From 956284a8bf3460cbcbfa1b32b31dab0079d63028 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Mon, 20 Jan 2025 18:28:16 +0200
Subject: [PATCH] Add ACME cert-store
---
 machine-confs/cert-store.nix | 15 +++++++++++++++
 machine-confs/honeypot.nix | 31 -------------------------------
 machine-confs/ntfy.nix | 22 ----------------------
 services/acme-cert-store.nix | 30 ++++++++++++++++++++++++++++++
 4 files changed, 45 insertions(+), 53 deletions(-)
 create mode 100644 machine-confs/cert-store.nix
 delete mode 100644 machine-confs/honeypot.nix
 delete mode 100644 machine-confs/ntfy.nix
 create mode 100644 services/acme-cert-store.nix
diff --git a/machine-confs/cert-store.nix b/machine-confs/cert-store.nix
new file mode 100644
index 0000000..93e3e0c
--- /dev/null
+++ b/machine-confs/cert-store.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+ networking.hostName = "cert-store";
+
+ imports = [
+ ../base.nix
+ ../services/acme-cert-store.nix
+ ];
+
+ #Many installs will need this, and it won't hurt either way
+ services.qemuGuest.enable = true;
+
+ #Prevent user from being locked out of the system before switching to proper config
+ users.mutableUsers = pkgs.lib.mkForce true;
+}
diff --git a/machine-confs/honeypot.nix b/machine-confs/honeypot.nix
deleted file mode 100644
index 822a742..0000000
--- a/machine-confs/honeypot.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ ... }:
-{
- networking.hostName = "honeypot";
-
- imports = [
- ../base.nix
- ];
-
- networking.firewall.allowedTCPPorts = [
- 80
- ];
-
- services = {
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
-
- virtualHosts.localhost = {
- locations."/" = {
- return = "200 'It works'";
- extraConfig = ''
- default_type text/html;
- '';
- };
- };
- };
- };
-
- # HARDWARE SPECIFIC
- services.qemuGuest.enable = true;
-}
diff --git a/machine-confs/ntfy.nix b/machine-confs/ntfy.nix
deleted file mode 100644
index 238f1c0..0000000
--- a/machine-confs/ntfy.nix
+++ /dev/null
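Review bot: `users.mutableUsers = pkgs.lib.mkForce true;` in the new cert-store.nix is a bootstrap-only setting that takes account and password state out of the declarative config on the host that will hold the ACME private key, and the comment above it explains why but not when it is meant to go away; a marker such as `# TODO(bootstrap): drop once the proper config has been switched in` would keep it from quietly surviving into the final configuration. The deleted honeypot.nix and ntfy.nix tagged the qemuGuest line `# HARDWARE SPECIFIC`, while the new file writes `#Many installs will need this, and it won't hurt either way` with no space after `#`; keeping the earlier comment form would make the hardware-specific lines easy to grep across machine configs. Whether `../base.nix` restricts SSH to key-based logins is not visible in this diff, so the effect of forcing mutable users on the new `cert-store` account cannot be judged here.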
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-{
- networking.hostName = "ntfy";
-
- imports = [
- ../base.nix
- ../services/ntfy.nix
- ];
-
- # HARDWARE SPECIFIC
- services.qemuGuest.enable = true;
-
- # Make sure this service updates later than the rest, to capture any notifs from the others
- system.autoUpgrade = {
- dates = pkgs.lib.mkForce "05:00";
- rebootWindow = pkgs.lib.mkForce {
- lower = "04:30";
- upper = "06:00";
- };
- };
-
-}
diff --git a/services/acme-cert-store.nix b/services/acme-cert-store.nix
new file mode 100644
index 0000000..66ca6f8
--- /dev/null
+++ b/services/acme-cert-store.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+ users.users."cert-store" = {
+ isNormalUser = true;
+ description = "Read-only access to certs";
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+ ];
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs."vsinerva.fi".extraDomainNames = [ "*.vsinerva.fi" ];
+ defaults = {
+ email = "vili.m.sinerva@gmail.com";
+ environmentFile = "/var/lib/acme/dns-creds";
+ dnsProvider = "ovh";
+ extraLegoFlags = [
+ "--dns.propagation-wait"
+ "60s"
+ ];
+ postRun = ''
+ mkdir -p ${config.users.users."cert-store".home}/acme
+ cp fullchain.pem ${config.users.users."cert-store".home}/acme/
+ cp key.pem ${config.users.users."cert-store".home}/acme/
+ chown -R cert-store:cert-store ${config.users.users."cert-store".home}/acme/
+ chmod ugoa=r ${config.users.users."cert-store".home}/acme/*.pem
+ '';
+ };
+ };
+}
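Review bot: The last line of `postRun`, `chmod ugoa=r .../acme/*.pem`, makes the copied private key `key.pem` readable by every local account on the host, which defeats the point of a dedicated `cert-store` owner for it; the certificate chain can stay world-readable but the key should be owner-only, e.g. replace that line with `chmod 0444 ${config.users.users."cert-store".home}/acme/fullchain.pem` and `chmod 0400 ${config.users.users."cert-store".home}/acme/key.pem`, and create the directory closed with `mkdir -p -m 0750 ${config.users.users."cert-store".home}/acme`. The `cert-store` account is declared with `isNormalUser = true` and therefore gets a login shell although its description is "Read-only access to certs"; an sshd `Match User cert-store` block forcing `internal-sftp`, or a `restrict,command=...` prefix on its authorized keys, would limit a holder of those keys to fetching the two files. `config.users.users.root.openssh.authorizedKeys.keys ++ [ ]` appends an empty list and reads as a placeholder, so either drop the `++ [ ]` or put the intended key there. The permissions of `/var/lib/acme/dns-creds` are not visible in this diff; the OVH API credentials it holds should not be readable by the `cert-store` user, which presumably base.nix or the ACME module arranges — worth confirming.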