,6 @@  let    domain = config.userdata.domain; -  email = config.userdata.email;    fscusat = "fscusat.org";    mark = "themark.ing";    storage = "/hdd/users/sftp/shr"; @@ -19,11 +18,6 @@ in      allowedUDPPorts = [ 443 ];    }; -  security.acme = { -    acceptTerms = true; -    defaults.email = email; -  }; -    services.nginx = {       enable = true;      package = pkgs.nginxQuic; @@ -42,7 +36,7 @@ in          quic = true;          http3 = true;          forceSSL = true; -        enableACME = true; +        useACMEHost = domain;        };      in {        "${domain}" = defaultOpts // { @@ -93,9 +87,15 @@ in        };        "${fscusat}" = defaultOpts // { +        useACMEHost = null; +        enableACME = true; +          globalRedirect = "www.${fscusat}";        };        "www.${fscusat}" = defaultOpts // { +        useACMEHost = null; +        enableACME = true; +          locations."/" = {            return = "200 '<h1>under construction</h1>'";            extraConfig = "add_header Content-Type text/html;"; @@ -103,9 +103,15 @@ in        };        "${mark}" = defaultOpts // { +        useACMEHost = null; +        enableACME = true; +          globalRedirect = "www.${mark}";        };        "www.${mark}" = defaultOpts // { +        useACMEHost = null; +        enableACME = true; +          locations."/" = {            return = "200 '<h1>under construction, see you soon</h1>'";            extraConfig = "add_header Content-Type text/html;"; | 
