]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/certificates.nix
Retry dovecot submission on failure
[perso/Immae/Config/Nix.git] / modules / private / certificates.nix
CommitLineData
6e9f30f4 1{ lib, pkgs, config, name, ... }:
3013caf1 2{
8415083e
IB
3 options.myServices.certificates = {
4 enable = lib.mkEnableOption "enable certificates";
cfda3cfc
IB
5 webroot = lib.mkOption {
6 readOnly = true;
7 default = "/var/lib/acme/acme-challenges";
8 };
3013caf1
IB
9 certConfig = lib.mkOption {
10 default = {
e34b3079 11 webroot = "/var/lib/acme/acme-challenges";
3013caf1 12 email = "ismael@bouya.org";
6e9f30f4
IB
13 postRun = builtins.concatStringsSep "\n" [
14 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
15 (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
16 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
17 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
18 ];
f5761aac 19 extraLegoRenewFlags = [ "--reuse-key" ];
cfda3cfc 20 keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
e34b3079
IB
21 #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
22 #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
3013caf1
IB
23 };
24 description = "Default configuration for certificates";
25 };
26 };
27
8415083e 28 config = lib.mkIf config.myServices.certificates.enable {
6e9f30f4
IB
29 services.nginx = {
30 recommendedTlsSettings = true;
3ffa15ba
IB
31 virtualHosts = {
32 "${config.hostEnv.fqdn}" = {
cfda3cfc 33 acmeRoot = config.myServices.certificates.webroot;
3ffa15ba
IB
34 useACMEHost = name;
35 forceSSL = true;
36 };
37 };
6e9f30f4 38 };
8415083e
IB
39 services.websites.certs = config.myServices.certificates.certConfig;
40 myServices.databasesCerts = config.myServices.certificates.certConfig;
41 myServices.ircCerts = config.myServices.certificates.certConfig;
7df420c2 42
258dd18b 43 security.acme.acceptTerms = true;
5400b9b6 44 security.acme.preliminarySelfsigned = true;
3013caf1 45
5400b9b6 46 security.acme.certs = {
6e9f30f4 47 "${name}" = config.myServices.certificates.certConfig // {
619e4f46 48 domain = config.hostEnv.fqdn;
3013caf1
IB
49 };
50 };
51 };
52}