From d48a9bcc4bc7b6fae848079b1554723cde397382 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 29 Sep 2023 13:27:27 +0200
Subject: [PATCH] feat(linkal): Start setting up DNS-01 verification on *.cal.dgnum.eu
---
 machines/web01/linkal/default.nix | 4 +-
 machines/web01/linkal/module.nix | 59 +++++++++++++-----
 machines/web01/secrets/acme-certs_secret | Bin 0 -> 1518 bytes
 .../web01/secrets/named-bind_dnskeys_conf | Bin 0 -> 1439 bytes
 machines/web01/secrets/secrets.nix | 6 +-
 5 files changed, 49 insertions(+), 20 deletions(-)
 create mode 100644 machines/web01/secrets/acme-certs_secret
 create mode 100644 machines/web01/secrets/named-bind_dnskeys_conf
diff --git a/machines/web01/linkal/default.nix b/machines/web01/linkal/default.nix
index 4e0b99c..e67fb89 100644
--- a/machines/web01/linkal/default.nix
+++ b/machines/web01/linkal/default.nix
@@ -1,11 +1,11 @@
 _: let
- host = "linkal.dgnum.eu";
+ host = "cal.dgnum.eu";
 calendarGroups = {
 luj-current = {
- port = 8443;
+ port = 8444;
 calendars = {
 "https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
 name = "Délégation Générale";
diff --git a/machines/web01/linkal/module.nix b/machines/web01/linkal/module.nix
index a584337..9162607 100644
--- a/machines/web01/linkal/module.nix
+++ b/machines/web01/linkal/module.nix
@@ -47,25 +47,54 @@ in {
 };
 }) cfg.calendarGroups;
+ # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
+ services.bind = {
+ enable = true;
+ ipv4Only = true;
+ extraConfig = ''
+ include "${config.age.secrets."named-bind_dnskeys_conf".path}";
+ '';
+
+ zones = [rec {
+ name = "cal.dgnum.eu";
+ file = "/var/db/bind/${name}";
+ master = true;
+ extraConfig = ''
+ allow-update { key "rfc2136key.cal.dgnum.eu"; };
+ '';
+ }];
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+
+ dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
+
+ # Configure ACME for DNS certificate validation
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ dnsProvider = "rfc2136";
+ credentialsFile = config.age.secrets."acme-certs_secret".path;
+ dnsPropagationCheck = false;
+ };
+ };
+
 services.nginx = {
 enable = true;
- virtualHosts.${cfg.domain} = {
- enableACME = true;
- forceSSL = true;
+ virtualHosts = mapAttrs' (name:
+ { port, ... }:
+ nameValuePair "${name}.${cfg.domain}" {
+ enableACME = true;
+ acmeRoot = null; # Use DNS-01 validation
+ forceSSL = true;
- locations = mapAttrs' (name:
- { port, ... }:
- nameValuePair "^~ /${name}" {
- proxyPass = "http://127.0.0.1:${builtins.toString port}/";
- # extraConfig = ''
- # proxy_set_header X-Real-IP $remote_addr;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # proxy_set_header Host $host;
- # proxy_redirect off;
- # '';
- }) cfg.calendarGroups;
- };
+ locations."/".proxyPass =
+ "http://127.0.0.1:${builtins.toString port}/";
+ }) cfg.calendarGroups;
 };
 };
 }
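Review bot: The zone's `allow-update { key "rfc2136key.cal.dgnum.eu"; };` grants whoever holds that TSIG key (the ACME client, and anything that can read `acme-certs_secret`) the right to rewrite every record in `cal.dgnum.eu`, not just the `_acme-challenge` TXT records DNS-01 needs. Narrow it to what lego's rfc2136 provider actually does (add/remove TXT) with an update policy, e.g. `update-policy { grant rfc2136key.cal.dgnum.eu. zonesub TXT; };` — BIND refuses a zone that has both `allow-update` and `update-policy`, so this replaces the line rather than adding to it. Opening 53/tcp and 53/udp to the world is unavoidable for an authoritative zone, but with the NixOS bind defaults (forwarders taken from `networking.nameservers`, query ACL from `cacheNetworks`) it is worth confirming from an external host that the server refuses recursive queries, or pinning it with `extraOptions = "recursion no;";` if that option is available in the module version in use. The `acmeRoot = null; # Use DNS-01 validation` comment is slightly misleading: it only stops nginx from serving a webroot, while the DNS-01 selection comes from `security.acme.defaults.dnsProvider` above — `# No webroot: DNS-01 is selected via security.acme.defaults.dnsProvider` would say what the line does. The module attrset this hunk edits begins above the hunk (the `in {` in its header) and is closed by the final `}` inside it.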
diff --git a/machines/web01/secrets/acme-certs_secret b/machines/web01/secrets/acme-certs_secret new file mode 100644 index 0000000000000000000000000000000000000000..4e46046164d605269846d0bfc55a7377ae9d2207 GIT binary patch literal 1518 zcmZY9+sovH83yno1=px}po@Z72I|6YXTP0fl1wI)ZJlIhGD#+r)8xn&%;cQOX_A>7 z#)00os^C@x;C2XJ9UVL@D}ABEnmf5DH3_jz8+ zcMsguF4}w>X6dP{@Ou>m9Q?dfmcfDR^idSTJ0Pt}t5Ij6lwFUq5oS@vbP6&1s7zwN z53UxWXc%1&Ppl}?hhURVfcZkADvBnEwYWtKcgM1(3L}j>5|>^Nmk0ATn7NGDL*UV^ z8bdYM!tb~PK9XTj=W4ysD}Jhof?Wy&u`2dXI3wycGovpARXP1$f=XEK~2hB-UTG2+v7jVrfm5v_Z|sACFUI2p8UpsxhZmdOR!ltzi^o4G_r zRKppFJzNjQP&HEkYOhdnuN`y626EKZ(t;5%ZT$WiEvNa~5V!`LhVwa?Pv~1UF_s8i z?8HbZ!n$Hb={REYQC{w2%1?ZW%9j?^LvwC|Vd_Gr9Vr90LnjpMM$rXzmfG{F#}NSu zfs#Y*w>_g)9j3)RLnW)Nf2&q>Q?@5|sz%$6cwBP?Zf9X>U+@dLp@(#o1bez~X|YGf zdOO1Tu?Q%8f@fEnGu&A7n8ZCsP%E^YI_FEuj8Y)e^N#(MZFJF6Aoe1(Z5#cW$8|Nsc9YL*fj#b6bEMEsH#& z2A*BP0b;l=M@R9HiQ5fEL_<(XM(~X1qj*f`qOh^-oy61#D-94?u@Q|g0dwZ>_jL|B zkT!&^NWg21U}h$}TkdE4eyr{&GSho1h{EJd<7=ii7@Bc6dZQv`S8&FF8V^Q@?DZKA zK?IRr1skpz`N&|(`$QD76IvUhnK4%S;7J|Y}Cv+zH zaYo6FFn8;LCVNvb2oiP9@`9j@fMF0qTMUZI4e8=Dli)W#h_Az$H;$!EV3X>^*rirq z=qmry!sB{H9QcK6m2L-%&**0XnM*P$Y@Ah+FoHRcRy=5}_7FrYx%F5>L@ZdMt~Swv zEvI{Y3zri%!EnlA?YLWcxd3GP3T$I62@ZeE!9k~nimAb)CtMD1*y;mQ5_m98%&;8eM{p3?ukG_~LZ=CwoE9q@t z{Qh?G+pEfj(|3GeL_dD?$UC2%d*J0O&z=AE({ExIAGz`T`hi_gx^CWck>vJd2 wH=g<3(XaE!xWc`C^Vt_Zj6eDEiI*iNCJj{Ov{l?@rr(2iU0&ZvX%Q literal 0 HcmV?d00001 
diff --git a/machines/web01/secrets/named-bind_dnskeys_conf b/machines/web01/secrets/named-bind_dnskeys_conf new file mode 100644 index 0000000000000000000000000000000000000000..773ae35bb1528a3b0c16db49b2eb7e4edef3b847 GIT binary patch literal 1439 zcmZY9&Fk9)7zc2{gBT{hfd@|&VW8P>X_|K&Lf+FfNt-lD(@X|wlBP|X=Cw@|PlBKz z;!tF}h{M4=hz8d_ue0sx ztc;*N3>-b$tE$ye7z{8Brh5IMZ7k^C0Jg?mQ>yV~LPP@uV#soJ@ZG7CBZpcRB$c6O z3S-XbO$IC#Ti*~B2_qfPGgEuc&{mc~l$84*#~Lu*l-pFmczW2}tjXem(4wBy$fJCr zwI;lt7ZoT#OTO9yoQ>T1d1+1Mrbo+RVC?`#!5>dkM%7S$%L}m znhB*XyuqR|lQOzli-*o~LifgfpC?m;Bj-xWwquz@aXcw(c#7qcW#jHR*h(`F4)w?f zTF4UVa?F%+EfkbkixK8RaDs)BW-kC@&7b^V=$E7qohg1>j$P)gP;o_ zj-=XosBdVeL>Fr*@(E9E;?-!2bPa&6kvxGxcNwd-hz}~8RQD5(9uHJ?T5b42A0kl$ z7V+_*e{*joxE(=yuf$mzQ=mRR@LSy`1ks2iw<;+gU2*a}4zZ;{Dn<&y4iA9AQmyxd zRaQ_Jh?4AS^*|6lPQXtCf}4OUfCm=s@3AvdqlpNF=a^LGT2X zdK4^ccHSMxbc)FEB96lfj$tz`g@zmTGg*Z8f~v=oFp5b4+?job%mUo^K}-wXSsfKK z85Ic&$FwLn2&&-vSywEF8)dN)9gE3@g9fwp3Pea%n*#217{eQUX)44nohM*5ti>=A zYio${(B5Nrda}!d#ljh*dncwHUT%e&T+()rkg3Oz!PV|kJ*)s(&VoxP)aOXkkp>U%S8sMd?>J&%l zaT>${GO2_}-x~UUizksN1mS46M_GflgEU_;Yaplkh)W*aUA3A?S)h$wZ_NEKCD6Xn zeZ7Z+=(L^gsI2N5Gw*mX;~+M#CEwX4f@OQEWLrB{mbF;|tVMKd1{yQNO5HdRjx?Es zEI|mGk@5?CNz|=13IoU$r~1FU{qF-96mgsqtJszl!qPsE>WnGt$A>{Kp(RbhxT7e+^!pz4PsDUtZ~6tg>&g zFQ5MK#=E~f|?Zk!E8!xhuTq zKl*U*N8Y}C>F95K C$>G=l literal 0 HcmV?d00001 diff --git a/machines/web01/secrets/secrets.nix b/machines/web01/secrets/secrets.nix index 384b505..5ab0979 100644 --- a/machines/web01/secrets/secrets.nix +++ b/machines/web01/secrets/secrets.nix @@ -1,9 +1,9 @@ let lib = import ../../../lib { }; publicKeys = lib.getNodeKeys "web01"; -in - -lib.setDefault { inherit publicKeys; } [ +in lib.setDefault { inherit publicKeys; } [ + "acme-certs_secret" + "named-bind_dnskeys_conf" "plausible_admin-user-password-file" "plausible_secret-key-base-file" "plausible_release-cookie-file"