fix(network): uqdn

2026-02-09 12:29:19 -08:00 · 2022-09-26 08:52:51 -07:00 · 2022-09-26 08:52:51 -07:00 · 58992ff283
commit 58992ff283
parent d1dc6a0e72
6 changed files with 53 additions and 36 deletions
--- a/nixos/network.nix
+++ b/nixos/network.nix
@ -46,6 +46,10 @@
            type = nullOr str;
            default = null;
          };
+          uqdn = mkOption {
+            type = nullOr str;
+            default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target));
+          };
          zone = mkOption {
            type = nullOr str;
            default = "kittywit.ch.";
@ -177,7 +181,7 @@
          };
          uqdn = mkOption {
            type = nullOr str;
-            default = lib.removeSuffix "." config.target;
+            default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target));
          };
          target = mkOption {
            type = nullOr str;
@ -271,7 +275,7 @@
        # Merge the result of a map upon address_families to mapAttrs'
        networks'' = map (family: mapAttrs' (network: settings:
          nameValuePair "${network}-${family}-${settings.domain}-${settings.zone}" ({
-            inherit (settings) zone;
+            inherit (settings) zone domain;
          } // (if family == "ipv6" then {
            aaaa.address = settings.ipv6;
            enable = mkForce settings.ipv6_defined;
@ -279,10 +283,7 @@
            enable = mkForce settings.ipv4_defined;
            a.address = settings.ipv4;
          })
-        ) // optionalAttrs (settings.domain != "@" && settings.domain != "" && settings.domain != null) {
-          inherit (settings) domain;
-        } // optionalAttrs (settings.domain == "@" || settings.domain == "" || settings.domain == null) {
-        }) networks') address_families;
+        )) networks') address_families;
      in mkMerge (if tf.state.enable then (networks'' ++  domains' ++ [ extraDomains ]) else []);

      acme = let
@ -303,9 +304,9 @@
          };
        };
        certs = let
-          nvP = network: settings: nameValuePair "${removeSuffix "." settings.target}" {
+          nvP = network: settings: nameValuePair settings.uqdn {
            keyType = "4096";
-            dnsNames = [ (removeSuffix "." settings.target) ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
+            dnsNames = [ settings.uqdn ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
          };
          network_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) sane_networks);
          domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains);
@ -338,34 +339,33 @@
    };

    secrets.files = let
-          fixedTarget = settings: removeSuffix "." settings.target;
          networks = mapAttrs' (network: settings:
-            nameValuePair "${fixedTarget settings}-cert" {
-              text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
+            nameValuePair "${settings.uqdn}-cert" {
+              text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
              owner = "nginx";
              group = "domain-auth";
              mode = "0440";
            }
          ) (filterAttrs (_: settings: settings.create_cert) sane_networks);
          networks' = mapAttrs' (network: settings:
-            nameValuePair "${fixedTarget settings}-key" {
-              text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
+            nameValuePair "${settings.uqdn}-key" {
+              text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
              owner = "nginx";
              group = "domain-auth";
              mode = "0440";
            }
          ) (filterAttrs (_: settings: settings.create_cert) sane_networks);
          domains = mapAttrs' (network: settings:
-            nameValuePair "${fixedTarget settings}-cert" {
-              text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
+            nameValuePair "${settings.uqdn}-cert" {
+              text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
              owner = settings.owner;
              group = settings.group;
              mode = "0440";
            }
          ) (filterAttrs (network: settings: settings.create_cert) config.domains);
          domains' = mapAttrs' (network: settings:
-            nameValuePair "${fixedTarget settings}-key" {
-              text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
+            nameValuePair "${settings.uqdn}-key" {
+              text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
              owner = settings.owner;
              group = settings.group;
              mode = "0440";
@ -374,18 +374,17 @@
          in networks // networks' // domains // domains';

    services.nginx.virtualHosts = let
-          networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else "root") {
+          networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) {
            forceSSL = true;
-            sslCertificate = config.secrets.files."${removeSuffix "." settings.target}-cert".path;
-            sslCertificateKey = config.secrets.files."${removeSuffix "." settings.target}-key".path;
-          }) ([ settings.target ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
-          domainVirtualHosts = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) (filterAttrs (network: settings:  settings.create_cert) config.domains)));
-          domainVirtualHosts' = (map (hostname2: let
-            hostname = if hasPrefix "@" hostname2 then "root" else hostname2;
-          in nameValuePair hostname  {
+            sslCertificate = config.secrets.files."${settings.uqdn}-cert".path;
+            sslCertificateKey = config.secrets.files."${settings.uqdn}-key".path;
+          }) ([ settings.uqdn ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
+          domainVirtualHosts = (filterAttrs (network: settings:  settings.create_cert) config.domains);
+          domainVirtualHosts' = (mapAttrsToList (network: settings: let
+          in nameValuePair settings.uqdn  {
              forceSSL = true;
-              sslCertificate = mkDefault config.secrets.files."${hostname}-cert".path;
-              sslCertificateKey = mkDefault config.secrets.files."${hostname}-key".path;
+              sslCertificate = mkDefault config.secrets.files."${settings.uqdn}-cert".path;
+              sslCertificateKey = mkDefault config.secrets.files."${settings.uqdn}-key".path;
          }) domainVirtualHosts);
        in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts'));

--- a/nixos/systems/tewi/mosquitto.nix
+++ b/nixos/systems/tewi/mosquitto.nix
@ -11,6 +11,11 @@
    field = "z2m";
  };

+  kw.secrets.variables.systemd-pass = {
+    path = "secrets/mosquitto";
+    field = "systemd";
+  };
+
  kw.secrets.variables.hass-pass = {
    path = "secrets/mosquitto";
    field = "hass";
@ -22,6 +27,12 @@
    group = "mosquitto";
  };

+  secrets.files.systemd-pass = {
+    text = tf.variables.systemd-pass.ref;
+    owner = "mosquitto";
+    group = "mosquitto";
+  };
+
  secrets.files.hass-pass = {
    text = tf.variables.hass-pass.ref;
    owner = "mosquitto";
@ -36,14 +47,20 @@
        "pattern readwrite #"
      ];
      users = {
-        hass = {
-          passwordFile = config.secrets.files.hass-pass.path;
+        z2m = {
+          passwordFile = config.secrets.files.z2m-pass.path;
          acl = [
            "readwrite #"
          ];
        };
-        z2m = {
-          passwordFile = config.secrets.files.z2m-pass.path;
+        systemd = {
+          passwordFile = config.secrets.files.systemd-pass.path;
+          acl = [
+            "readwrite #"
+          ];
+        };
+        hass = {
+          passwordFile = config.secrets.files.hass-pass.path;
          acl = [
            "readwrite #"
          ];
--- a/overlays/local/irlsite.nix
+++ b/overlays/local/irlsite.nix
@ -4,7 +4,7 @@
    owner = "kittywitch";
    repo = "inskip.me";
    rev = "3789d9ae2b0135828a6d92e2e6846aec42a29d88";
-    sha256 = "sha256-EYtlGmfEjJ0n2F2OKgKD59SgvKHZC109jgRsyawqGNw=";
+    sha256 = "sha256-nIAeZRxZ86QuZxGnHTIaawySiTEdw8ZQ4L8eR/2Mdy0=";
  };
  buildPhase = ''
  '';
--- a/services/keycloak.nix
+++ b/services/keycloak.nix
@ -1,7 +1,7 @@
 { config, pkgs, lib, tf, ... }: with lib; let
  id = tf.acme.certs."auth.kittywit.ch".out.resource.getAttr "id";
 in {
-  services.keycloak = {
+  services.keycloak = lib.mkIf (tf.state.enable) {
    enable = builtins.getEnv "CI_PLATFORM" == "impure";
    package = (pkgs.keycloak.override {
      jre = pkgs.openjdk11;
@ -33,12 +33,12 @@ in {
    members = [ "keycloak" "openldap" ];
  };

-  systemd.services.keycloak.script  = lib.mkBefore ''
+  systemd.services.keycloak.script = lib.mkIf (tf.state.enable) (lib.mkBefore ''
    mkdir -p /run/keycloak
    if [[ ! -e /run/keycloak/${id}.jks ]]; then
      ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore /run/keycloak/${id}.jks -keypass ${id} -storepass ${id} -file ${config.domains.kittywitch-keycloak.cert_path}
    fi
-  '';
+  '');

  users.groups.keycloak = { };

--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -71,5 +71,6 @@
    network = "internet";
    type = "cname";
    domain = "vault";
+    zone = "kittywit.ch.";
  };
 }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit b437fcdf335a6ac1fd710603c4f9b9033752922e
+Subproject commit abf696684d586e054efc3de9abb7829b8171e91e