77 lines
2.4 KiB
Nix
77 lines
2.4 KiB
Nix
{ config, pkgs, ... }:
|
|
let
|
|
update-cert = pkgs.writeScriptBin "update-cert" ''
|
|
cd ${config.users.users."cert-store".home}
|
|
git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
|
|
cd nixos-conf
|
|
|
|
${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
|
|
${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
|
|
|
|
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
|
|
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
|
|
|
|
if ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
|
|
echo "Old and new fullchain are the same, skipping!"
|
|
else
|
|
${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
|
|
fi
|
|
|
|
if ${pkgs.diffutils}/bin/cmp new-key old-key; then
|
|
echo "Old and new key are the same, skipping!"
|
|
else
|
|
${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
|
|
fi
|
|
|
|
git commit -am "Automatically updated wildcard cert"
|
|
git push
|
|
cd ${config.users.users."cert-store".home}
|
|
rm -rf nixos-conf
|
|
'';
|
|
in
|
|
{
|
|
sops = {
|
|
secrets = {
|
|
forgejo-deploy-key = {
|
|
sopsFile = ../secrets/cert-store.yaml;
|
|
path = "${config.users.users."cert-store".home}/.ssh/id_ed25519";
|
|
owner = config.users.users."cert-store".name;
|
|
};
|
|
cert-age-key = {
|
|
sopsFile = ../secrets/cert-store.yaml;
|
|
path = "${config.users.users."cert-store".home}/.config/sops/age/keys.txt";
|
|
owner = config.users.users."cert-store".name;
|
|
};
|
|
};
|
|
};
|
|
|
|
environment.persistence."/persist".directories = [
|
|
{
|
|
directory = "/home/cert-store";
|
|
user = "cert-store";
|
|
group = "users";
|
|
mode = "u=rwx,g=,o=";
|
|
}
|
|
];
|
|
users.users."cert-store" = {
|
|
isNormalUser = true;
|
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
|
|
];
|
|
};
|
|
|
|
services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ";
|
|
|
|
environment.systemPackages = [ update-cert ];
|
|
|
|
programs.git = {
|
|
enable = true;
|
|
config = {
|
|
user = {
|
|
email = "vili.m.sinerva@gmail.com";
|
|
name = "Vili Sinervä";
|
|
};
|
|
};
|
|
};
|
|
}
|