]>
Commit | Line | Data |
---|---|---|
1 | { lib, pkgs, config, name, ... }: | |
2 | { | |
3 | options.myServices.certificates = { | |
4 | enable = lib.mkEnableOption "enable certificates"; | |
5 | certConfig = lib.mkOption { | |
6 | default = { | |
7 | webroot = "/var/lib/acme/acme-challenge"; | |
8 | email = "ismael@bouya.org"; | |
9 | postRun = builtins.concatStringsSep "\n" [ | |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | |
11 | (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service") | |
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | |
14 | ]; | |
15 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; | |
16 | }; | |
17 | description = "Default configuration for certificates"; | |
18 | }; | |
19 | }; | |
20 | ||
21 | config = lib.mkIf config.myServices.certificates.enable { | |
22 | services.duplyBackup.profiles.system.excludeFile = '' | |
23 | + /var/lib/acme/acme-challenge | |
24 | ''; | |
25 | services.nginx = { | |
26 | recommendedTlsSettings = true; | |
27 | virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; }; | |
28 | }; | |
29 | services.websites.certs = config.myServices.certificates.certConfig; | |
30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | |
31 | myServices.ircCerts = config.myServices.certificates.certConfig; | |
32 | ||
33 | security.acme.preliminarySelfsigned = true; | |
34 | ||
35 | security.acme.certs = { | |
36 | "${name}" = config.myServices.certificates.certConfig // { | |
37 | domain = config.hostEnv.fqdn; | |
38 | }; | |
39 | }; | |
40 | ||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | |
43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | |
44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | |
45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | |
46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | |
47 | '') + | |
48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | |
49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | |
50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | |
52 | '') | |
53 | ; }) | |
54 | ) config.security.acme.certs // | |
55 | lib.attrsets.mapAttrs' (k: data: | |
56 | lib.attrsets.nameValuePair "acme-${k}" { | |
57 | serviceConfig.ExecStartPre = | |
58 | let | |
59 | script = pkgs.writeScript "acme-pre-start" '' | |
60 | #!${pkgs.runtimeShell} -e | |
61 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | |
62 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | |
63 | #doesn't work for multiple concurrent runs | |
64 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | |
65 | ''; | |
66 | in | |
67 | "+${script}"; | |
68 | } | |
69 | ) config.security.acme.certs // | |
70 | { | |
71 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | |
72 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
73 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | |
74 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
75 | httpdInte = lib.mkIf config.services.httpd.Inte.enable | |
76 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
77 | }; | |
78 | }; | |
79 | } |