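{ config, pkgs, ... }:
let
  # Receives the wildcard certificate from the OPNsense host over SFTP and
  # commits the new PEM files into the sops-encrypted secrets of the
  # nixos-conf repository.  It is the sshd ForceCommand for the cert-store
  # user (see services.openssh.extraConfig below), so it runs for *every*
  # login of that user: an SFTP session first uploads into ~/-.vsinerva.fi/,
  # and once that session ends the remainder of the script picks the files up.
  #
  # writeShellScriptBin gives the script a proper bash shebang; the previous
  # writeScriptBin version had none and relied on the invoking shell's
  # ENOEXEC fallback.
  update-cert = pkgs.writeShellScriptBin "update-cert" ''
    # Abort on the first failure instead of carrying on in the wrong
    # directory (e.g. running sops/git in $HOME after a failed clone).
    set -euo pipefail

    home=${config.users.users."cert-store".home}

    # The checkout holds decrypted key material (old-key/new-key) while the
    # script runs, so it is removed together with the uploaded PEMs both
    # before starting and on every exit path, not only on success.
    cleanup() {
      cd "$home"
      rm -rf nixos-conf
      rm -rf ./-.vsinerva.fi
    }
    cd "$home"
    cleanup
    trap cleanup EXIT

    # Only the SFTP subsystem is honoured; any other requested command is
    # ignored.  The already-matched path is run directly instead of eval'd.
    if [[ "''${SSH_ORIGINAL_COMMAND:-}" == "${pkgs.openssh}/libexec/sftp-server" ]]; then
      ${pkgs.openssh}/libexec/sftp-server
    fi

    export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
    # Deploy key only; never fall back to agent or default identities.
    export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'

    git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
    cd nixos-conf

    ${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
    ${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml

    # Both files must have been uploaded; with set -e a missing file aborts
    # here instead of later storing an empty value into the secrets file.
    cp "$home"/-.vsinerva.fi/fullchain.pem ./new-fullchain
    cp "$home"/-.vsinerva.fi/key.pem ./new-key

    if ! ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
      ${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
    fi

    if ! ${pkgs.diffutils}/bin/cmp new-key old-key; then
      ${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
    fi

    # Commit and push only when the secrets file actually changed, so an
    # unchanged certificate does not end in a failing "nothing to commit".
    if ! git diff --quiet -- secrets/cert.yaml; then
      git commit -am "Automatically updated wildcard cert"
      git push
    fi
  '';
in
{
  # Secrets the script needs: the Forgejo deploy key used for clone/push and
  # the age key that decrypts/encrypts secrets/cert.yaml.  Both are owned by
  # the cert-store user so the ForceCommand can read them.
  sops = {
    secrets = {
      forgejo-deploy-key = {
        sopsFile = ../secrets/cert-store.yaml;
        owner = config.users.users."cert-store".name;
      };
      cert-age-key = {
        sopsFile = ../secrets/cert-store.yaml;
        owner = config.users.users."cert-store".name;
      };
    };
  };

  # Home directory is created 0700: decrypted key material lives here while
  # update-cert runs.
  systemd.tmpfiles.settings."cert-store-home"."/home/cert-store".d = {
    user = "cert-store";
    group = "users";
    mode = "0700";
  };

  # Every key listed here may trigger update-cert (root's keys plus the
  # OPNsense uploader); the ForceCommand below prevents anything else.
  users.users."cert-store" = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
    ];
  };

  # Pin the Forgejo host key so the non-interactive clone/push inside
  # update-cert cannot be redirected to another host.
  services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";

  environment.systemPackages = [ update-cert ];

  # Identity for the automated commits made by update-cert.
  programs.git = {
    enable = true;
    config = {
      user = {
        email = "vili.m.sinerva@gmail.com";
        name = "Vili Sinervä";
      };
    };
  };

  # Lock the cert-store account down to the update-cert script: no shell,
  # no forwarding, no tunnels.  "Match All" ends the conditional block so
  # later directives apply globally again.
  services.openssh.extraConfig = ''
    Match User cert-store
      AllowAgentForwarding no
      AllowTcpForwarding no
      PermitTTY no
      PermitTunnel no
      X11Forwarding no
      ForceCommand ${update-cert}/bin/update-cert
    Match All
  '';
}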