+ cfg = config.security.acme;
+ hashOptions = let
+ domains = builtins.concatStringsSep "," (
+ [ data.domain ] ++ (builtins.attrNames data.extraDomains)
+ );
+ certOptions = builtins.concatStringsSep "," [
+ (if data.ocspMustStaple then "must-staple" else "no-must-staple")
+ ];
+ in
+ builtins.hashString "sha256" (builtins.concatStringsSep ";" [ data.keyType domains certOptions ]);
+ accountsDir = "accounts-${data.keyType}";
+ lpath = "acme/${k}";
+ apath = "/var/lib/${lpath}";
+ spath = "/var/lib/acme/.lego/${k}";
+ fileMode = if data.allowKeysForGroup then "640" else "600";
+ dirFileMode = if data.allowKeysForGroup then "750" else "700";
+ globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
+ ++ lib.optionals (cfg.acceptTerms) [ "--accept-tos" ]
+ ++ lib.optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
+ ++ lib.concatLists (lib.mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
+ ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" config.myServices.certificates.webroot ])
+ ++ lib.optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
+ certOpts = lib.optionals data.ocspMustStaple [ "--must-staple" ];
+ runOpts = lib.escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
+ renewOpts = lib.escapeShellArgs (globalOpts ++
+ [ "renew" "--days" (builtins.toString cfg.validMinDays) ] ++
+ certOpts ++ data.extraLegoRenewFlags);
+ forceRenewOpts = lib.escapeShellArgs (globalOpts ++
+ [ "renew" "--days" "999" ] ++
+ certOpts ++ data.extraLegoRenewFlags);
+ keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
+ in {
+ User = lib.mkForce "acme";
+ Group = lib.mkForce "acme";
+ WorkingDirectory = lib.mkForce spath;
+ StateDirectory = lib.mkForce "acme/.lego/${k} acme/.lego/${accountsDir}";
+ ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-prestart" ''
+ #!${pkgs.runtimeShell} -e
+ install -m 0755 -o acme -g acme -d ${config.myServices.certificates.webroot}
+ '';
+ in
+ lib.mkForce "+${script}";
+ ExecStart = lib.mkForce (pkgs.writeScript "acme-start" ''