+++ /dev/null
-{ lib, pkgs, config, name, ... }:
-{
- options.myServices.certificates = {
- enable = lib.mkEnableOption "enable certificates";
- certConfig = lib.mkOption {
- default = {
- webroot = "/var/lib/acme/acme-challenges";
- email = "ismael@bouya.org";
- postRun = builtins.concatStringsSep "\n" [
- (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
- (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
- (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
- (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
- ];
- };
- description = "Default configuration for certificates";
- };
- };
-
- config = lib.mkIf config.myServices.certificates.enable {
- services.duplyBackup.profiles.system.excludeFile = ''
- + /var/lib/acme/acme-challenges
- '';
- services.nginx = {
- recommendedTlsSettings = true;
- virtualHosts = {
- "${config.hostEnv.fqdn}" = {
- acmeRoot = config.security.acme.certs."${name}".webroot;
- useACMEHost = name;
- forceSSL = true;
- };
- };
- };
- services.websites.certs = config.myServices.certificates.certConfig;
- myServices.databasesCerts = config.myServices.certificates.certConfig;
- myServices.ircCerts = config.myServices.certificates.certConfig;
-
- security.acme.acceptTerms = true;
- security.acme.preliminarySelfsigned = true;
-
- security.acme.certs = {
- "${name}" = config.myServices.certificates.certConfig // {
- domain = config.hostEnv.fqdn;
- };
- };
-
- systemd.services = lib.attrsets.mapAttrs' (k: v:
- lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
- cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
- chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-
- cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
- chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
- '';
- }
- ) config.security.acme.certs //
- lib.attrsets.mapAttrs' (k: data:
- lib.attrsets.nameValuePair "acme-${k}" {
- serviceConfig.ExecStartPre =
- let
- script = pkgs.writeScript "acme-pre-start" ''
- #!${pkgs.runtimeShell} -e
- mkdir -p '${data.webroot}/.well-known/acme-challenge'
- chmod a+w '${data.webroot}/.well-known/acme-challenge'
- #doesn't work for multiple concurrent runs
- #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
- '';
- in
- "+${script}";
- # This is a workaround to
- # https://github.com/NixOS/nixpkgs/issues/84409
- # https://github.com/NixOS/nixpkgs/issues/84633
- serviceConfig.RemainAfterExit = lib.mkForce false;
- serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
- serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
- serviceConfig.ExecStartPost =
- let
- keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
- fileMode = if data.allowKeysForGroup then "640" else "600";
- spath = "/var/lib/acme/${k}/.lego";
- script = pkgs.writeScript "acme-post-start" ''
- #!${pkgs.runtimeShell} -e
- cd /var/lib/acme/${k}
-
- # Test that existing cert is older than new cert
- KEY=${spath}/certificates/${keyName}.key
- if [ -e $KEY -a $KEY -nt key.pem ]; then
- cp -p ${spath}/certificates/${keyName}.key key.pem
- cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
- cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
- ln -sf fullchain.pem cert.pem
- cat key.pem fullchain.pem > full.pem
-
- ${data.postRun}
- fi
-
- chmod ${fileMode} *.pem
- chown '${data.user}:${data.group}' *.pem
- '';
- in
- lib.mkForce "+${script}";
-
- }
- ) config.security.acme.certs //
- {
- httpdProd = lib.mkIf config.services.httpd.Prod.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- httpdTools = lib.mkIf config.services.httpd.Tools.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- httpdInte = lib.mkIf config.services.httpd.Inte.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- };
- };
-}