]>
Commit | Line | Data |
---|---|---|
1 | { lib, pkgs, config, name, ... }: | |
2 | { | |
3 | options.myServices.certificates = { | |
4 | enable = lib.mkEnableOption "enable certificates"; | |
5 | certConfig = lib.mkOption { | |
6 | default = { | |
7 | webroot = "/var/lib/acme/acme-challenges"; | |
8 | email = "ismael@bouya.org"; | |
9 | postRun = builtins.concatStringsSep "\n" [ | |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | |
11 | (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service") | |
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | |
14 | ]; | |
15 | extraLegoRenewFlags = [ "--reuse-key" ]; | |
16 | }; | |
17 | description = "Default configuration for certificates"; | |
18 | }; | |
19 | }; | |
20 | ||
21 | config = lib.mkIf config.myServices.certificates.enable { | |
22 | services.duplyBackup.profiles.system.excludeFile = '' | |
23 | + /var/lib/acme/acme-challenges | |
24 | ''; | |
25 | services.nginx = { | |
26 | recommendedTlsSettings = true; | |
27 | virtualHosts = { | |
28 | "${config.hostEnv.fqdn}" = { | |
29 | acmeRoot = config.security.acme.certs."${name}".webroot; | |
30 | useACMEHost = name; | |
31 | forceSSL = true; | |
32 | }; | |
33 | }; | |
34 | }; | |
35 | services.websites.certs = config.myServices.certificates.certConfig; | |
36 | myServices.databasesCerts = config.myServices.certificates.certConfig; | |
37 | myServices.ircCerts = config.myServices.certificates.certConfig; | |
38 | ||
39 | security.acme.acceptTerms = true; | |
40 | security.acme.preliminarySelfsigned = true; | |
41 | ||
42 | security.acme.certs = { | |
43 | "${name}" = config.myServices.certificates.certConfig // { | |
44 | domain = config.hostEnv.fqdn; | |
45 | }; | |
46 | }; | |
47 | ||
48 | systemd.services = lib.attrsets.mapAttrs' (k: v: | |
49 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" { | |
50 | wantedBy = [ "acme-selfsigned-certificates.target" ]; | |
51 | script = lib.mkAfter '' | |
52 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | |
53 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | |
54 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | |
55 | ||
56 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | |
57 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | |
58 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | |
59 | ''; | |
60 | } | |
61 | ) config.security.acme.certs // | |
62 | lib.attrsets.mapAttrs' (k: data: | |
63 | lib.attrsets.nameValuePair "acme-${k}" { | |
64 | after = lib.mkAfter [ "bind.service" ]; | |
65 | serviceConfig.ExecStartPre = | |
66 | let | |
67 | script = pkgs.writeScript "acme-pre-start" '' | |
68 | #!${pkgs.runtimeShell} -e | |
69 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | |
70 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | |
71 | #doesn't work for multiple concurrent runs | |
72 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | |
73 | ''; | |
74 | in | |
75 | "+${script}"; | |
76 | # This is a workaround to | |
77 | # https://github.com/NixOS/nixpkgs/issues/84409 | |
78 | # https://github.com/NixOS/nixpkgs/issues/84633 | |
79 | serviceConfig.RemainAfterExit = lib.mkForce false; | |
80 | serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego"; | |
81 | serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k} acme/.lego/${k} acme/.lego/accounts"; | |
82 | serviceConfig.ExecStartPost = | |
83 | let | |
84 | keyName = builtins.replaceStrings ["*"] ["_"] data.domain; | |
85 | fileMode = if data.allowKeysForGroup then "640" else "600"; | |
86 | spath = "/var/lib/acme/${k}/.lego"; | |
87 | script = pkgs.writeScript "acme-post-start" '' | |
88 | #!${pkgs.runtimeShell} -e | |
89 | cd /var/lib/acme/${k} | |
90 | ||
91 | # Test that existing cert is older than new cert | |
92 | KEY=${spath}/certificates/${keyName}.key | |
93 | if [ -e $KEY -a $KEY -nt key.pem ]; then | |
94 | cp -p ${spath}/certificates/${keyName}.key key.pem | |
95 | cp -p ${spath}/certificates/${keyName}.crt fullchain.pem | |
96 | cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem | |
97 | ln -sf fullchain.pem cert.pem | |
98 | cat key.pem fullchain.pem > full.pem | |
99 | ||
100 | ${data.postRun} | |
101 | fi | |
102 | ||
103 | chmod ${fileMode} *.pem | |
104 | chown '${data.user}:${data.group}' *.pem | |
105 | ''; | |
106 | in | |
107 | lib.mkForce "+${script}"; | |
108 | ||
109 | } | |
110 | ) config.security.acme.certs // | |
111 | { | |
112 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | |
113 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
114 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | |
115 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
116 | httpdInte = lib.mkIf config.services.httpd.Inte.enable | |
117 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
118 | }; | |
119 | }; | |
120 | } |