rebase: certs nginx stuff

Oystein Kristoffer Tveit 2024-04-01 18:19:22 +02:00
parent 02f817145f
commit 503f27ae0c
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
2 changed files with 96 additions and 10 deletions


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./users ./users
./modules/snakeoil-certs.nix
]; ];
networking.domain = "pvv.ntnu.no"; networking.domain = "pvv.ntnu.no";
@ -82,20 +83,29 @@
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
# nginx 404 for nonexistent virtualhosts
sops.age = { sops.age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
sops.secrets = lib.mkIf (config.services.nginx.enable) { # nginx 404 for nonexistent virtualhosts
"snakeoil_cert/public" = {
owner = "nginx"; # sops.secrets = lib.mkIf (config.services.nginx.enable) {
group = "nginx"; # "snakeoil_cert/public" = {
sopsFile = ./secrets/common.yaml; # owner = "nginx";
}; # group = "nginx";
"snakeoil_cert/private" = { # sopsFile = ./secrets/common.yaml;
# };
# "snakeoil_cert/private" = {
# owner = "nginx";
# group = "nginx";
# sopsFile = ./secrets/common.yaml;
# };
# };
environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
"/etc/certs/nginx" = {
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
sopsFile = ./secrets/common.yaml; sopsFile = ./secrets/common.yaml;
@ -103,8 +113,8 @@
}; };
services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) { services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
sslCertificate = config.sops.secrets."snakeoil_cert/public".path; sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = config.sops.secrets."snakeoil_cert/private".path; sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true; addSSL = true;
extraConfig = "return 444;"; extraConfig = "return 444;";
}; };
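Review bot: The new `environment.snakeoil-certs."/etc/certs/nginx"` entry still carries `sopsFile = ./secrets/common.yaml;` as a context line left over from the old sops block, and the module added in this commit declares no such option, so evaluation will likely reject it; that line should be dropped. The virtual host then hard-codes `"/etc/certs/nginx.crt"` and `"/etc/certs/nginx.key"`, which only match while the module defaults stay `${name}.crt` and `${name}.key`; reading them back, e.g. `sslCertificate = config.environment.snakeoil-certs."/etc/certs/nginx".certificate;`, keeps the two in sync. Nothing visible in these hunks orders nginx after `gen-snakeoil-certs.service`, so on a fresh host the files may not exist when nginx starts; a `requires`/`after` on `systemd.services.nginx` would cover that.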


@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }:
let
cfg = config.environment.snakeoil-certs;
in
{
options.environment.snakeoil-certs = lib.mkOption {
default = { };
description = "TODO";
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0770";
};
daysValid = lib.mkOption {
type = lib.types.str;
default = "90";
};
opensslOptions = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
certificate = lib.mkOption {
type = lib.types.str;
default = "${name}.crt";
};
certificateKey = lib.mkOption {
type = lib.types.str;
default = "${name}.key";
};
}));
};
config = {
systemd.services."gen-snakeoil-certs" = {
enable = true;
serviceConfig.Type = "oneshot";
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days "${toString value.daysValid}" \
-nodes \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.opensslOptions}
fi
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
'') (lib.attrsToList cfg);
};
systemd.timers."gen-snakeoil-certs" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Persistent = true;
Unit = "gen-snakeoil-certs.service";
};
};
};
}
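Review bot: The function passed to `lib.types.submodule` returns its `mkOption` declarations (`owner` through `certificateKey`) at the top level rather than under `options = { … };`, so the module system will presumably treat them as config for undeclared options and fail evaluation; wrap them in `options = { … };`. In the generator script the single `mode` (default `"0770"`) is applied to the private key as well as the certificate, which leaves the key group-writable and executable; a key-specific `chmod 0600 "${value.certificateKey}"` (or a separate key-mode option) plus a `umask 077` before `openssl req` would keep the key from being readable more widely than intended, even briefly. `-in ${value.certificate}` on the `-checkend` line is the only unquoted path, and the other paths are interpolated raw inside double quotes; `lib.escapeShellArg`, whose list form is already used for `opensslOptions`, fits all of them. `openssl req` runs without `-subj`, so unless each entry passes one through `opensslOptions` it may try to prompt inside a non-interactive unit.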