feat(linkal): Start setting up DNS-01 verification on *.cal.dgnum.eu

2023-09-29 13:27:27 +02:00 · 2023-09-29 13:27:27 +02:00 · d48a9bcc4b
commit d48a9bcc4b
parent 10f16665b2
5 changed files with 49 additions and 20 deletions
--- a/machines/web01/linkal/default.nix
+++ b/machines/web01/linkal/default.nix
@ -1,11 +1,11 @@
 _:

 let
-  host = "linkal.dgnum.eu";
+  host = "cal.dgnum.eu";

  calendarGroups = {
    luj-current = {
-      port = 8443;
+      port = 8444;
      calendars = {
        "https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
          name = "Délégation Générale";
--- a/machines/web01/linkal/module.nix
+++ b/machines/web01/linkal/module.nix
@ -47,25 +47,54 @@ in {
        };
      }) cfg.calendarGroups;

+    # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
+    services.bind = {
+      enable = true;
+      ipv4Only = true;
+      extraConfig = ''
+        include "${config.age.secrets."named-bind_dnskeys_conf".path}";
+      '';
+
+      zones = [rec {
+        name = "cal.dgnum.eu";
+        file = "/var/db/bind/${name}";
+        master = true;
+        extraConfig = ''
+          allow-update { key "rfc2136key.cal.dgnum.eu"; };
+        '';
+      }];
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 ];
+    };
+
+    dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
+
+    # Configure ACME for DNS certificate validation
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        dnsProvider = "rfc2136";
+        credentialsFile = config.age.secrets."acme-certs_secret".path;
+        dnsPropagationCheck = false;
+      };
+    };
+
    services.nginx = {
      enable = true;

-      virtualHosts.${cfg.domain} = {
-        enableACME = true;
-        forceSSL = true;
+      virtualHosts = mapAttrs' (name:
+        { port, ... }:
+        nameValuePair "${name}.${cfg.domain}" {
+          enableACME = true;
+          acmeRoot = null; # Use DNS-01 validation
+          forceSSL = true;

-        locations = mapAttrs' (name:
-          { port, ... }:
-          nameValuePair "^~ /${name}" {
-            proxyPass = "http://127.0.0.1:${builtins.toString port}/";
-            # extraConfig = ''
-            #   proxy_set_header    X-Real-IP  $remote_addr;
-            #   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-            #   proxy_set_header    Host $host;
-            #   proxy_redirect      off;
-            # '';
-          }) cfg.calendarGroups;
-      };
+          locations."/".proxyPass =
+            "http://127.0.0.1:${builtins.toString port}/";
+        }) cfg.calendarGroups;
    };
  };
 }
--- a/machines/web01/secrets/acme-certs_secret
+++ b/machines/web01/secrets/acme-certs_secret
--- a/machines/web01/secrets/named-bind_dnskeys_conf
+++ b/machines/web01/secrets/named-bind_dnskeys_conf
--- a/machines/web01/secrets/secrets.nix
+++ b/machines/web01/secrets/secrets.nix
@ -1,9 +1,9 @@
 let
  lib = import ../../../lib { };
  publicKeys = lib.getNodeKeys "web01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+in lib.setDefault { inherit publicKeys; } [
+  "acme-certs_secret"
+  "named-bind_dnskeys_conf"
  "plausible_admin-user-password-file"
  "plausible_secret-key-base-file"
  "plausible_release-cookie-file"