parent
6d1c9ff2dc
commit
ba28ad8d03
4 changed files with 114 additions and 0 deletions
61
nix/modules/nixos/security/acme/default.nix
Normal file
61
nix/modules/nixos/security/acme/default.nix
Normal file
|
|
@ -0,0 +1,61 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.khscodes.security.acme;
|
||||||
|
vaultAgentCredentialsFile = "/var/lib/vault-agent/acme/cloudflare-api-token";
|
||||||
|
cloudflareSecret = "opentofu/data/cloudflare";
|
||||||
|
acmeServicesToRestart = lib.lists.map (a: "acme-${a}.service") (
|
||||||
|
lib.attrsets.attrNames config.security.certs
|
||||||
|
);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.khscodes.security.acme = {
|
||||||
|
enable = lib.mkEnableOption "Enables acme";
|
||||||
|
dns01Enabled = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = "Whether to use DNS01 instead of http-01 challenges. This will make the approle gain policy to retrieve the needed cloudflare secrets to manage dns.";
|
||||||
|
default = config.khscodes.infrastructure.khs-openstack-instance.enable;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults =
|
||||||
|
{
|
||||||
|
email = "kaare@kaareskovgaard.net";
|
||||||
|
}
|
||||||
|
// lib.attrsets.optionalAttrs cfg.dns01Enabled {
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
dnsResolver = "1.1.1.1:53";
|
||||||
|
credentialsFile = vaultAgentCredentialsFile;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
khscodes.infrastructure.vault-server-approle = {
|
||||||
|
enable = true;
|
||||||
|
policy = [
|
||||||
|
{
|
||||||
|
"${cloudflareSecret}" = {
|
||||||
|
capabilities = [ "read" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
khscodes.services.vault-agent = (cfg.dns01Enabled && acmeServicesToRestart != [ ]) {
|
||||||
|
enable = true;
|
||||||
|
templates = [
|
||||||
|
{
|
||||||
|
contents = ''
|
||||||
|
{{- with secret "${cloudflareSecret}" -}}
|
||||||
|
CLOUDFLARE_DNS_API_TOKEN={{ .Data.data.TF_VAR_cloudflare_token }}
|
||||||
|
CLOUDFLARE_DNS_EMAIL={{ .Data.data.TF_VAR_cloudflare_email }}
|
||||||
|
{{- end -}}
|
||||||
|
'';
|
||||||
|
destination = vaultAgentCredentialsFile;
|
||||||
|
perms = "0600";
|
||||||
|
owner = "acme";
|
||||||
|
group = "acme";
|
||||||
|
restartUnits = acmeServicesToRestart;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
41
nix/modules/nixos/services/nginx/default.nix
Normal file
41
nix/modules/nixos/services/nginx/default.nix
Normal file
|
|
@ -0,0 +1,41 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
cfg = config.khscodes.services.nginx;
|
||||||
|
vhostOption = lib.khscodes.mkSubmodule {
|
||||||
|
description = "nginx vhost";
|
||||||
|
options = {
|
||||||
|
useACMEHost = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
description = "Makes the virtual host use the certificate of another acme host";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.khscodes.services.nginx = {
|
||||||
|
enable = lib.mkEnableOption "Enables nginx";
|
||||||
|
virtualHosts = lib.mkOption {
|
||||||
|
type = lib.types.attrsOf vhostOption;
|
||||||
|
description = "Virtual hosts settings";
|
||||||
|
default = { };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
khscodes.security.acme.enable = true;
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
package = lib.mkDefault pkgs.nginxStable;
|
||||||
|
sslDhparam = lib.mkDefault "${config.security.dhparams.params."nginx".path}";
|
||||||
|
recommendedTlsSettings = lib.mkDefault true;
|
||||||
|
recommendedGzipSettings = lib.mkDefault true;
|
||||||
|
recommendedOptimisation = lib.mkDefault true;
|
||||||
|
recommendedZstdSettings = lib.mkDefault true;
|
||||||
|
recommendedProxySettings = lib.mkDefault true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -19,6 +19,7 @@ in
|
||||||
roleIdFilePath = config.khscodes.services.vault-agent.vault.roleIdFilePath;
|
roleIdFilePath = config.khscodes.services.vault-agent.vault.roleIdFilePath;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
services.khscodes.vault-agent.enable = true;
|
||||||
systemd.services."openstack-read-vault-auth-from-userdata" = {
|
systemd.services."openstack-read-vault-auth-from-userdata" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
|
||||||
|
|
@ -34,6 +34,7 @@ let
|
||||||
name = "restart-command";
|
name = "restart-command";
|
||||||
runtimeInputs = [ pkgs.systemd ];
|
runtimeInputs = [ pkgs.systemd ];
|
||||||
text = ''
|
text = ''
|
||||||
|
chown ${lib.escapeShellArg template.owner}:${lib.escapeShellArg template.group} ${lib.escapeShellArg template.destination}
|
||||||
${restartUnits template.restartUnits}
|
${restartUnits template.restartUnits}
|
||||||
${reloadOrRestartUnits template.reloadOrRestartUnits}
|
${reloadOrRestartUnits template.reloadOrRestartUnits}
|
||||||
${template.exec}
|
${template.exec}
|
||||||
|
|
@ -133,6 +134,16 @@ in
|
||||||
description = "Permissions of the generated file, by default will only be readable by root";
|
description = "Permissions of the generated file, by default will only be readable by root";
|
||||||
default = "0600";
|
default = "0600";
|
||||||
};
|
};
|
||||||
|
owner = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Owner (user) of the generated file";
|
||||||
|
default = "root";
|
||||||
|
};
|
||||||
|
group = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Group of the generated file";
|
||||||
|
default = "root";
|
||||||
|
};
|
||||||
exec = lib.mkOption {
|
exec = lib.mkOption {
|
||||||
type = lib.types.lines;
|
type = lib.types.lines;
|
||||||
default = '''';
|
default = '''';
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue