Make acme-challenge writable

[perso/Immae/Config/Nix.git] / modules / websites / default.nix

diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index 043fc6ecf619c0a51e8d57133649188af8afe777..e69080e9dc2ae14c43f785796c8379468e5aeb9c 100644 (file)
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -86,6 +86,17 @@ in
               };
             };
           };
+          vhostNoSSLConfs = mkOption {
+            default = {};
+            description = "List of no ssl vhosts to define for Apache";
+            type = attrsOf (submodule {
+              options = {
+                hosts    = mkOption { type = listOf string; };
+                root     = mkOption { type = nullOr path; };
+                extraConfig = mkOption { type = listOf lines; default = []; };
+              };
+            });
+          };
           vhostConfs = mkOption {
             default = {};
             description = "List of vhosts to define for Apache";
@@ -138,7 +149,7 @@ in
       serverAliases = [ "*" ];
       enableSSL = false;
       logFormat = "combinedVhost";
-      documentRoot = "${config.security.acme.directory}/acme-challenge";
+      documentRoot = "/var/lib/acme/acme-challenge";
       extraConfig = ''
         RewriteEngine on
         RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
@@ -167,9 +178,9 @@ in
     };
     toVhost = ips: vhostConf: {
       enableSSL = true;
-      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
-      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
-      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
+      sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem";
+      sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem";
+      sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem";
       logFormat = "combinedVhost";
       listen = map (ip: { inherit ip; port = 443; }) ips;
       hostName = builtins.head vhostConf.hosts;
@@ -177,6 +188,15 @@ in
       documentRoot = vhostConf.root;
       extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
     };
+    toVhostNoSSL = ips: vhostConf: {
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = builtins.head vhostConf.hosts;
+      serverAliases = builtins.tail vhostConf.hosts or [];
+      documentRoot = vhostConf.root;
+      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
+    };
   in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
     icfg.httpdName (mkIf icfg.enable {
       enable = true;
@@ -190,6 +210,7 @@ in
       extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
       virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
         ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
+        ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs)
         ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
         ++ [ (redirectVhost icfg.ips) ];
     })
@@ -202,7 +223,7 @@ in
     }
   ) cfg.env;
 
-  config.security.acme.certs = let
+  config.security.acme2.certs = let
     typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
     flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
       attrValues v.vhostConfs