Make cert-store update cert in version control

2025-06-23 01:02:57 +03:00 · 2025-06-23 01:02:57 +03:00 · 631c12d2ef
commit 631c12d2ef
parent 6e1fb93c42
4 changed files with 128 additions and 32 deletions
--- a/servers/acme-cert-store.nix
+++ b/servers/acme-cert-store.nix
@ -1,16 +1,69 @@
-{ config, ... }:
+{ config, pkgs, ... }:
+let
+  update-cert = pkgs.writeScriptBin "update-cert" ''
+    cd ${config.users.users."cert-store".home}
+    git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
+    cd nixos-conf
+
+    ${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
+    ${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
+
+    cp ${config.users.users."cert-store".home}/acme/-.vsinerva.fi/fullchain.pem ./new-fullchain
+    cp ${config.users.users."cert-store".home}/acme/-.vsinerva.fi/key.pem ./new-key
+
+    if ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
+      echo "Old and new fullchain are the same, skipping!"
+    else
+      ${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
+    fi
+
+    if ${pkgs.diffutils}/bin/cmp new-key old-key; then
+      echo "Old and new key are the same, skipping!"
+    else
+      ${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
+    fi
+
+    git commit -am "Automatically updated wildcard cert"
+    git push
+    cd ${config.users.users."cert-store".home}
+    rm -rf nixos-conf
+  '';
+in
 {
+  sops = {
+    secrets = {
+      forgejo-deploy-key = {
+        sopsFile = ../secrets/cert-store.yaml;
+        path = "${config.users.users."cert-store".home}/.ssh/id_ed25519";
+        owner = config.users.users."cert-store".name;
+      };
+      cert-age-key = {
+        sopsFile = ../secrets/cert-store.yaml;
+        path = "${config.users.users."cert-store".home}/.config/sops/age/keys.txt";
+        owner = config.users.users."cert-store".name;
+      };
+    };
+  };
+
  users.users."cert-store" = {
    isNormalUser = true;
-    description = "Read-only access to certs";
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCEnSRQyUVUOwzIbThHC2cdk+zDabHUNkgPLgnjwqme idacloud"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgIXTr7HxC13UNZP0UCALBRJuiDh4U0Nnd4GPIE4RQR vaultwarden"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
    ];
  };

-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
-  ];
+  services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ";
+
+  environment.systemPackages = [ update-cert ];
+
+  programs.git = {
+    enable = true;
+    config = {
+      user = {
+        email = "vili.m.sinerva@gmail.com";
+        name = "Vili Sinervä";
+      };
+    };
+  };
 }