[perso/Immae/Config/Nix.git] / modules / private / certificates.nix

{ lib, pkgs, config, name, ... }:
{
  options.myServices.certificates = {
    enable = lib.mkEnableOption "enable certificates";
    webroot = lib.mkOption {
      readOnly = true;
      default = "/var/lib/acme/acme-challenges";
    };
    certConfig = lib.mkOption {
      default = {
        webroot = "/var/lib/acme/acme-challenges";
        email = "ismael@bouya.org";
        postRun = builtins.concatStringsSep "\n" [
          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
        extraLegoRenewFlags = [ "--reuse-key" ];
        keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
        #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
        #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
      };
      description = "Default configuration for certificates";
    };
  };

  config = lib.mkIf config.myServices.certificates.enable {
    services.nginx = {
      recommendedTlsSettings = true;
      virtualHosts = {
        "${config.hostEnv.fqdn}" = {
          acmeRoot = config.myServices.certificates.webroot;
          useACMEHost = name;
          forceSSL = true;
        };
      };
    };
    services.websites.certs = config.myServices.certificates.certConfig;
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;

    security.acme.acceptTerms = true;
    security.acme.preliminarySelfsigned = true;

    security.acme.certs = {
      "${name}" = config.myServices.certificates.certConfig // {
        domain = config.hostEnv.fqdn;
      };
    };
  };
}
Commit	Line	Data
6e9f30f4	1	{ lib, pkgs, config, name, ... }:
3013caf1	2	{
8415083e IB	3	options.myServices.certificates = {
8415083e IB	4	enable = lib.mkEnableOption "enable certificates";
cfda3cfc IB	5	webroot = lib.mkOption {
	6	readOnly = true;
	7	default = "/var/lib/acme/acme-challenges";
	8	};
3013caf1 IB	9	certConfig = lib.mkOption {
3013caf1 IB	10	default = {
e34b3079	11	webroot = "/var/lib/acme/acme-challenges";
3013caf1	12	email = "ismael@bouya.org";
6e9f30f4 IB	13	postRun = builtins.concatStringsSep "\n" [
	14	(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
	15	(lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
	16	(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
	17	(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
	18	];
f5761aac	19	extraLegoRenewFlags = [ "--reuse-key" ];
cfda3cfc	20	keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
e34b3079 IB	21	#extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
e34b3079 IB	22	#extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
3013caf1 IB	23	};
	24	description = "Default configuration for certificates";
	25	};
	26	};
	27
8415083e	28	config = lib.mkIf config.myServices.certificates.enable {
6e9f30f4 IB	29	services.nginx = {
6e9f30f4 IB	30	recommendedTlsSettings = true;
3ffa15ba IB	31	virtualHosts = {
3ffa15ba IB	32	"${config.hostEnv.fqdn}" = {
cfda3cfc	33	acmeRoot = config.myServices.certificates.webroot;
3ffa15ba IB	34	useACMEHost = name;
	35	forceSSL = true;
	36	};
	37	};
6e9f30f4	38	};
8415083e IB	39	services.websites.certs = config.myServices.certificates.certConfig;
	40	myServices.databasesCerts = config.myServices.certificates.certConfig;
	41	myServices.ircCerts = config.myServices.certificates.certConfig;
7df420c2	42
258dd18b	43	security.acme.acceptTerms = true;
5400b9b6	44	security.acme.preliminarySelfsigned = true;
3013caf1	45
5400b9b6	46	security.acme.certs = {
6e9f30f4	47	"${name}" = config.myServices.certificates.certConfig // {
619e4f46	48	domain = config.hostEnv.fqdn;
3013caf1 IB	49	};
	50	};
	51	};
	52	}