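{ config, pkgs, ... }:
let
  certUser = config.users.users."cert-store";
  certHome = certUser.home;
  # Directory the sftp client uploads into; the name starts with a dash, so
  # every shell path below carries an explicit ./ or $home/ prefix.
  uploadDir = "-.vsinerva.fi";
  # The only remote command the cert-store user is allowed to run.
  sftpServer = "${pkgs.openssh}/libexec/sftp-server";

  # ForceCommand for the cert-store user. If the client asked for the
  # allowlisted sftp-server it is run first (the upload); afterwards the
  # uploaded wildcard certificate is compared with the one stored in
  # secrets/cert.yaml of the nixos-conf repository and, if it changed,
  # re-encrypted with sops, committed and pushed.
  #
  # writeShellScriptBin supplies a bash shebang; writeScriptBin does not,
  # and the [[ ]] tests below are bash-only.
  update-cert = pkgs.writeShellScriptBin "update-cert" ''
    home=${certHome}
    upload="$home/${uploadDir}"
    cd "$home"
    rm -rf nixos-conf "./${uploadDir}"

    # Exact match against the allowlisted path; no other command is ever
    # executed for this user. Not yet under set -e: SSH_ORIGINAL_COMMAND is
    # unset for a plain ssh session.
    if [[ "$SSH_ORIGINAL_COMMAND" == ${sftpServer} ]]; then
      ${sftpServer}
    fi

    set -euo pipefail
    # Decrypted key material and the clone must not outlive this session,
    # however it ends.
    trap 'cd "$home" && rm -rf nixos-conf "./${uploadDir}"' EXIT

    if [[ ! -f "$upload/fullchain.pem" || ! -f "$upload/key.pem" ]]; then
      echo "update-cert: no uploaded certificate found, nothing to do" >&2
      exit 0
    fi

    export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
    export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
    git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
    cd nixos-conf

    sops=${pkgs.sops}/bin/sops
    "$sops" -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
    "$sops" -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
    cp "$upload/fullchain.pem" ./new-fullchain
    cp "$upload/key.pem" ./new-key

    # jq -sR turns the PEM file into a single JSON string for sops --set.
    if ! ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
      "$sops" --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
    fi
    if ! ${pkgs.diffutils}/bin/cmp new-key old-key; then
      "$sops" --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
    fi

    # Commit only when sops rewrote the file; a commit on a clean tree
    # fails and would abort the script under set -e.
    if ! git diff --quiet -- secrets/cert.yaml; then
      git commit -am "Automatically updated wildcard cert"
      git push
    fi
  '';
in {
  sops.secrets = {
    # Deploy key for pushing to forgejo and age key for re-encrypting
    # secrets/cert.yaml; both readable only by the cert-store user.
    forgejo-deploy-key = {
      sopsFile = ../secrets/cert-store.yaml;
      owner = certUser.name;
    };
    cert-age-key = {
      sopsFile = ../secrets/cert-store.yaml;
      owner = certUser.name;
    };
  };

  # Home directory is private: it transiently holds the uploaded private
  # key and the decrypted copy of the previous one.
  systemd.tmpfiles.settings."cert-store-home".${certHome}.d = {
    user = "cert-store";
    group = "users";
    mode = "0700";
  };

  users.users."cert-store" = {
    isNormalUser = true;
    openssh.authorizedKeys.keys =
      config.users.users.root.openssh.authorizedKeys.keys
      ++ [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
      ];
  };

  # Pin the host key of the push target so GIT_SSH_COMMAND never prompts
  # or trusts an unknown host.
  services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";

  environment.systemPackages = [ update-cert ];

  programs.git = {
    enable = true;
    config.user = {
      email = "vili.m.sinerva@gmail.com";
      name = "Vili Sinervä";
    };
  };

  # Every session of cert-store is forced through update-cert with all
  # forwarding, tunnels and TTY allocation disabled; "Match All" ends the
  # conditional block so later directives apply globally again.
  services.openssh.extraConfig = ''
    Match User cert-store
      AllowAgentForwarding no
      AllowTcpForwarding no
      PermitTTY no
      PermitTunnel no
      X11Forwarding no
      ForceCommand ${update-cert}/bin/update-cert
    Match All
  '';
}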