-{ lib, pkgs, config, mylibs, ... }:
+{ lib, pkgs, config, ... }:
{
options.services.myCertificates = {
certConfig = lib.mkOption {
default = {
- webroot = "/var/lib/acme/acme-challenge";
+ webroot = "${config.security.acme.directory}/acme-challenge";
email = "ismael@bouya.org";
postRun = ''
systemctl reload httpdTools.service httpdInte.service httpdProd.service
};
config = {
+ services.websitesCerts = config.services.myCertificates.certConfig;
+ myServices.databasesCerts = config.services.myCertificates.certConfig;
+ myServices.ircCerts = config.services.myCertificates.certConfig;
+
security.acme.preliminarySelfsigned = true;
security.acme.certs = {
domain = "eldiron.immae.eu";
};
};
+
+ systemd.services = lib.attrsets.mapAttrs' (k: v:
+ lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
+ (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
+ cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
+ '') +
+ (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
+ cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
+ '')
+ ; })
+ ) config.security.acme.certs // {
+ httpdProd.after = [ "acme-selfsigned-certificates.target" ];
+ httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
+ httpdTools.after = [ "acme-selfsigned-certificates.target" ];
+ httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
+ httpdInte.after = [ "acme-selfsigned-certificates.target" ];
+ httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+ };
};
}