From 58992ff283a3fa9e9c5aa50c52f489399ccc4f94 Mon Sep 17 00:00:00 2001
From: kat
Date: Mon, 26 Sep 2022 08:52:51 -0700
Subject: [PATCH] fix(network): uqdn
---
 nixos/network.nix | 53 ++++++++++++++++----------------
 nixos/systems/tewi/mosquitto.nix | 25 ++++++++++++---
 overlays/local/irlsite.nix | 2 +-
 services/keycloak.nix | 6 ++--
 services/vaultwarden.nix | 1 +
 tf | 2 +-
 6 files changed, 53 insertions(+), 36 deletions(-)
diff --git a/nixos/network.nix b/nixos/network.nix
index c9fad468..ab99730d 100644
--- a/nixos/network.nix
+++ b/nixos/network.nix
@@ -46,6 +46,10 @@
 type = nullOr str;
 default = null;
 };
+ uqdn = mkOption {
+ type = nullOr str;
+ default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target));
+ };
 zone = mkOption {
 type = nullOr str;
 default = "kittywit.ch.";
@@ -177,7 +181,7 @@
 };
 uqdn = mkOption {
 type = nullOr str;
- default = lib.removeSuffix "." config.target;
+ default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target));
 };
 target = mkOption {
 type = nullOr str;
@@ -271,7 +275,7 @@
 # Merge the result of a map upon address_families to mapAttrs'
 networks'' = map (family: mapAttrs' (network: settings: nameValuePair "${network}-${family}-${settings.domain}-${settings.zone}" ({
- inherit (settings) zone;
+ inherit (settings) zone domain;
 } // (if family == "ipv6" then {
 aaaa.address = settings.ipv6;
 enable = mkForce settings.ipv6_defined;
@@ -279,10 +283,7 @@
 enable = mkForce settings.ipv4_defined;
 a.address = settings.ipv4;
 })
- ) // optionalAttrs (settings.domain != "@" && settings.domain != "" && settings.domain != null) {
- inherit (settings) domain;
- } // optionalAttrs (settings.domain == "@" || settings.domain == "" || settings.domain == null) {
- }) networks') address_families;
+ )) networks') address_families;
 in mkMerge (if tf.state.enable then (networks'' ++ domains' ++ [ extraDomains ]) else []);
 acme = let 
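Review bot: The new `uqdn` default at line +49 only recognises `"@"` as the apex, so a `domain` of `""` or null — both of which the guard this same patch removes further down treated as apex — now falls through to `removeSuffix "." config.target`, which is an evaluation error if `target` is still at its null default. Widening the test, `default = if config.domain == "@" || config.domain == "" || config.domain == null then removeSuffix "." config.zone else removeSuffix "." config.target;`, keeps those entries resolving to the zone. Whether `domain` can be null in this submodule is inferred from the `nullOr str` types shown rather than confirmed, and the submodule begins and ends outside the hunk.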
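Review bot: The `uqdn` default added at line +184 is the same expression as the one added at line +49 of this file, so any later fix (the `""`/null domain case, for instance) has to be made twice and will silently drift if it is not. A helper in the file's `let` scope, `uqdnOf = cfg: if cfg.domain == "@" then removeSuffix "." cfg.zone else removeSuffix "." cfg.target;`, used as `default = uqdnOf config;` in both submodules, keeps them in step. Both enclosing submodule definitions run past the hunk boundaries.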
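Review bot: Removing the `optionalAttrs` guard means `domain` is now inherited unconditionally (line +278), so the `""` and null values the old guard excluded alongside `"@"` reach the DNS record definition unchanged, and a null `domain` still cannot survive the `"${network}-${family}-${settings.domain}-${settings.zone}"` name built two lines earlier. If the terraform module now handles `"@"` it is worth normalising the other two to it at this point, e.g. `domain = if settings.domain == null || settings.domain == "" then "@" else settings.domain;` in place of the bare inherit, or tightening the option type so they cannot occur. The `networks''` binding and the `mkMerge` it feeds continue past the hunk, so this is inferred from the visible lines only.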
@@ -303,9 +304,9 @@
 };
 };
 certs = let
- nvP = network: settings: nameValuePair "${removeSuffix "." settings.target}" {
+ nvP = network: settings: nameValuePair settings.uqdn {
 keyType = "4096";
- dnsNames = [ (removeSuffix "." settings.target) ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
+ dnsNames = [ settings.uqdn ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
 };
 network_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) sane_networks);
 domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains);
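Review bot: Keying both `network_certs` and `domain_certs` by `settings.uqdn` (via `nvP`, lines +307 and +309) means a network entry with `domain = "@"` and a `config.domains` entry for the same zone now resolve to the same bare zone name; if the two sets are merged with `//` further down, as the `networks // networks' // domains // domains'` merge later in this patch suggests, one entry's `dnsNames` silently replaces the other's and the certificate is issued without the losing entry's `extra_domains`. An `assert intersectLists (attrNames network_certs) (attrNames domain_certs) == [];` ahead of the merge, or combining them with `mkMerge` so a clash is a duplicate-definition error, would surface this at evaluation time. The `certs = let` binding continues past the hunk, so the merge itself is not visible here.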
@@ -338,34 +339,33 @@
 };
 secrets.files = let
- fixedTarget = settings: removeSuffix "." settings.target;
 networks = mapAttrs' (network: settings:
- nameValuePair "${fixedTarget settings}-cert" {
- text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
+ nameValuePair "${settings.uqdn}-cert" {
+ text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
 owner = "nginx";
 group = "domain-auth";
 mode = "0440";
 }
 ) (filterAttrs (_: settings: settings.create_cert) sane_networks);
 networks' = mapAttrs' (network: settings:
- nameValuePair "${fixedTarget settings}-key" {
- text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
+ nameValuePair "${settings.uqdn}-key" {
+ text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
 owner = "nginx";
 group = "domain-auth";
 mode = "0440";
 }
 ) (filterAttrs (_: settings: settings.create_cert) sane_networks);
 domains = mapAttrs' (network: settings:
- nameValuePair "${fixedTarget settings}-cert" {
- text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
+ nameValuePair "${settings.uqdn}-cert" {
+ text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
 owner = settings.owner;
 group = settings.group;
 mode = "0440";
 }
 ) (filterAttrs (network: settings: settings.create_cert) config.domains);
 domains' = mapAttrs' (network: settings:
- nameValuePair "${fixedTarget settings}-key" {
- text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
+ nameValuePair "${settings.uqdn}-key" {
+ text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
 owner = settings.owner;
 group = settings.group;
 mode = "0440";
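Review bot: A network entry and a `config.domains` entry that share a `uqdn` now silently collide in `secrets.files`: the four sets are keyed by `"${settings.uqdn}-cert"`/`"${settings.uqdn}-key"` and, per the `in networks // networks' // domains // domains';` line that closes this `let` (visible as context in the next hunk), the last definition wins, so the private key file takes the `config.domains` entry's `owner`/`group` instead of `nginx`/`domain-auth`. Because this decides who may read a TLS private key, a collision should be an evaluation error rather than a last-wins merge — `assert intersectLists (attrNames networks) (attrNames domains) == []; networks // networks' // domains // domains'`, or `mkMerge` over the four sets. The removed `fixedTarget` keying had the same potential, so the patch does not introduce it, but resolving `"@"` to the bare zone makes apex collisions more likely. The `secrets.files = let` block starts in this hunk and ends in the next.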
@@ -374,18 +374,17 @@
 in networks // networks' // domains // domains';
 services.nginx.virtualHosts = let
- networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else "root") {
+ networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) {
 forceSSL = true;
- sslCertificate = config.secrets.files."${removeSuffix "." settings.target}-cert".path;
- sslCertificateKey = config.secrets.files."${removeSuffix "." settings.target}-key".path;
- }) ([ settings.target ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
- domainVirtualHosts = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) (filterAttrs (network: settings: settings.create_cert) config.domains)));
- domainVirtualHosts' = (map (hostname2: let
- hostname = if hasPrefix "@" hostname2 then "root" else hostname2;
- in nameValuePair hostname {
+ sslCertificate = config.secrets.files."${settings.uqdn}-cert".path;
+ sslCertificateKey = config.secrets.files."${settings.uqdn}-key".path;
+ }) ([ settings.uqdn ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
+ domainVirtualHosts = (filterAttrs (network: settings: settings.create_cert) config.domains);
+ domainVirtualHosts' = (mapAttrsToList (network: settings: let
+ in nameValuePair settings.uqdn {
 forceSSL = true;
- sslCertificate = mkDefault config.secrets.files."${hostname}-cert".path;
- sslCertificateKey = mkDefault config.secrets.files."${hostname}-key".path;
+ sslCertificate = mkDefault config.secrets.files."${settings.uqdn}-cert".path;
+ sslCertificateKey = mkDefault config.secrets.files."${settings.uqdn}-key".path;
 }) domainVirtualHosts);
 in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts'));
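Review bot: The apex virtualHost at line +377 is named with `settings.zone` as-is, and `zone` defaults to `"kittywit.ch."` with a trailing dot elsewhere in this patch, so a `"@"` entry in `extra_domains` would yield `server_name kittywit.ch.`; nginx drops a trailing dot from the incoming Host header before matching, so that vhost would never be selected and requests would land on the default server. Either use `removeSuffix "." settings.zone` there, or drop the branch altogether, since `settings.uqdn` — the list's first element — already resolves `"@"` to the dotless zone. Two smaller points: `domainVirtualHosts'` carries an empty `let in` at line +383 that can go, and the network vhosts assign `sslCertificate` directly while the domain vhosts wrap it in `mkDefault`, a difference worth making deliberate or removing. The `services.nginx.virtualHosts = let` block ends inside the hunk.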
diff --git a/nixos/systems/tewi/mosquitto.nix b/nixos/systems/tewi/mosquitto.nix
index 62454c55..8f3c7ec9 100644
--- a/nixos/systems/tewi/mosquitto.nix
+++ b/nixos/systems/tewi/mosquitto.nix
@@ -11,6 +11,11 @@
 field = "z2m";
 };
+ kw.secrets.variables.systemd-pass = {
+ path = "secrets/mosquitto";
+ field = "systemd";
+ };
+
 kw.secrets.variables.hass-pass = {
 path = "secrets/mosquitto";
 field = "hass";
@@ -22,6 +27,12 @@
 group = "mosquitto";
 };
+ secrets.files.systemd-pass = {
+ text = tf.variables.systemd-pass.ref;
+ owner = "mosquitto";
+ group = "mosquitto";
+ };
+
 secrets.files.hass-pass = {
 text = tf.variables.hass-pass.ref;
 owner = "mosquitto";
@@ -36,14 +47,20 @@
 "pattern readwrite #"
 ];
 users = {
- hass = {
- passwordFile = config.secrets.files.hass-pass.path;
+ z2m = {
+ passwordFile = config.secrets.files.z2m-pass.path;
 acl = [
 "readwrite #"
 ];
 };
- z2m = {
- passwordFile = config.secrets.files.z2m-pass.path;
+ systemd = {
+ passwordFile = config.secrets.files.systemd-pass.path;
+ acl = [
+ "readwrite #"
+ ];
+ };
+ hass = {
+ passwordFile = config.secrets.files.hass-pass.path;
 acl = [
 "readwrite #"
 ];
diff --git a/overlays/local/irlsite.nix b/overlays/local/irlsite.nix
index 051c41e1..4ad55336 100644
--- a/overlays/local/irlsite.nix
+++ b/overlays/local/irlsite.nix
@@ -4,7 +4,7 @@
 owner = "kittywitch";
 repo = "inskip.me";
 rev = "3789d9ae2b0135828a6d92e2e6846aec42a29d88";
- sha256 = "sha256-EYtlGmfEjJ0n2F2OKgKD59SgvKHZC109jgRsyawqGNw=";
+ sha256 = "sha256-nIAeZRxZ86QuZxGnHTIaawySiTEdw8ZQ4L8eR/2Mdy0=";
 };
 buildPhase = ''
 '';
diff --git a/services/keycloak.nix b/services/keycloak.nix
index a931e539..2763ca8f 100644
--- a/services/keycloak.nix
+++ b/services/keycloak.nix
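Review bot: The new `systemd` broker user (line +54) gets `readwrite #` — full publish and subscribe on every topic — exactly like `z2m` and `hass`, on top of the `pattern readwrite #` default shown as context at the top of the hunk, so a leaked copy of the password file it points at (owned by `mosquitto`) gives complete control of the broker. A credential for unit scripts presumably only needs to publish into a narrow tree; something like `acl = [ "write systemd/#" ];` bounds the blast radius, and the `pattern readwrite #` default deserves the same scrutiny. The patch does not show what the systemd user is for, so the exact topic filter is a guess. The `users` attrset continues past the hunk.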
@@ -1,7 +1,7 @@
 { config, pkgs, lib, tf, ... }: with lib; let
 id = tf.acme.certs."auth.kittywit.ch".out.resource.getAttr "id";
 in {
- services.keycloak = {
+ services.keycloak = lib.mkIf (tf.state.enable) {
 enable = builtins.getEnv "CI_PLATFORM" == "impure";
 package = (pkgs.keycloak.override {
 jre = pkgs.openjdk11;
@@ -33,12 +33,12 @@ in {
 members = [ "keycloak" "openldap" ];
 };
- systemd.services.keycloak.script = lib.mkBefore ''
+ systemd.services.keycloak.script = lib.mkIf (tf.state.enable) (lib.mkBefore ''
 mkdir -p /run/keycloak
 if [[ ! -e /run/keycloak/${id}.jks ]]; then
 ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore /run/keycloak/${id}.jks -keypass ${id} -storepass ${id} -file ${config.domains.kittywitch-keycloak.cert_path}
 fi
- '';
+ '');
 users.groups.keycloak = { };
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index b0058914..6873b11d 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -71,5 +71,6 @@
 network = "internet";
 type = "cname";
 domain = "vault";
+ zone = "kittywit.ch.";
 };
 }
diff --git a/tf b/tf
index b437fcdf..abf69668 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit b437fcdf335a6ac1fd710603c4f9b9033752922e
+Subproject commit abf696684d586e054efc3de9abb7829b8171e91e
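Review bot: The `if [[ ! -e /run/keycloak/${id}.jks ]]` guard (context in this hunk, now wrapped in `mkIf`) builds the keystore once per boot, so if the ACME certificate is reissued under the same resource `id` keycloak keeps the stale chain until a reboot or manual removal. `/run` is volatile and the import is a single `keytool` call, so it is simpler to rebuild unconditionally — `rm -f /run/keycloak/${id}.jks` followed by the `keytool -import`, with the `if`/`fi` removed. `-keypass ${id} -storepass ${id}` also bakes the store password into a unit script in the world-readable Nix store; that is tolerable only because this store appears to hold a public certificate (`cert_path`) rather than a key, and a comment recording that would stop a later change from putting a private key behind a known password. Whether `id` changes on renewal depends on the terraform acme resource, which is not visible here.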