From 9008f6fdb92cb73d4c7c0da79df3e78c49d05fde Mon Sep 17 00:00:00 2001
From: javalsai <jvssxxi@gmail.com>
Date: Sun, 3 May 2026 23:12:06 +0200
Subject: [PATCH] nixos/security: add acme through dns challenge

few side refactors of this:
- no more `dns.domain`, it all must rely on `fqdn`, prevents
  inconsistencies.
- also added an specific host `tuxcord-acmetest` that uses the key zone
  for `nix.tuxcord.net` to test certificate pulling.
---
 .../nix.tuxcord.net/nix.tuxcord.net.key.age   | Bin 0 -> 1901 bytes
 agenix/secrets.nix                            |   2 +
 nixos/common.nix                              |   2 +
 nixos/default.nix                             |   1 +
 nixos/hosts/tuxcord-acmetest/default.nix      |  11 +++
 nixos/hosts/tuxcord-ca/default.nix            |   5 +
 nixos/hosts/tuxcord-test/default.nix          |   1 +
 nixos/modules/acme.nix                        |  89 ++++++++++++++++++
 nixos/modules/default.nix                     |   1 +
 nixos/modules/dns.nix                         |  26 +++--
 nixos/modules/gitea.nix                       |   9 +-
 nixos/modules/nginx.nix                       |   6 +-
 12 files changed, 140 insertions(+), 13 deletions(-)
 create mode 100644 agenix/dns/nix.tuxcord.net/nix.tuxcord.net.key.age
 create mode 100644 nixos/hosts/tuxcord-acmetest/default.nix
 create mode 100644 nixos/modules/acme.nix

diff --git a/agenix/dns/nix.tuxcord.net/nix.tuxcord.net.key.age b/agenix/dns/nix.tuxcord.net/nix.tuxcord.net.key.age
new file mode 100644
index 0000000000000000000000000000000000000000..13bdb91341d89b4c80d6d1efc830f7b1c4508f52
GIT binary patch
literal 1901
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+&oN4Kaa4#Za4yUZ
zs`B)64oS>N&h|@+N-nmHjPNq6EDcM|GA%JrE;I=W3i9`_aO4W{HZ0D{O!dmkGz$vI
z_6;^oEON_tiSRTsO)jf6F9|C1cFr#>baG1fEJnAj%Fo#%*ij)c($GBFxiqgL(<jFx
zA~ej@E5#t9GB3g_%dN;Q&7(NDIKsdy%fKrsB%8}I)2O7x*{Cqe)y2rS+^5XQL%+f`
z+_c2RF*3uyG$+8_-{09ND9y6a#}VB&*Gxx8?{WompMqd>H~lJ?vcR<B3X?$hup%$N
zO1Ds_K*MA&Q)jne0}t=8oRHiymwYbYfQZr{w|qn2jEJHnM>E61^02~iqe?%Yh=8m-
zqYO*$(rowe>|77es%)5TMa78<scxCtQRQ6zrpDnB<{?gQUTFmdK@o;UzBxtCPR7X<
ze(s)?7M10t0g0BTA?9HLMk%3=rD-nSE|ukh-kGHysTKh_mPtiit_3Cqz5xZfDOqOD
z#U6>4=^2Ja+L3{&StdS)c^1Z@C4p`(+M$+#5gwJr*_CA_KKW6JiH;U2MJcYHAw>}`
zT#oqx=Dx`}uH|9+Nr8F6g`vhy<`sUCffj{P7A8gRRi=>z-ma!jp`MB1q3!{ZkrhR5
zxnY6DRXGO9<}NNKMqCzoMup+!9z_|RVIe8u8E#H)<$<B$>1IBWW<_bqfl0Zc`j$cZ
zUg_GUZk5`Vc|k#y&iWM*WhPFZeqO#sNd{aI$;Jj2ML}7{NkvZP`9)#I1r|<bA(a6k
zg&Bn&-rniieg;8>CTZc}&f&i0dATL|>B)XsCC+B%VSW*L1^KRArN%Cnk;Q&~?jcDz
z&LysHK`s^*sou_^Mdc~}E(YeQmf5)#rUB-`uD*fUd0rtF{=T_B>G`E;mFd|<M%r%a
zT*irxl^KyaM*ao{0fr$S#<@nB9)+nsS>~2L>A{(yewE37o@oIEnZ{Y60ioH&riEE)
z1(g|=`sR*)*`DFWfm}(>zFx^ymVOo9`lk6|A=%nhxvsvYIfmx$=E;#I#{S8LVdZ`<
z;ThW5ZdpzNDQV^@W|@XTL77g*k-pj5`4wESqyfuhf%#?mK7k6J`USzJPKEi}Cixkr
z$<F#A{sopsxoQ6C&cUt*&OSjNexd2cx&A&C?x9@Hd5Kv*MWqow=7j}@#Ytfi=4K%U
z`RRV)7Lg`}frbSxQRU%=nWkO_`pGccKnc;`E!)*Ioy)r@vBEd7)F?m7FT64+-^C*^
zHQ6||!YwE*GO;u{q|n*l$=I;Ut;{3PFC*ARU)w****w_IDLc>K(#0^_FqA9YH>JQJ
zI5@>5u*fI7$S=bsqpUQ^y{e+rF~lO#*e%Vd%)mL^xZE)*BO}jLKhHO`+%+;X%hfL`
z$J?m9%*l_dq};zCE7;Z8vCzWOrPQg|*vKQ?yP(+7zbLghH^3;gBE-|*HQYESKfokB
zKTkg>JiN%<FEu=~%&;oE!YS2{%Pg?a(jwQzKdhqA%*8J;*UUUGJ=8NG(a9pW#3;}*
zw=kp1JIA*?EF-e2%(o=jBfH!w+|Q&aC*3I7F{?1epUWV}vM9UI$jK|h*gMND$1<-t
z$JyLGz}F(kB{<T|w<xc)Fv2<C%iAo%!at(C(!IbSs64QuDm&jOC^XnDAe<{KHN??7
zG9=l@$<N6`TieUr!>dfY&|BLqCp5dnwJ0dJJTKBHSKrme+czoLqaZlXu*B5BsL<R!
z$luM$&t0F(EW)X@G$q8**&^51Co;+3#MsX$r!>l<upl|t$Tid}E6*)FD^fef-Q3VL
zzbe}>)XCi0DWJgJ$k#E|H`C0ID?KvYATza~Jlt42%{Zh;KRmnGys9jy(8H|UAgMSp
z#Mw6~%hNzVs>(1jIXOQ)JjdO|Cp#nDAgatG+c(!Bge%`YCEqMCFxfmMD$&`o%+Js*
z+@vJi-QPL1%3VKAJKHG8G|;O|JI&p+*eNJHFg(fAGR!wBC?dl&w4$^m)tt*aJ<Zv`
z*wfp|xuV=H!m}zXr#QseJk&VY!_>k#JUuPfB+|mtG|DqS%1t{b-M2g<)ipUSu)HuU
z)zs3fs-%D`HMuG|#5gNBC9^y?)ubvnCs*6jv&<>4s5H>D!Xv~fv@|Lz#H+kezc`so
zS65e|Aj!GH)z2_FD$3bNySUOMHOHjHBhp+uIWslT%%C#J(J3S(Frcc?Js^;4b;i;S
z-8L_Dy6w$dFGoI^7N5^yGE1a*|6hjmP``zZOfJ6+U1cmMTZG3NC3PHFyJ)v<^X0pa
z4}yDF{C}#Zy}`z5iq(5-N8`68`G*>%y(2H*Keb2iq~!eN#X5guB;@+iEHl<mm)f!E
rQT_6V_wKA^ZqeJ;_oz3`RCkubx+y8CvEChbUq{Ey_?g~Qc7GlK5ypU}

literal 0
HcmV?d00001

diff --git a/agenix/secrets.nix b/agenix/secrets.nix
index 3101494..eafb482 100644
--- a/agenix/secrets.nix
+++ b/agenix/secrets.nix
@@ -12,4 +12,6 @@ in
 
   "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
   "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
diff --git a/nixos/common.nix b/nixos/common.nix
index a6a0487..5291f89 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -28,6 +28,8 @@ in
     ./vm.nix
   ];
 
+  age.secrets.ntfy.file = "${self}/agenix/ntfy.age";
+
   nix = {
     package = inputs'.nix-super.packages.default;
 
diff --git a/nixos/default.nix b/nixos/default.nix
index ed32421..e2448ee 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -33,5 +33,6 @@ in
     tuxcord-ca = mkSystem "tuxcord-ca" "x86_64-linux";
 
     tuxcord-test = mkSystem "tuxcord-test" "x86_64-linux";
+    tuxcord-acmetest = mkSystem "tuxcord-acmetest" "x86_64-linux";
   };
 }
diff --git a/nixos/hosts/tuxcord-acmetest/default.nix b/nixos/hosts/tuxcord-acmetest/default.nix
new file mode 100644
index 0000000..11d4f90
--- /dev/null
+++ b/nixos/hosts/tuxcord-acmetest/default.nix
@@ -0,0 +1,11 @@
+{
+  acme = {
+    enable = true;
+    rfc2136.nameserver = "tuxcord.net";
+  };
+
+  dns.enable = true;
+  networking.fqdn = "nix.tuxcord.net";
+
+  time.timeZone = "Europe/Madrid";
+}
diff --git a/nixos/hosts/tuxcord-ca/default.nix b/nixos/hosts/tuxcord-ca/default.nix
index a3eeb69..a25a2db 100644
--- a/nixos/hosts/tuxcord-ca/default.nix
+++ b/nixos/hosts/tuxcord-ca/default.nix
@@ -4,6 +4,11 @@
     ./storage.nix
   ];
 
+  acme = {
+    enable = true;
+    useSelfDns = true;
+  };
+
   dns.enable = true;
   networking.fqdn = "tuxcord.net";
   time.timeZone = "Canada/Eastern";
diff --git a/nixos/hosts/tuxcord-test/default.nix b/nixos/hosts/tuxcord-test/default.nix
index ad811a1..41b1be4 100644
--- a/nixos/hosts/tuxcord-test/default.nix
+++ b/nixos/hosts/tuxcord-test/default.nix
@@ -1,4 +1,5 @@
 {
+  acme.enable = false;
   dns.enable = true;
   networking.fqdn = "tuxcord.test";
 }
diff --git a/nixos/modules/acme.nix b/nixos/modules/acme.nix
new file mode 100644
index 0000000..20c2b05
--- /dev/null
+++ b/nixos/modules/acme.nix
@@ -0,0 +1,89 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.acme;
+
+  inherit (lib)
+    mkIf
+    mkEnableOption
+    mkOption
+    types
+    ;
+
+  inherit (config.networking) fqdn;
+in
+{
+  # we'll only support rfc2136 based challenges
+  options.acme = {
+    enable = mkEnableOption "" // {
+      default = true;
+    };
+
+    useSelfDns = mkOption {
+      default = false;
+      description = "Sets values of the self DNS if enabled, otherwise requires manual `rfc2136` nameserver and key values.";
+    };
+
+    rfc2136 = {
+      key = mkOption {
+        type = types.path;
+        default = config.age.secrets."dns/${fqdn}.key.age".path;
+      };
+
+      nameserver = mkOption {
+        type = types.str;
+        default = if cfg.useSelfDns then fqdn else null;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = with cfg.rfc2136; nameserver != null && key != null;
+        message = "ACME needs rfc2136 parameters to work, consider using `useSelfDns` option.";
+      }
+    ];
+
+    environment.persistence."/persist".directories = [
+      {
+        directory = "/var/lib/acme";
+        group = "acme";
+        user = "acme";
+      }
+    ];
+
+    security.acme = {
+      acceptTerms = true;
+
+      defaults = {
+        email = "error@tuxcord.net";
+        reloadServices = [ "nginx" ];
+        postRun = ''
+          source ${config.age.secrets.ntfy.path}
+          ${pkgs.ntfy-sh}/bin/ntfy publish -T recycle -t "${config.host.name}" "HTTPS certificate has been renewed"
+        '';
+      };
+
+      certs."${fqdn}" = {
+        dnsProvider = "rfc2136";
+        environmentFile =
+          with cfg.rfc2136;
+          builtins.toFile "dns-01-challenge.cfg" ''
+            RFC2136_NAMESERVER=${nameserver}
+            RFC2136_TSIG_FILE="${key}"
+          '';
+        extraDomainNames = [
+          "*.${fqdn}"
+          "${fqdn}"
+        ];
+
+        inherit (config.services.nginx) group;
+      };
+    };
+  };
+}
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 01c80d9..2593ae5 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -1,5 +1,6 @@
 {
   imports = [
+    ./acme.nix
     ./dns.nix
     ./fail2ban.nix
     ./gitea.nix
diff --git a/nixos/modules/dns.nix b/nixos/modules/dns.nix
index ffed8c7..8ed8c63 100644
--- a/nixos/modules/dns.nix
+++ b/nixos/modules/dns.nix
@@ -1,6 +1,16 @@
 { config, lib, ... }:
 let
-  agenixDnsDir = ../../agenix/dns + "/${config.dns.domain}";
+  cfg = config.dns;
+
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    strings
+    ;
+
+  inherit (config.networking) fqdn;
+
+  agenixDnsDir = "${self}/agenix/dns/${fqdn}";
   agenixKeys = builtins.attrNames (builtins.readDir agenixDnsDir);
 
   keys = map (
@@ -18,7 +28,7 @@ let
     {
       name = zoneDomain;
       path = config.age.secrets."dns/${filename}".path;
-      type = if zoneDomain == config.dns.domain then zonesub else subdomain;
+      type = if zoneDomain == fqdn then zonesub else subdomain;
     }
   ) agenixKeys;
 
@@ -34,11 +44,6 @@ in
     enable = mkEnableOption "" // {
       default = true;
     };
-
-    domain = mkOption {
-      type = with lib.types; str;
-      default = config.networking.fqdn;
-    };
   };
 
   config = mkIf cfg.enable {
@@ -53,7 +58,8 @@ in
           value = {
             file = path;
             group = "named";
-            owner = "named";
+            owner = if config.acme.enable then "acme" else "named";
+            mode = "440";
           };
         }
       ) agenixKeys
@@ -65,7 +71,7 @@ in
       extraConfig = builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys);
 
       zones = {
-        "${config.dns.domain}" = {
+        "${fqdn}" = {
           # grant "tuxcord.net" zonesub ANY;
           extraConfig = ''
             update-policy {
@@ -74,7 +80,7 @@ in
               )}
             };
           '';
-          file = "/var/dns/${config.dns.domain}.zone"; # need to put default stuff
+          file = "/var/dns/${fqdn}.zone"; # need to put default stuff
           master = true;
         };
       };
diff --git a/nixos/modules/gitea.nix b/nixos/modules/gitea.nix
index 7d33da8..e1b0452 100644
--- a/nixos/modules/gitea.nix
+++ b/nixos/modules/gitea.nix
@@ -1,4 +1,9 @@
 { config, lib, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  acmeEnabled = config.acme.enable;
+in
 {
   services.gitea = {
     enable = true;
@@ -8,8 +13,8 @@
 
     lfs.enable = true;
 
-    settings.server.DOMAIN = config.networking.fqdn;
-    # settings.server.ROOT_URL = "https://git.tuxcord.net/"; ? would also depend on ssl status
+    settings.server.DOMAIN = fqdn;
+    settings.server.ROOT_URL = "${if isHTTPS then "https" else "http"}://${fqdn}/";
     settings.server.HTTP_PORT = 3000;
 
     settings.service.DISABLE_REGISTRATION = true;
diff --git a/nixos/modules/nginx.nix b/nixos/modules/nginx.nix
index c9cbfec..3883f31 100644
--- a/nixos/modules/nginx.nix
+++ b/nixos/modules/nginx.nix
@@ -4,8 +4,12 @@ let
 
   mkVhost =
     attrs:
+    let
+      acmeEnabled = config.acme.enable;
+    in
     {
-      forceSSL = false; # TODO: tweak per host
+      forceSSL = acmeEnabled;
+      useACMEHost = if acmeEnabled then fqdn else null;
     }
     // attrs;