X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=f057200263416c9aeaa33d20c80b20c4f19e4098;hb=HEAD;hp=82ff52f04ba0f437966e6fdbff7472cb2bf6e645;hpb=258dd18bac4bf5dd03cf1098ffa35cb954f9e015;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
deleted file mode 100644
index 82ff52f..0000000
--- a/modules/private/certificates.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, pkgs, config, name, ... }:
-{
- options.myServices.certificates = {
- enable = lib.mkEnableOption "enable certificates";
- certConfig = lib.mkOption {
- default = {
- webroot = "/var/lib/acme/acme-challenge";
- email = "ismael@bouya.org";
- postRun = builtins.concatStringsSep "\n" [
- (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
- (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
- (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
- (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
- ];
- };
- description = "Default configuration for certificates";
- };
- };
-
- config = lib.mkIf config.myServices.certificates.enable {
- services.duplyBackup.profiles.system.excludeFile = ''
- + /var/lib/acme/acme-challenge
- '';
- services.nginx = {
- recommendedTlsSettings = true;
- virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
- };
- services.websites.certs = config.myServices.certificates.certConfig;
- myServices.databasesCerts = config.myServices.certificates.certConfig;
- myServices.ircCerts = config.myServices.certificates.certConfig;
-
- security.acme.acceptTerms = true;
- security.acme.preliminarySelfsigned = true;
-
- security.acme.certs = {
- "${name}" = config.myServices.certificates.certConfig // {
- domain = config.hostEnv.fqdn;
- };
- };
-
- systemd.services = lib.attrsets.mapAttrs' (k: v:
- lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
- cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
- chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-
- cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
- chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
- '';
- }
- ) config.security.acme.certs //
- lib.attrsets.mapAttrs' (k: data:
- lib.attrsets.nameValuePair "acme-${k}" {
- serviceConfig.ExecStartPre =
- let
- script = pkgs.writeScript "acme-pre-start" ''
- #!${pkgs.runtimeShell} -e
- mkdir -p '${data.webroot}/.well-known/acme-challenge'
- chmod a+w '${data.webroot}/.well-known/acme-challenge'
- #doesn't work for multiple concurrent runs
- #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
- '';
- in
- "+${script}";
- }
- ) config.security.acme.certs //
- {
- httpdProd = lib.mkIf config.services.httpd.Prod.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- httpdTools = lib.mkIf config.services.httpd.Tools.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- httpdInte = lib.mkIf config.services.httpd.Inte.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- };
- };
-}