From b9a0c8e52d101fba3e8c918fb00d6b73cc7a44c6 Mon Sep 17 00:00:00 2001
From: Thomas Boerger
Date: Tue, 22 Mar 2022 08:55:51 +0100
Subject: [PATCH] module: add acme
---
 machines/modules/acme.nix | 46 +++++++++++++++++++++++++++++++++++
 machines/modules/default.nix | 5 ++++
 machines/utgard/default.nix | 8 ++++++
 secrets/acme.age | Bin 0 -> 467 bytes
 secrets/secrets.nix | 7 ++++++
 5 files changed, 66 insertions(+)
 create mode 100644 machines/modules/acme.nix
 create mode 100644 secrets/acme.age
 create mode 100644 secrets/secrets.nix
diff --git a/machines/modules/acme.nix b/machines/modules/acme.nix
new file mode 100644
index 0000000..6d38163
--- /dev/null
+++ b/machines/modules/acme.nix
@@ -0,0 +1,46 @@
+{ pkgs, lib, config, options, ... }:
+
+let
+ cfg = config.my.modules.acme;
+
+in
+
+{
+ options = with lib; {
+ my = {
+ modules = {
+ acme = {
+ enable = mkEnableOption ''
+ Whether to enable acme module
+ '';
+ };
+ };
+ };
+ };
+
+ config = with lib;
+ mkIf cfg.enable {
+ security = {
+ acme = {
+ acceptTerms = true;
+
+ defaults = {
+ email = "hostmaster@boerger.ws";
+ };
+
+ certs = {
+ "home.boerger.ws" = {
+ domain = "*.home.boerger.ws";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.acme.path;
+ };
+ };
+ };
+ };
+
+ age.secrets.acme = {
+ file = ../../secrets/acme.age;
+ owner = "acme";
+ };
+ };
+}
diff --git a/machines/modules/default.nix b/machines/modules/default.nix
index 42ca0df..9098d6e 100644
--- a/machines/modules/default.nix
+++ b/machines/modules/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./settings.nix
+ ./acme.nix
 ./boot.nix
 ./haveged.nix
 ./network.nix
@@ -16,6 +17,10 @@
 my = {
 modules = {
+ acme = {
+ enable = lib.mkDefault false;
+ };
+
 boot = {
 enable = lib.mkDefault true;
 };
diff --git a/machines/utgard/default.nix b/machines/utgard/default.nix
index c3b8849..de3e2ac 100644
--- a/machines/utgard/default.nix
+++ b/machines/utgard/default.nix
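Review bot: `mkEnableOption` already prefixes its argument with "Whether to enable", so the description produced by `enable = mkEnableOption '' Whether to enable acme module '';` in acme.nix reads "Whether to enable Whether to enable acme module"; pass only the thing being enabled, `enable = mkEnableOption "the acme module";`. Separately, the `"home.boerger.ws"` cert requests only `*.home.boerger.ws`, and a wildcard does not cover the bare apex name, so if `home.boerger.ws` itself is served add `extraDomainNames = [ "home.boerger.ws" ];` to that entry. The Cloudflare credential read from `config.age.secrets.acme.path` is handed to lego's environment for the DNS-01 challenge, so it should be a DNS-edit token scoped to that one zone (lego reads `CLOUDFLARE_DNS_API_TOKEN`) rather than a global API key, which limits what is exposed if the `acme` user or that file is ever compromised. The module also takes `pkgs` and `options` without using them; dropping them keeps the argument list honest.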
@@ -10,6 +10,14 @@
 ./networking.nix
 ];
+ my = {
+ modules = {
+ acme = {
+ enable = true;
+ };
+ };
+ };
+
 system = {
 stateVersion = "21.11";
 };
diff --git a/secrets/acme.age b/secrets/acme.age
new file mode 100644
index 0000000000000000000000000000000000000000..8e2039cedcc523f1352cb18dd98a3cb1e24b2c90
GIT binary patch literal 467 zcmV;^0WAJuXJsvAZewzJaCB*JZZ2D?F;I6iRBSY7XJ2YacFd7Z#j2YZck%rM|E^rZZ>pnWI+loJ|KNZW<6b7d@W~kWnpt= zAU}L>H(4MvXfa_qT1GcA zP&8&&Q+jP|NP1&Ua!YS{Oi3_OIAk(TXl^r7K|^a|XnJ8-Q#WS{EiEk|HZ@p9GFe4I zT4_u}VnsAeQdKKaY)^DAg3U(>CMP5Tf+y|JVtoer1o5df+07BujFI5ixaK%2>wAF$vU%h2nTeD!E4F^YbuHf;e zwK<{&R#P0{IOjdED!Ge?sL*AV{dk4fN&5wOA0@^#@W>dve8RnQUl?X1>6j@yQTiBq J60}kqCSk9hs$2j7 literal 0 HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..c0ece88
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ thomas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaQYR0/Oj6k1H03kshz2J7rlGCaDSuaGPhhOs9FcZfn";
+ users = [ thomas ];
+in
+{
+ "acme.age".publicKeys = users;
+}
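Review bot: `"acme.age".publicKeys = users;` in secrets.nix encrypts the secret only to the `thomas` user key, yet the host that enables the module is utgard (machines/utgard/default.nix in this patch), and agenix decrypts at activation with the host's own identity — by default its SSH host keys via `age.identityPaths` — so utgard cannot open `acme.age` unless its host public key is also a recipient or `age.identityPaths` points at a key it holds. Add the host key as its own binding, e.g. `utgard = "ssh-ed25519 <UTGARD-HOST-PUBLIC-KEY>";` and `"acme.age".publicKeys = users ++ [ utgard ];`, then re-encrypt the file so the new recipient is included. Keeping user keys and host keys in separate lists also makes it easy to see later which machines can read which secret.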