1 { lib, pkgs, config, name, ... }:
3 options.myServices.certificates = {
4 enable = lib.mkEnableOption "enable certificates";
5 certConfig = lib.mkOption {
7 webroot = "/var/lib/acme/acme-challenges";
8 email = "ismael@bouya.org";
9 postRun = builtins.concatStringsSep "\n" [
10 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
11 (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
12 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
13 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
16 description = "Default configuration for certificates";
20 config = lib.mkIf config.myServices.certificates.enable {
21 services.duplyBackup.profiles.system.excludeFile = ''
22 + /var/lib/acme/acme-challenges
25 recommendedTlsSettings = true;
27 "${config.hostEnv.fqdn}" = {
28 acmeRoot = config.security.acme.certs."${name}".webroot;
34 services.websites.certs = config.myServices.certificates.certConfig;
35 myServices.databasesCerts = config.myServices.certificates.certConfig;
36 myServices.ircCerts = config.myServices.certificates.certConfig;
38 security.acme.acceptTerms = true;
39 security.acme.preliminarySelfsigned = true;
41 security.acme.certs = {
42 "${name}" = config.myServices.certificates.certConfig // {
43 domain = config.hostEnv.fqdn;
47 systemd.services = lib.attrsets.mapAttrs' (k: v:
48 lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
49 cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
50 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
51 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
53 cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
54 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
55 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
58 ) config.security.acme.certs //
59 lib.attrsets.mapAttrs' (k: data:
60 lib.attrsets.nameValuePair "acme-${k}" {
61 serviceConfig.ExecStartPre =
63 script = pkgs.writeScript "acme-pre-start" ''
64 #!${pkgs.runtimeShell} -e
65 mkdir -p '${data.webroot}/.well-known/acme-challenge'
66 chmod a+w '${data.webroot}/.well-known/acme-challenge'
67 #doesn't work for multiple concurrent runs
68 #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
72 # This is a workaround to
73 # https://github.com/NixOS/nixpkgs/issues/84409
74 # https://github.com/NixOS/nixpkgs/issues/84633
75 serviceConfig.RemainAfterExit = lib.mkForce false;
76 serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
77 serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
78 serviceConfig.ExecStartPost =
80 keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
81 fileMode = if data.allowKeysForGroup then "640" else "600";
82 spath = "/var/lib/acme/${k}/.lego";
83 script = pkgs.writeScript "acme-post-start" ''
84 #!${pkgs.runtimeShell} -e
87 # Test that existing cert is older than new cert
88 KEY=${spath}/certificates/${keyName}.key
89 if [ -e $KEY -a $KEY -nt key.pem ]; then
90 cp -p ${spath}/certificates/${keyName}.key key.pem
91 cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
92 cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
93 ln -sf fullchain.pem cert.pem
94 cat key.pem fullchain.pem > full.pem
99 chmod ${fileMode} *.pem
100 chown '${data.user}:${data.group}' *.pem
103 lib.mkForce "+${script}";
106 ) config.security.acme.certs //
108 httpdProd = lib.mkIf config.services.httpd.Prod.enable
109 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
110 httpdTools = lib.mkIf config.services.httpd.Tools.enable
111 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
112 httpdInte = lib.mkIf config.services.httpd.Inte.enable
113 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };