-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, name, ... }:
{
- options.services.myCertificates = {
+ options.myServices.certificates = {
+ enable = lib.mkEnableOption "enable certificates";
certConfig = lib.mkOption {
default = {
- webroot = "${config.security.acme.directory}/acme-challenge";
+ webroot = "/var/lib/acme/acme-challenges";
email = "ismael@bouya.org";
- postRun = ''
- systemctl reload httpdTools.service httpdInte.service httpdProd.service
- '';
- plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+ postRun = builtins.concatStringsSep "\n" [
+ (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
+ (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
+ (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
+ (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+ ];
};
description = "Default configuration for certificates";
};
};
- config = {
- services.backup.profiles.system.excludeFile = ''
- + ${config.security.acme.directory}
+ config = lib.mkIf config.myServices.certificates.enable {
+ services.duplyBackup.profiles.system.excludeFile = ''
+ + /var/lib/acme/acme-challenges
'';
- services.websites.certs = config.services.myCertificates.certConfig;
- myServices.databasesCerts = config.services.myCertificates.certConfig;
- myServices.ircCerts = config.services.myCertificates.certConfig;
+ services.nginx = {
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${config.hostEnv.fqdn}" = {
+ acmeRoot = config.security.acme.certs."${name}".webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ };
+ };
+ };
+ services.websites.certs = config.myServices.certificates.certConfig;
+ myServices.databasesCerts = config.myServices.certificates.certConfig;
+ myServices.ircCerts = config.myServices.certificates.certConfig;
+ security.acme.acceptTerms = true;
security.acme.preliminarySelfsigned = true;
security.acme.certs = {
- "eldiron" = config.services.myCertificates.certConfig // {
- domain = "eldiron.immae.eu";
+ "${name}" = config.myServices.certificates.certConfig // {
+ domain = config.hostEnv.fqdn;
};
};
systemd.services = lib.attrsets.mapAttrs' (k: v:
- lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
- (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
- cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
- chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
- '') +
- (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
- cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
- chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
- '')
- ; })
- ) config.security.acme.certs // {
- httpdProd.after = [ "acme-selfsigned-certificates.target" ];
- httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
- httpdTools.after = [ "acme-selfsigned-certificates.target" ];
- httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
- httpdInte.after = [ "acme-selfsigned-certificates.target" ];
- httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+ lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
+ wantedBy = [ "acme-selfsigned-certificates.target" ];
+ script = lib.mkAfter ''
+ cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
+
+ cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
+ '';
+ }
+ ) config.security.acme.certs //
+ lib.attrsets.mapAttrs' (k: data:
+ lib.attrsets.nameValuePair "acme-${k}" {
+ serviceConfig.ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-pre-start" ''
+ #!${pkgs.runtimeShell} -e
+ mkdir -p '${data.webroot}/.well-known/acme-challenge'
+ chmod a+w '${data.webroot}/.well-known/acme-challenge'
+ #doesn't work for multiple concurrent runs
+ #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+ '';
+ in
+ "+${script}";
+ # This is a workaround to
+ # https://github.com/NixOS/nixpkgs/issues/84409
+ # https://github.com/NixOS/nixpkgs/issues/84633
+ serviceConfig.RemainAfterExit = lib.mkForce false;
+ serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
+ serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
+ serviceConfig.ExecStartPost =
+ let
+ keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
+ fileMode = if data.allowKeysForGroup then "640" else "600";
+ spath = "/var/lib/acme/${k}/.lego";
+ script = pkgs.writeScript "acme-post-start" ''
+ #!${pkgs.runtimeShell} -e
+ cd /var/lib/acme/${k}
+
+ # Test that existing cert is older than new cert
+ KEY=${spath}/certificates/${keyName}.key
+ if [ -e $KEY -a $KEY -nt key.pem ]; then
+ cp -p ${spath}/certificates/${keyName}.key key.pem
+ cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
+ cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
+ ln -sf fullchain.pem cert.pem
+ cat key.pem fullchain.pem > full.pem
+
+ ${data.postRun}
+ fi
+
+ chmod ${fileMode} *.pem
+ chown '${data.user}:${data.group}' *.pem
+ '';
+ in
+ lib.mkForce "+${script}";
+
+ }
+ ) config.security.acme.certs //
+ {
+ httpdProd = lib.mkIf config.services.httpd.Prod.enable
+ { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+ httpdTools = lib.mkIf config.services.httpd.Tools.enable
+ { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+ httpdInte = lib.mkIf config.services.httpd.Inte.enable
+ { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
};
};
}