env/acme: move domains, certs out of dmz

3 files changed, 57 insertions, 0 deletions

diff --git a/env/acme/default.nix b/env/acme/default.nix
new file mode 100644
index 0000000..779b4e2
--- /dev/null
+++ b/env/acme/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+with lib; let
+  cfg = config.local;
+in
+{
+  options.local = with types; {
+    domains = mkOption {
+      type = attrsOf (attrsOf str);
+    };
+
+    certs = mapAttrs
+      (_: _: {
+        enable = mkEnableOption "TLS cert for ${name}";
+      })
+      cfg.domains;
+  };
+
+  config = {
+    security.acme = {
+      acceptTerms = true;
+
+      defaults = {
+        email = "security@${config.networking.domain}";
+        renewInterval = "weekly";
+      };
+
+      certs =
+        let
+          domainSort = sort (a: b: splitString "." a < splitString "." b);
+
+          certConfig = domains: {
+            domain = domains.main;
+            extraDomainNames = domainSort (attrValues (filterAttrs (k: _: k != "main") domains));
+            webroot = "/var/lib/acme/acme-challenge";
+          };
+        in
+        mapAttrs'
+          (_: value: nameValuePair value.main (certConfig value))
+          (filterAttrs (name: _: cfg.certs.${name}.enable) cfg.domains);
+    };
+
+    local.domains = import ./domains.nix;
+  };
+}
diff --git a/env/acme/domains.nix b/env/acme/domains.nix
new file mode 100644
index 0000000..0412391
--- /dev/null
+++ b/env/acme/domains.nix
@@ -0,0 +1,12 @@
+{
+  host = {
+    main = "34project.org";
+    www = "www.34project.org";
+    mail = "mail.34project.org";
+  };
+
+  smtp.main = "smtp.34project.org";
+  imap.main = "imap.34project.org";
+
+  git.main = "git.cluster451.org";
+}
diff --git a/env/default.nix b/env/default.nix
index 0290518..ab68406 100644
--- a/env/default.nix
+++ b/env/default.nix
@@ -1,6 +1,7 @@
 { lib, ... }:
 with lib; {
   imports = [
+    ./acme
     ./users
   ];
 }