X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=9e60a093d1170fcbafa68709bdbccd83c175551a;hb=6e9f30f4c63fddc5ce886b26b7e4e9ca23a93111;hp=43f6a2343afafeba86880779f6aa66afc75c6447;hpb=8d213e2b1c934f6861f76aad5eb7c11097fa97de;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 43f6a23..9e60a09 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -1,29 +1,40 @@
-{ lib, pkgs, config,  ... }:
+{ lib, pkgs, config, name, ... }:
 {
-  options.services.myCertificates = {
+  options.myServices.certificates = {
+    enable = lib.mkEnableOption "enable certificates";
     certConfig = lib.mkOption {
       default = {
         webroot = "${config.security.acme.directory}/acme-challenge";
         email = "ismael@bouya.org";
-        postRun = ''
-          systemctl reload httpdTools.service httpdInte.service httpdProd.service
-        '';
+        postRun = builtins.concatStringsSep "\n" [
+          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
+          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
+          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
+          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+        ];
         plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
       };
       description = "Default configuration for certificates";
     };
   };
 
-  config = {
-    services.websitesCerts = config.services.myCertificates.certConfig;
-    myServices.databasesCerts = config.services.myCertificates.certConfig;
-    myServices.ircCerts = config.services.myCertificates.certConfig;
+  config = lib.mkIf config.myServices.certificates.enable {
+    services.duplyBackup.profiles.system.excludeFile = ''
+      + ${config.security.acme.directory}
+      '';
+    services.nginx = {
+      recommendedTlsSettings = true;
+      virtualHosts = { "${config.hostEnv.FQDN}" = { useACMEHost = name; forceSSL = true; }; };
+    };
+    services.websites.certs = config.myServices.certificates.certConfig;
+    myServices.databasesCerts = config.myServices.certificates.certConfig;
+    myServices.ircCerts = config.myServices.certificates.certConfig;
 
     security.acme.preliminarySelfsigned = true;
 
     security.acme.certs = {
-      "eldiron" = config.services.myCertificates.certConfig // {
-        domain = "eldiron.immae.eu";
+      "${name}" = config.myServices.certificates.certConfig // {
+        domain = config.hostEnv.FQDN;
       };
     };
 
@@ -41,12 +52,12 @@
         '')
       ; })
     ) config.security.acme.certs // {
-      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
-      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+      httpdProd = lib.mkIf config.services.httpd.Prod.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdTools = lib.mkIf config.services.httpd.Tools.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdInte = lib.mkIf config.services.httpd.Inte.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
     };
   };
 }