feat(a1d1): init
Co-Authored-By: Samuel Shuert <coded@clicks.codes>
Change-Id: Iaf1499b8cde6d3f6bdb024374f6830d582006aeb
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/720
Tested-by: Samuel Shuert <coded@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/modules/nixos/clicks/security/acme/default.nix b/modules/nixos/clicks/security/acme/default.nix
new file mode 100644
index 0000000..655e39f
--- /dev/null
+++ b/modules/nixos/clicks/security/acme/default.nix
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+# SPDX-FileCopyrightText: 2024 Clicks Codes
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ lib, config, ... }:
+let
+ cfg = config.clicks.security.acme;
+in
+{
+ options.clicks.security.acme = {
+ enable = lib.mkEnableOption "Acme defaults";
+
+ email = lib.mkOption {
+ type = lib.types.str;
+ default = "";
+ description = "Email address to use for Let's Encrypt registration.";
+ };
+
+ staging = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Use the Let's Encrypt staging server.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme = {
+ acceptTerms = true;
+
+ defaults = {
+ inherit (cfg) email;
+
+ group = lib.mkIf config.services.nginx.enable "nginx";
+ server = lib.mkIf cfg.staging "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+ # Reload nginx when certs change.
+ reloadServices = lib.optional config.services.nginx.enable "nginx.service";
+ };
+ };
+ };
+}
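Review bot: The `email` option defaults to `""` and is then passed straight through via `inherit (cfg) email;` on the new side, so a host that enables this module without setting an address registers with Let's Encrypt using an empty email rather than an unset one, which the ACME client will reject or silently register without a contact for expiry notices. Make the absence explicit instead of using a sentinel string: `type = lib.types.nullOr lib.types.str; default = null;` keeps the upstream `security.acme.defaults.email` semantics and lets an assertion or the upstream module complain when no address is given. The unconditional `acceptTerms = true;` is a deliberate choice here, but it deserves a one-line comment stating that enabling this module implies accepting the Let's Encrypt terms on the operator's behalf, since that is no longer visible at the call site.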
diff --git a/modules/nixos/clicks/security/doas/default.nix b/modules/nixos/clicks/security/doas/default.nix
new file mode 100644
index 0000000..424d9d7
--- /dev/null
+++ b/modules/nixos/clicks/security/doas/default.nix
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+# SPDX-FileCopyrightText: 2024 Clicks Codes
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ cfg = config.clicks.security.doas;
+in
+{
+ options.clicks.security.doas = {
+ enable = lib.mkEnableOption "doas";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.sudo.enable = false;
+
+ security.doas = {
+ enable = true;
+ extraRules = [
+ {
+ users = config.clicks.users.deployers;
+ noPass = true;
+ keepEnv = true;
+ }
+ ];
+ };
+
+ environment.shellAliases = {
+ sudo = "${config.security.wrapperDir}/${config.security.wrappers.doas.program}";
+ };
+ };
+}
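Review bot: The single `extraRules` entry grants every user in `config.clicks.users.deployers` passwordless root (`noPass = true`) with their full calling environment preserved (`keepEnv = true`), and there is no `cmd` or `args` restriction, so the rule is effectively "any deployer is root non-interactively with an inherited PATH and environment". If the intent is unattended deployments, scope the rule to the commands the deploy tooling actually runs and pass only the variables it needs, e.g. `cmd = "<deploy-binary>"; setEnv = [ "<VAR>" ];` in place of `keepEnv = true;`, or at minimum add a comment recording why an unrestricted, env-preserving rule is required. `config.clicks.users.deployers` is defined outside this diff, so I cannot confirm how that list is populated; if it is anything broader than a small set of service accounts, the exposure is correspondingly larger. Note also that the `sudo` alias on the new side only covers interactive shells, so scripts that invoke `sudo` by name will fail once `security.sudo.enable = false` takes effect — worth a comment next to the alias so the behaviour is understood rather than discovered.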