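{ lib, pkgs, config, name, ... }:
# Shared ACME (Let's Encrypt via lego) certificate settings for this host.
# Enabling myServices.certificates wires the host FQDN into nginx and
# security.acme, and hands the same certConfig to the websites, database
# and IRC modules so every consumer is issued/renewed the same way.
# NOTE(review): `name` is not a standard NixOS module argument; it is
# presumably injected via _module.args (or this file is used as a
# submodule) and names the security.acme.certs entry — confirm with the
# importer before relying on it.
{
  options.myServices.certificates = {
    enable = lib.mkEnableOption "enable certificates";
    # Directory lego writes HTTP-01 challenge files into. readOnly so that
    # every vhost and module below necessarily agrees on the path.
    webroot = lib.mkOption {
      readOnly = true;
      default = "/var/lib/acme/acme-challenges";
    };
    certConfig = lib.mkOption {
      default = {
        # Single source of truth: reference the readOnly option instead of
        # repeating the literal path (the value is identical).
        webroot = config.myServices.certificates.webroot;
        email = "ismael@bouya.org";
        # Reload every web server that serves the renewed certificate.
        # lib.optionalString yields "" for a disabled service, so the
        # resulting script only contains the reloads that apply.
        postRun = builtins.concatStringsSep "\n" [
          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
        # Security caveat: --reuse-key keeps the same private key across
        # renewals, so a leaked key is NOT rotated by the renewal cycle and
        # must be revoked and regenerated by hand. Drop the flag if
        # per-renewal key rotation is preferred over key stability (e.g.
        # for pinning). It is only applied to `lego renew`, not the first run.
        extraLegoRenewFlags = [ "--reuse-key" ];
        # ECDSA P-256 keys; mkDefault lets a consumer override per cert.
        keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
        #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
        #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
      };
      description = "Default configuration for certificates";
    };
  };

  config = lib.mkIf config.myServices.certificates.enable {
    services.nginx = {
      # NixOS nginx module's recommended protocol/cipher/session settings.
      recommendedTlsSettings = true;
      virtualHosts = {
        # config.hostEnv.fqdn is a project option; assumed to be the
        # host's public name that the certificate is issued for.
        "${config.hostEnv.fqdn}" = {
          acmeRoot = config.myServices.certificates.webroot;
          useACMEHost = name;
          forceSSL = true; # plain HTTP is redirected to HTTPS
        };
      };
    };
    # Same issuance/renewal settings for every certificate consumer.
    services.websites.certs = config.myServices.certificates.certConfig;
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;

    security.acme.acceptTerms = true;
    # Presumably installs a self-signed placeholder so dependent services
    # can start before the first real issuance completes — verify against
    # the security.acme module version in use.
    security.acme.preliminarySelfsigned = true;

    security.acme.certs = {
      # `//` merges in the domain; keys in certConfig are otherwise kept.
      "${name}" = config.myServices.certificates.certConfig // {
        domain = config.hostEnv.fqdn;
      };
    };
  };
}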