diff --git a/constants.nix b/constants.nix index e8de9ad..91b8456 100644 --- a/constants.nix +++ b/constants.nix @@ -30,7 +30,7 @@ rec { port = 8085; }; netdata = { - # fqdn = "mon." + domain; + fqdn = "mon." + domain; port = 19999; }; open-webui-oci = { diff --git a/hosts/rx4/services/nginx.nix b/hosts/rx4/services/nginx.nix index cae8e31..c4c24af 100644 --- a/hosts/rx4/services/nginx.nix +++ b/hosts/rx4/services/nginx.nix @@ -7,8 +7,6 @@ let cfg = config.services.nginx; - - inherit (constants) domain; in { imports = [ @@ -36,21 +34,4 @@ in }; }; }; - - security.acme = { - acceptTerms = true; - defaults = { - email = "admin@${domain}"; - dnsProvider = "hetzner"; - credentialFiles = { - HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path; - }; - }; - }; - - sops.secrets.hetzner-api-key = { - mode = "0400"; - owner = "acme"; - group = "acme"; - }; } diff --git a/hosts/rx4/services/vaultwarden.nix b/hosts/rx4/services/vaultwarden.nix index cffaeae..eed5712 100644 --- a/hosts/rx4/services/vaultwarden.nix +++ b/hosts/rx4/services/vaultwarden.nix @@ -62,10 +62,18 @@ in }; }; - security.acme.certs."pw-custom" = { - domain = fqdn; - postRun = "systemctl restart vaultwarden.service"; - group = "nginx"; + security.acme = { + acceptTerms = true; + defaults.email = "admin@${domain}"; + certs."pw-custom" = { + domain = fqdn; + dnsProvider = "hetzner"; + dnsResolver = "1.1.1.1:53"; + credentialFiles = { + HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path; + }; + group = "nginx"; + }; }; sops = @@ -82,6 +90,11 @@ in "vaultwarden/smtp-password" = { inherit owner group mode; }; + hetzner-api-key = { + inherit mode; + owner = "acme"; + group = "acme"; + }; }; templates = { "vaultwarden/env-file" = { diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix new file mode 100644 index 0000000..b7e2f37 --- /dev/null +++ b/hosts/sid/services/coredns.nix 
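Review bot: The rebuilt `pw-custom` certificate in vaultwarden.nix drops the old `postRun = "systemctl restart vaultwarden.service";` without a replacement, so if vaultwarden still reads this certificate directly (which the old hook suggests), it keeps serving the stale certificate after every renewal until something restarts it. Either keep `postRun = "systemctl restart vaultwarden.service";` in the new `certs."pw-custom"` block, or, if nginx is now the only consumer, record that in a comment next to `group = "nginx";`. Moving `acceptTerms` and `defaults.email` out of nginx.nix into this file also makes every other ACME certificate on rx4 depend on vaultwarden.nix staying imported; a neutral `acme.nix` module would avoid that coupling. The enclosing attribute set starts and ends outside the hunk.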
@@ -0,0 +1,31 @@
+{ constants, ... }:
+
+{
+ services.resolved.enable = false;
+ networking.resolvconf.enable = false;
+
+ networking.nameservers = [ "127.0.0.1" ];
+
+ services.coredns = {
+ enable = true;
+ config = with constants; ''
+ .:53 {
+ bind 0.0.0.0
+ hosts {
+ ${hosts.sid.ip} ${ca-fqdn}
+
+ ${hosts.sid.ip} ${services.netdata.fqdn}
+
+ fallthrough
+ }
+ forward . 1.1.1.1 8.8.8.8
+ cache 30
+ log
+ errors
+ }
+ '';
+ };
+
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [ 53 ];
+}
diff --git a/hosts/sid/services/default.nix b/hosts/sid/services/default.nix
index 7ca9678..9baf6fb 100644
--- a/hosts/sid/services/default.nix
+++ b/hosts/sid/services/default.nix
@@ -17,5 +17,8 @@
 ./nginx.nix
 ./radicale.nix
 ./rss-bridge.nix
+
+ # ./coredns.nix
+ # ./step-ca.nix
 ];
 }
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index 0d4a03f..b9492db 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -31,6 +31,11 @@
 type = "A";
 value = constants.hosts.rx4.ip;
 }
+ {
+ name = constants.services.netdata.fqdn;
+ type = "A";
+ value = constants.hosts.sid.ip;
+ }
 ];
 };
 }
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
new file mode 100644
index 0000000..e2570c9
--- /dev/null
+++ b/hosts/sid/services/step-ca.nix
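Review bot: With `bind 0.0.0.0`, `forward . 1.1.1.1 8.8.8.8` and port 53 opened on every interface by `networking.firewall.allowedUDPPorts`/`allowedTCPPorts`, coredns.nix turns sid into an open recursive resolver for whatever can reach its public address, which is abusable for DNS amplification and exposes the `log` output of every client query. Restrict it to the interface it is meant to serve, e.g. `networking.firewall.interfaces.<tailnet-if>.allowedUDPPorts = [ 53 ];` together with `bind <tailnet address>` in the Corefile, or add an `acl { allow net <internal-cidr>; block }` stanza ahead of `forward`. A comment is also warranted on `networking.nameservers = [ "127.0.0.1" ];`: with `resolved` disabled, the host has no name resolution at all if coredns fails to start. Nothing here is live yet, since default.nix imports the module only as a commented-out line.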
@@ -0,0 +1,105 @@ +{ + constants, + config, + pkgs, + ... +}: + +let + cfg = config.services.step-ca; +in +{ + services.step-ca = { + enable = true; + address = "0.0.0.0"; + port = 8443; + openFirewall = true; + intermediatePasswordFile = config.sops.secrets."step-ca/password".path; + # nix-shell -p step-cli --run "step ca init" + settings = { + # FIXME: nix-store paths do not work + # root = ../../../certs/root_ca.crt; + # crt = ../../../certs/intermediate_ca.crt; + # FIXME: not reproducible + root = "/var/lib/step-ca/certs/root_ca.crt"; + crt = "/var/lib/step-ca/certs/intermediate_ca.crt"; + key = config.sops.secrets."step-ca/intermediate-key".path; + dnsNames = [ + constants.ca-fqdn + constants.hosts.sid.ip + ]; + logger = { + format = "text"; + }; + db = { + type = "badgerv2"; + dataSource = "/var/lib/step-ca/db"; + }; + authority = { + provisioners = [ + { + type = "ACME"; + name = "acme"; + } + { + type = "JWK"; + name = "sid@sid.ovh"; + key = { + use = "sig"; + kty = "EC"; + kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg"; + crv = "P-256"; + alg = "ES256"; + x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M"; + y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw"; + }; + encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ"; + } + ]; + }; + tls = { + cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ]; + renegotiation = false; + }; + }; + }; + + 
environment.systemPackages = [ + pkgs.step-cli + ]; + + systemd.tmpfiles.rules = [ + "d /var/lib/acme/acme-challenge 0755 acme nginx" + ]; + + security.acme = { + certs."sid-internal" = { + # domain = constants.intranet; + domain = constants.services.netdata.fqdn; + extraDomainNames = [ + ]; + server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory"; + group = "nginx"; + }; + }; + + sops = + let + owner = "step-ca"; + group = "step-ca"; + mode = "0400"; + in + { + secrets = { + "step-ca/password" = { + inherit owner group mode; + }; + "step-ca/intermediate-key" = { + inherit owner group mode; + }; + }; + }; +}
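Review bot: The CA listens on `address = "0.0.0.0"` with `openFirewall = true` and its `ACME` provisioner carries no name policy, so any client that can reach sid:8443 and answer a challenge obtains a certificate chaining to the internal root for whatever name it can validate; bind the listener to the internal address instead, or constrain issuance with step-ca's authority policy (`authority.policy.x509.allow.dns`, checked against the docs for the packaged version). The `sid-internal` cert points lego at `https://${ca-fqdn}:8443/acme/acme/directory`, but nothing in this file trusts the CA's root, so unless it is added elsewhere lego will reject the server certificate — the root is public and can live in the repo, e.g. `security.pki.certificateFiles = [ ../../../certs/root_ca.crt ];`. That cert also sets no `webroot`/`dnsProvider`/`listenHTTP`, and the tmpfiles rule creates a webroot nothing references, so `webroot = "/var/lib/acme/acme-challenge";` (or an nginx `useACMEHost`) is needed unless an nginx vhost configures it. Finally, `encryptedKey` is now committed to the repo and copied into the world-readable nix store, which is only acceptable if the provisioner password (the intermediate password unless it was changed at `step ca init`) resists offline PBES2 cracking; a comment above `encryptedKey` should say so.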