1 { lib, pkgs, config, name, ... }:
3 options.myServices.certificates = {
4 enable = lib.mkEnableOption "enable certificates";
5 webroot = lib.mkOption {
7 default = "/var/lib/acme/acme-challenges";
9 certConfig = lib.mkOption {
11 webroot = "/var/lib/acme/acme-challenges";
12 email = "ismael@bouya.org";
13 postRun = builtins.concatStringsSep "\n" [
14 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
15 (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
16 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
17 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
19 extraLegoRenewFlags = [ "--reuse-key" ];
20 keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
21 #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
22 #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
24 description = "Default configuration for certificates";
28 config = lib.mkIf config.myServices.certificates.enable {
30 recommendedTlsSettings = true;
32 "${config.hostEnv.fqdn}" = {
33 acmeRoot = config.myServices.certificates.webroot;
39 services.websites.certs = config.myServices.certificates.certConfig;
40 myServices.databasesCerts = config.myServices.certificates.certConfig;
41 myServices.ircCerts = config.myServices.certificates.certConfig;
43 security.acme.acceptTerms = true;
44 security.acme.preliminarySelfsigned = true;
46 security.acme.certs = {
47 "${name}" = config.myServices.certificates.certConfig // {
48 domain = config.hostEnv.fqdn;