feat: ACME

hosts/rs/configuration.nix

@@ -51,6 +51,7 @@
     age.sshKeyPaths = [ "/home/rs/.ssh/id_ed25519" ];
     secrets = {
       hashed_password.neededForUsers = true;
+      acme_credentials = { };
       "wg/keys/client" = { };
       "wg/keys/server" = { };
       "wg/keys/preshared/lap" = { };
@@ -98,6 +99,11 @@
     };
 
   services = {
+    security.acme = {
+      enable = true;
+      email = "[email protected]";
+    };
+
     media = {
       immich.enable = true;
       jellyfin.enable = true;

hosts/rs/secrets.yaml

@@ -1,4 +1,5 @@
 hashed_password: ENC[AES256_GCM,data:vPupiWnBmR0cKRGN1gSy+SIqGnXQRSV8YS24uUDSo+1d8tDnWBg1GFIn5QHPH8IgSDRSsSbvrOzHMf2SM3e/nhkpFb+B21xQlw==,iv:PVYzHP4xPcALvH5+5cdqdc3/Muyp835qCeDY1a83/n4=,tag:Jv66euWTm2cJfZHWB23yyA==,type:str]
+acme_credentials: ENC[AES256_GCM,data:4UUR/RnW3Pj6NwJhp4mk2mqonrLju7Itao0l+Bu+5Tk=,iv:sFR2nOs+NTWhhTrbZJvsW1r7ITWuSkms+fcw5xf4S+Y=,tag:OMIcqG5RpTOF/hFIjs+I/w==,type:str]
 searx.env: ENC[AES256_GCM,data:6I5oxKOrQ4XE11E/E0gip2Kt58tZZ+KBv7iV1krqsf3WMFlq/F2UBp7btSgjyoe6yiBNtLO9BgMIHovwMQQ=,iv:NIFEPXLNasjcFj+4zxW1XKcmRg1zIIEKa8pClSVxOII=,tag:rTEpKLvU1ftZ/6xL2v1K2Q==,type:str]
 wg:
     keys:
@@ -49,8 +50,8 @@ sops:
             STZMcU8zVlR0cEpTNWtJeFFQS3M1YmsKcxwoVUbI5jHN08DzSaU+SB9uKGl0yQal
             hs0YjNpTKM/y6zzGpu17InVu46FJGtOV4Bkipf2aMipbM+z7TXnKyQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-31T12:11:47Z"
-    mac: ENC[AES256_GCM,data:zWmZuXo3ggXwrE2sllxAZCOFFYODDuyPtwTFtksPDTQU2kANWprDXm0AUMisAx8maRvB4inSZbjpudhpyszw5CiQPjHOt4lBrjbjwPk3J5suRcZiLdIif4SOf16uN7FAz8Gql1MUSDZz1RXDkPAW6WJdnu+vLqB3MgfotYbqDaw=,iv:k25Pcvmh96JwQ2cT2b5dMpnZjkxgG6LdPGW0rfLLyTc=,tag:YMMYKKuyAI2yS87CXwZQYA==,type:str]
+    lastmodified: "2025-01-08T17:27:10Z"
+    mac: ENC[AES256_GCM,data:XWn3bPkyNxWsS+Nlbyrx79PqXnCcf7DYBiwkxYfSz1/4zR0Ulr4e/CkURB1Qso3webPTjipR0+55CgtHnPEUXTlJUNtPk/7uax3WscG2naDOgHDBMWp7Twl4rTLaWtsitrcJEkG4xaNLq09D+TMJyXtzjTJsAKJmmYBzFOSA5eQ=,iv:S5lQAAAIX8xdjGXbxqHzkbXNOLOvNF4/Y06ZE1HVjGg=,tag:P3Z4lYrKP9bkpd+KTXFYCA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.2

services/default.nix

@@ -5,5 +5,6 @@
     ./media
     ./misc
     ./networking
+    ./security
   ];
 }

services/networking/traefik.nix

@@ -2,23 +2,10 @@
 let
   cfg = config.services.networking.traefik;
 in
-# Due to non external factors traefik can't be used yet with authentik-nix.
-# Therefore router Firewall is disabled by default.
-# When done
-# TODO: Authentik-nix
 # TODO: Remove most if not all "openFirewall" instances in Config
 # TODO: Replace SearXNG with selfhosted instance
 {
-  options = {
-    homelab.domain = lib.mkOption {
-      default = "nix-pi.ipv64.de";
-      type = lib.types.nonEmptyStr;
-      example = "myHomeLab.de";
-      description = "The Domain which exposes all Services";
-    };
-
-    services.networking.traefik.enable = lib.mkEnableOption "Traefik";
-  };
+  options.services.networking.traefik.enable = lib.mkEnableOption "Traefik";
 
   config = lib.mkMerge [
     (lib.mkIf cfg.enable {
@@ -27,50 +14,83 @@ in
         443
       ];
 
-      services.traefik = {
-        enable = true;
+      services.traefik =
+        let
+          basePath = "/var/lib/acme/${config.networking.domain}";
+        in
+        {
+          enable = true;
 
-        dynamicConfigOptions.http.routers.dashboard = {
-          rule = "Host(`traefik.${config.homelab.domain}`)";
-          service = "api@internal";
-        };
+          dynamicConfigOptions =
+            let
+              certs = {
+                certFile = "${basePath}/cert.pem";
+                keyFile = "${basePath}/key.pem";
+              };
+            in
+            {
+              tls = {
+                stores.default.defaultCertificate = certs;
+                certificates = [ (certs // { stores = "default"; }) ];
+              };
 
-        staticConfigOptions = {
-          global = {
-            checkNewVersion = false;
-            sendAnonymousUsage = false;
-          };
+              http.routers.dashboard = {
+                rule = "Host(`traefik.${config.networking.domain}`)";
+                service = "api@internal";
+              };
+            };
 
-          api = {
-            disableDashboardAd = true;
-            insecure = true; # TODO: Revert when using HTTPS
-          };
+          staticConfigOptions = {
+            global = {
+              checkNewVersion = false;
+              sendAnonymousUsage = false;
+            };
 
-          log = {
-            level = "INFO";
-            filePath = "${config.services.traefik.dataDir}/traefik.log";
-            format = "json";
-          };
+            api = {
+              dashboard = true;
+              disableDashboardAd = true;
+            };
 
-          entryPoints = {
-            web = {
-              address = ":80";
-              # http.redirections.entryPoint = {
-              #   to = "websecure";
-              #   scheme = "https";
-              #   permanent = true;
-              # };
+            log = {
+              level = "INFO";
+              filePath = "${config.services.traefik.dataDir}/traefik.log";
+              format = "json";
             };
-            websecure = {
-              address = ":443";
-              # http.tls = {
-              #   certResolver = "letsencrypt";
-              #   domains = [ ];
-              # };
+
+            certificatesResolvers.letsencrypt.acme = {
+              email = "[email protected]";
+              storage = "${config.services.traefik.dataDir}/cert.json";
+              dnsChallenge = {
+                provider = "ipv64";
+                resolvers = [ "1.1.1.1:53" ]; # TODO: Change Resolver?
+              };
+            };
+
+            entryPoints = {
+              web = {
+                address = ":80";
+                http.redirections.entryPoint = {
+                  to = "websecure";
+                  scheme = "https";
+                  permanent = true;
+                };
+              };
+              websecure = {
+                address = ":443";
+                asDefault = true;
+                http.tls = {
+                  certResolver = "letsencrypt";
+                  domains = [
+                    {
+                      main = "${config.networking.domain}";
+                      sans = [ "*.${config.networking.domain}" ];
+                    }
+                  ];
+                };
+              };
             };
           };
         };
-      };
     })
 
     (lib.mkIf config.isImpermanenceEnabled {

services/security/acme.nix

@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.security.acme;
+in
+{
+  options.services.security.acme = {
+    enable = lib.mkEnableOption "ACME";
+
+    email = lib.mkOption {
+      readOnly = true;
+      type = lib.types.nonEmptyStr;
+      example = "[email protected]";
+      description = "The default Email for all Certificates";
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      security.acme = {
+        acceptTerms = true;
+        defaults = {
+          inherit (cfg) email;
+          dnsProvider = "ipv64";
+          credentialFiles = {
+            IPV64_API_KEY_FILE = config.sops.secrets.acme_credentials.path;
+          };
+        };
+        certs."${config.networking.domain}" = {
+          group = "traefik";
+          extraDomainNames = [ "*.${config.networking.domain}" ];
+        };
+      };
+    })
+
+    (lib.mkIf config.isImpermanenceEnabled {
+      environment.persistence."/persist".directories = lib.optional cfg.enable "/var/lib/acme";
+    })
+  ];
+}

services/security/default.nix

@@ -0,0 +1 @@
+{ imports = [ ./acme.nix ]; }