X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=c68bbee5f585d4bdf69376a687180c9cf9e92e78;hb=3ffa15baf832f5b94cfd8d1b978eaa42f4102e07;hp=2e40b3cd7a7f27f2febb40ef2075a310036173a8;hpb=29f8cb850d74b456d6481a456311bbf5361d328c;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2e40b3c..c68bbee 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix @@ -1,52 +1,83 @@ -{ lib, pkgs, config, ... }: +{ lib, pkgs, config, name, ... }: { - options.services.myCertificates = { + options.myServices.certificates = { + enable = lib.mkEnableOption "enable certificates"; certConfig = lib.mkOption { default = { - webroot = "${config.security.acme.directory}/acme-challenge"; + webroot = "/var/lib/acme/acme-challenges"; email = "ismael@bouya.org"; - postRun = '' - systemctl reload httpdTools.service httpdInte.service httpdProd.service - ''; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; + postRun = builtins.concatStringsSep "\n" [ + (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") + (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service") + (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") + (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") + ]; }; description = "Default configuration for certificates"; }; }; - config = { - services.websites.certs = config.services.myCertificates.certConfig; - myServices.databasesCerts = config.services.myCertificates.certConfig; - myServices.ircCerts = config.services.myCertificates.certConfig; + config = lib.mkIf config.myServices.certificates.enable { + services.duplyBackup.profiles.system.excludeFile = '' + + /var/lib/acme/acme-challenges + ''; + services.nginx = { + recommendedTlsSettings = true; + virtualHosts = { + "${config.hostEnv.fqdn}" = { + acmeRoot = config.security.acme.certs."${name}".webroot; + useACMEHost = name; + forceSSL = true; + }; + }; + }; + services.websites.certs = config.myServices.certificates.certConfig; + myServices.databasesCerts = config.myServices.certificates.certConfig; + myServices.ircCerts = config.myServices.certificates.certConfig; + security.acme.acceptTerms = true; security.acme.preliminarySelfsigned = true; security.acme.certs = { - "eldiron" = config.services.myCertificates.certConfig // { - domain = "eldiron.immae.eu"; + "${name}" = config.myServices.certificates.certConfig // { + domain = config.hostEnv.fqdn; }; }; systemd.services = lib.attrsets.mapAttrs' (k: v: - lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = - (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' - cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem - chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem - '') + - (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' - cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem - chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem - '') - ; }) - ) config.security.acme.certs // { - httpdProd.after = [ "acme-selfsigned-certificates.target" ]; - httpdProd.wants = [ "acme-selfsigned-certificates.target" ]; - httpdTools.after = [ "acme-selfsigned-certificates.target" ]; - httpdTools.wants = [ "acme-selfsigned-certificates.target" ]; - httpdInte.after = [ "acme-selfsigned-certificates.target" ]; - httpdInte.wants = [ "acme-selfsigned-certificates.target" ]; + lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' + cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem + + cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem + ''; + } + ) config.security.acme.certs // + lib.attrsets.mapAttrs' (k: data: + lib.attrsets.nameValuePair "acme-${k}" { + serviceConfig.ExecStartPre = + let + script = pkgs.writeScript "acme-pre-start" '' + #!${pkgs.runtimeShell} -e + mkdir -p '${data.webroot}/.well-known/acme-challenge' + chmod a+w '${data.webroot}/.well-known/acme-challenge' + #doesn't work for multiple concurrent runs + #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' + ''; + in + "+${script}"; + } + ) config.security.acme.certs // + { + httpdProd = lib.mkIf config.services.httpd.Prod.enable + { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; + httpdTools = lib.mkIf config.services.httpd.Tools.enable + { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; + httpdInte = lib.mkIf config.services.httpd.Inte.enable + { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; }; }; }