Berwn
48bf7fb250
web01 terminates TLS for grafana.cnx.network and proxies to Grafana on control over the mesh. Caddy serves a *.cnx.network wildcard cert obtained via ACME DNS-01, using a dedicated acme_web01 TSIG key scoped on ns1 to _acme-challenge on the cnx.network zone only. Ports 80/443 are the only public exposure (80 just redirects); admin and the backend ride ZeroTier. Also reload Caddy on cert renewal for both web01 and mx1, since both reference the cert via explicit tls file paths and would otherwise keep serving a stale cert after a silent renewal.
20 lines
888 B
Nix
20 lines
888 B
Nix
# Shared TSIG secret for the dedicated acme_web01 key.
|
|
#
|
|
# This key lets web01 — and only web01 — write _acme-challenge.cnx.network TXT
|
|
# records on ns1 to obtain its wildcard (*.cnx.network) TLS cert via ACME DNS-01.
|
|
# ns1 scopes it with acl_acme_web01 (attached only to the cnx.network zone) so the
|
|
# credential can touch nothing else. ns1 renders this secret into a Knot key file;
|
|
# web01 into a lego rfc2136 env file; both must carry the same secret, hence one
|
|
# shared generator with a per-host renderer that depends on it. Imported by ns1
|
|
# and (via web-proxy.nix) web01.
|
|
{ pkgs, ... }:
|
|
{
|
|
clan.core.vars.generators.dns-acme-web01-secret = {
|
|
share = true;
|
|
files."secret".secret = true;
|
|
runtimeInputs = [ pkgs.openssl ];
|
|
# 32 random bytes, base64 — a valid hmac-sha256 TSIG secret.
|
|
script = ''openssl rand -base64 32 | tr -d '\n' > "$out"/secret'';
|
|
};
|
|
}
|