commit d82bd5af69b1f383a60f2abbefabb5f485e11441
parent 2b907ec1a3101b97c833862e498bf9bdf09fac65
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 13 Jun 2025 22:00:58 +0200
parent 2b907ec1a3101b97c833862e498bf9bdf09fac65
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 13 Jun 2025 22:00:58 +0200
config/nixos/modules/websites: add `zaphyra.dn42`
3 files changed, 113 insertions(+), 26 deletions(-)
M
|
83
++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------
A
|
55
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/presets/zaphyra/enable.nix b/config/nixos/modules/presets/zaphyra/enable.nix 
@@ -62,34 +62,65 @@ in
 };
 modules.filesystem.impermanence.system.dirs = [ "/var/lib/acme" ];
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "letsencrypt@zaphyra.eu";
- keyType = "ec384";
- dnsProvider = "rfc2136";
- environmentFile = pkgs.writeText "acme-dns-env" ''
- RFC2136_NAMESERVER=morio.infra.zaphyra.eu
- RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
- RFC2136_TSIG_ALGORITHM=hmac-sha384
- '';
- credentialFiles = {
- RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path;
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "letsencrypt@zaphyra.eu";
+ keyType = "ec384";
+ dnsProvider = "rfc2136";
+ environmentFile = pkgs.writeText "acme-dns-env" ''
+ RFC2136_NAMESERVER=morio.infra.zaphyra.eu
+ RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
+ RFC2136_TSIG_ALGORITHM=hmac-sha384
+ '';
+ credentialFiles = {
+ RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path;
+ };
+ };
+ certs."${config.networking.fqdn}" = {
+ group = lib.mkIf config.services.nginx.enable "nginx";
+ extraDomainNames = (
+ config.services.nginx.virtualHosts
+ |> lib.mapAttrsToList (
+ key: config: [
+ (if config ? serverAliases then config.serverAliases else [ ])
+ key
+ ]
+ )
+ |> lib.flatten
+ |> lib.filter (domain: !(lib.hasSuffix "dn42" domain))
+ );
 };
 };
- certs."${config.networking.fqdn}" = {
- group = lib.mkIf config.services.nginx.enable "nginx";
- extraDomainNames = (
- config.services.nginx.virtualHosts
- |> lib.mapAttrsToList (
- key: config: [
- (if config ? serverAliases then config.serverAliases else [ ])
- key
- ]
- )
- |> lib.flatten
- );
- };
+ pki.certificates = [
+ ''
+ -----BEGIN CERTIFICATE-----
+ MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
+ WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
+ aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
+ NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
+ CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
+ BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+ A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
+ VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
+ 6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
+ FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
+ y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
+ GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
+ AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
+ bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
+ HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
+ //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
+ S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
+ aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
+ P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
+ 9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
+ 1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
+ C0IKqQ==
+ -----END CERTIFICATE-----
+ ''
+ ];
 };
 services = {
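Review bot: The new exclusion `|> lib.filter (domain: !(lib.hasSuffix "dn42" domain))` tests a bare four-character suffix, so any vhost whose name merely ends in `dn42` (not only names under the `.dn42` TLD) would be silently dropped from the Let's Encrypt certificate's SANs; `lib.hasSuffix ".dn42"` states the intent exactly. The `pki.certificates` entry installs the dn42 root CA into the host-wide trust store, where every TLS client on the machine will honour it rather than only the ACME client that needs it for acme.burble.dn42; decoding the blob suggests it is name-constrained to `.dn42` and the dn42 address ranges and expires at the end of 2030, which is worth recording above the literal, e.g. `# dn42 Root Authority CA, trusted system-wide so ACME/HTTPS inside dn42 verify. Appears name-constrained to .dn42 and dn42 prefixes, valid to 2030-12-31 -- confirm with openssl x509 -text.` The attribute set this hunk extends begins and ends outside the hunk.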
diff --git a/config/nixos/modules/websites/zaphyra.dn42.nix b/config/nixos/modules/websites/zaphyra.dn42.nix
@@ -0,0 +1,55 @@
+{
+ povSelf,
+ hostConfig,
+ config,
+ pkgs,
+ lib,
+ dnsNix,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ domain = {
+ type = types.str;
+ default = "zaphyra.dn42";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ dns.zones."${cfg.domain}".AAAA = [ "fd6b:6174:6a61::2" ];
+
+ security.acme.certs."zaphyra.dn42" = {
+ server = "https://acme.burble.dn42/v1/dn42/acme/directory";
+ validMinDays = 20;
+ keyType = "ec384";
+ dnsProvider = null;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ root = pkgs.zaphyra-website;
+ extraConfig = ''
+ location /.well-known/openpgpkey {
+ add_header Access-Control-Allow-Origin * always;
+ }
+ '';
+ };
+ };
+ };
+
+}
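Review bot: The ACME certificate is registered under the literal key `security.acme.certs."zaphyra.dn42"` while the vhost and the DNS zone are keyed on `cfg.domain`; because `enableACME = true` makes nginx use the certificate named after the vhost, overriding the `domain` option would leave the dn42 ACME `server`, `validMinDays` and `dnsProvider = null` on an orphaned entry and the real vhost would fall back to the host's Let's Encrypt/rfc2136 defaults, which cannot issue for a `.dn42` name. Changing the key to `security.acme.certs."${cfg.domain}" = {` keeps the three attributes in lockstep. A short comment on that block would also help the next reader: `dnsProvider = null` presumably overrides the global rfc2136 DNS-01 default so this certificate is validated over HTTP-01 through nginx, and `server` points at an endpoint that is only reachable, and whose TLS chain only verifies, inside dn42, which is why this commit also adds the dn42 root CA to `security.pki.certificates`. The `hostConfig` and `dnsNix` arguments are accepted by the module but never used.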
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix
@@ -95,6 +95,7 @@
 "grafana.infra.zaphyra.eu".enable = true;
 "zaphyra.eu".enable = true;
+ "zaphyra.dn42".enable = true;
 "katja.wtf".enable = true;
 "git.zaphyra.eu".enable = true;
 "bikemap.zaphyra.eu".enable = true;