X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=f057200263416c9aeaa33d20c80b20c4f19e4098;hb=981fa80354fd6f00f49446777c38f77bd8a65f65;hp=9de3e6d7b1c82cdae432f6e72a7f6b05b655dad7;hpb=8415083eb6acc343dfa404dbbc12fa0171a48a20;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 9de3e6d..f057200 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -1,56 +1,63 @@
-{ lib, pkgs, config,  ... }:
+{ lib, pkgs, config, name, ... }:
 {
   options.myServices.certificates = {
     enable = lib.mkEnableOption "enable certificates";
     certConfig = lib.mkOption {
       default = {
-        webroot = "${config.security.acme.directory}/acme-challenge";
+        webroot = "/var/lib/acme/acme-challenge";
         email = "ismael@bouya.org";
-        postRun = ''
-          systemctl reload httpdTools.service httpdInte.service httpdProd.service
-        '';
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+        postRun = builtins.concatStringsSep "\n" [
+          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
+          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
+          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
+          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+        ];
+        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
       };
       description = "Default configuration for certificates";
     };
   };
 
   config = lib.mkIf config.myServices.certificates.enable {
-    services.backup.profiles.system.excludeFile = ''
-      + ${config.security.acme.directory}
+    services.duplyBackup.profiles.system.excludeFile = ''
+      + /var/lib/acme/acme-challenge
       '';
+    services.nginx = {
+      recommendedTlsSettings = true;
+      virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
+    };
     services.websites.certs = config.myServices.certificates.certConfig;
     myServices.databasesCerts = config.myServices.certificates.certConfig;
     myServices.ircCerts = config.myServices.certificates.certConfig;
 
-    security.acme.preliminarySelfsigned = true;
+    security.acme2.preliminarySelfsigned = true;
 
-    security.acme.certs = {
-      "eldiron" = config.myServices.certificates.certConfig // {
-        domain = "eldiron.immae.eu";
+    security.acme2.certs = {
+      "${name}" = config.myServices.certificates.certConfig // {
+        domain = config.hostEnv.fqdn;
       };
     };
 
     systemd.services = lib.attrsets.mapAttrs' (k: v:
       lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
         (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
-        cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
+        cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem
+        chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem
         '') +
         (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
-        cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
+        cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem
+        chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem
         '')
       ; })
-    ) config.security.acme.certs // {
-      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
-      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+    ) config.security.acme2.certs // {
+      httpdProd = lib.mkIf config.services.httpd.Prod.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdTools = lib.mkIf config.services.httpd.Tools.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdInte = lib.mkIf config.services.httpd.Inte.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
     };
   };
 }