]>
Commit | Line | Data |
---|---|---|
1 | { lib, pkgs, config, name, ... }: | |
2 | { | |
3 | options.myServices.certificates = { | |
4 | enable = lib.mkEnableOption "enable certificates"; | |
5 | certConfig = lib.mkOption { | |
6 | default = { | |
7 | webroot = "/var/lib/acme/acme-challenges"; | |
8 | email = "ismael@bouya.org"; | |
9 | postRun = builtins.concatStringsSep "\n" [ | |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | |
11 | (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service") | |
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | |
14 | ]; | |
15 | }; | |
16 | description = "Default configuration for certificates"; | |
17 | }; | |
18 | }; | |
19 | ||
20 | config = lib.mkIf config.myServices.certificates.enable { | |
21 | services.duplyBackup.profiles.system.excludeFile = '' | |
22 | + /var/lib/acme/acme-challenges | |
23 | ''; | |
24 | services.nginx = { | |
25 | recommendedTlsSettings = true; | |
26 | virtualHosts = { | |
27 | "${config.hostEnv.fqdn}" = { | |
28 | acmeRoot = config.security.acme.certs."${name}".webroot; | |
29 | useACMEHost = name; | |
30 | forceSSL = true; | |
31 | }; | |
32 | }; | |
33 | }; | |
34 | services.websites.certs = config.myServices.certificates.certConfig; | |
35 | myServices.databasesCerts = config.myServices.certificates.certConfig; | |
36 | myServices.ircCerts = config.myServices.certificates.certConfig; | |
37 | ||
38 | security.acme.acceptTerms = true; | |
39 | security.acme.preliminarySelfsigned = true; | |
40 | ||
41 | security.acme.certs = { | |
42 | "${name}" = config.myServices.certificates.certConfig // { | |
43 | domain = config.hostEnv.fqdn; | |
44 | }; | |
45 | }; | |
46 | ||
47 | systemd.services = lib.attrsets.mapAttrs' (k: v: | |
48 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' | |
49 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | |
50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | |
52 | ||
53 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | |
54 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | |
55 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | |
56 | ''; | |
57 | } | |
58 | ) config.security.acme.certs // | |
59 | lib.attrsets.mapAttrs' (k: data: | |
60 | lib.attrsets.nameValuePair "acme-${k}" { | |
61 | serviceConfig.ExecStartPre = | |
62 | let | |
63 | script = pkgs.writeScript "acme-pre-start" '' | |
64 | #!${pkgs.runtimeShell} -e | |
65 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | |
66 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | |
67 | #doesn't work for multiple concurrent runs | |
68 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | |
69 | ''; | |
70 | in | |
71 | "+${script}"; | |
72 | # This is a workaround to | |
73 | # https://github.com/NixOS/nixpkgs/issues/84409 | |
74 | # https://github.com/NixOS/nixpkgs/issues/84633 | |
75 | serviceConfig.RemainAfterExit = lib.mkForce false; | |
76 | serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego"; | |
77 | serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}"; | |
78 | serviceConfig.ExecStartPost = | |
79 | let | |
80 | keyName = builtins.replaceStrings ["*"] ["_"] data.domain; | |
81 | fileMode = if data.allowKeysForGroup then "640" else "600"; | |
82 | spath = "/var/lib/acme/${k}/.lego"; | |
83 | script = pkgs.writeScript "acme-post-start" '' | |
84 | #!${pkgs.runtimeShell} -e | |
85 | cd /var/lib/acme/${k} | |
86 | ||
87 | # Test that existing cert is older than new cert | |
88 | KEY=${spath}/certificates/${keyName}.key | |
89 | if [ -e $KEY -a $KEY -nt key.pem ]; then | |
90 | cp -p ${spath}/certificates/${keyName}.key key.pem | |
91 | cp -p ${spath}/certificates/${keyName}.crt fullchain.pem | |
92 | cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem | |
93 | ln -sf fullchain.pem cert.pem | |
94 | cat key.pem fullchain.pem > full.pem | |
95 | ||
96 | ${data.postRun} | |
97 | fi | |
98 | ||
99 | chmod ${fileMode} *.pem | |
100 | chown '${data.user}:${data.group}' *.pem | |
101 | ''; | |
102 | in | |
103 | lib.mkForce "+${script}"; | |
104 | ||
105 | } | |
106 | ) config.security.acme.certs // | |
107 | { | |
108 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | |
109 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
110 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | |
111 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
112 | httpdInte = lib.mkIf config.services.httpd.Inte.enable | |
113 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
114 | }; | |
115 | }; | |
116 | } |