X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=f057200263416c9aeaa33d20c80b20c4f19e4098;hb=HEAD;hp=b9c0860bc08c53b583697f9539df1309ad1728b6;hpb=2fe37e4945c19d25ec65fb1591ee010a97d8bf80;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
deleted file mode 100644
index b9c0860..0000000
--- a/modules/private/certificates.nix
+++ /dev/null
@@ -1,118 +0,0 @@
-{ lib, pkgs, config, name, ... }:
-{
-  options.myServices.certificates = {
-    enable = lib.mkEnableOption "enable certificates";
-    certConfig = lib.mkOption {
-      default = {
-        webroot = "/var/lib/acme/acme-challenges";
-        email = "ismael@bouya.org";
-        postRun = builtins.concatStringsSep "\n" [
-          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
-          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
-          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
-          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
-        ];
-      };
-      description = "Default configuration for certificates";
-    };
-  };
-
-  config = lib.mkIf config.myServices.certificates.enable {
-    services.duplyBackup.profiles.system.excludeFile = ''
-      + /var/lib/acme/acme-challenges
-      '';
-    services.nginx = {
-      recommendedTlsSettings = true;
-      virtualHosts = {
-        "${config.hostEnv.fqdn}" = {
-          acmeRoot = config.security.acme.certs."${name}".webroot;
-          useACMEHost = name;
-          forceSSL = true;
-        };
-      };
-    };
-    services.websites.certs = config.myServices.certificates.certConfig;
-    myServices.databasesCerts = config.myServices.certificates.certConfig;
-    myServices.ircCerts = config.myServices.certificates.certConfig;
-
-    security.acme.acceptTerms = true;
-    security.acme.preliminarySelfsigned = true;
-
-    security.acme.certs = {
-      "${name}" = config.myServices.certificates.certConfig // {
-        domain = config.hostEnv.fqdn;
-      };
-    };
-
-    systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
-          wantedBy = [ "acme-selfsigned-certificates.target" ];
-          script = lib.mkAfter ''
-          cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
-          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
-          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-
-          cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
-          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
-          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-          '';
-        }
-      ) config.security.acme.certs //
-    lib.attrsets.mapAttrs' (k: data:
-      lib.attrsets.nameValuePair "acme-${k}" {
-        serviceConfig.ExecStartPre =
-          let
-            script = pkgs.writeScript "acme-pre-start" ''
-              #!${pkgs.runtimeShell} -e
-              mkdir -p '${data.webroot}/.well-known/acme-challenge'
-              chmod a+w '${data.webroot}/.well-known/acme-challenge'
-              #doesn't work for multiple concurrent runs
-              #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
-            '';
-          in
-          "+${script}";
-        # This is a workaround to
-        # https://github.com/NixOS/nixpkgs/issues/84409
-        # https://github.com/NixOS/nixpkgs/issues/84633
-        serviceConfig.RemainAfterExit = lib.mkForce false;
-        serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
-        serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
-        serviceConfig.ExecStartPost =
-          let
-            keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
-            fileMode = if data.allowKeysForGroup then "640" else "600";
-            spath = "/var/lib/acme/${k}/.lego";
-            script = pkgs.writeScript "acme-post-start" ''
-              #!${pkgs.runtimeShell} -e
-              cd /var/lib/acme/${k}
-
-              # Test that existing cert is older than new cert
-              KEY=${spath}/certificates/${keyName}.key
-              if [ -e $KEY -a $KEY -nt key.pem ]; then
-                cp -p ${spath}/certificates/${keyName}.key key.pem
-                cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
-                cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
-                ln -sf fullchain.pem cert.pem
-                cat key.pem fullchain.pem > full.pem
-
-                ${data.postRun}
-              fi
-
-              chmod ${fileMode} *.pem
-              chown '${data.user}:${data.group}' *.pem
-            '';
-          in
-            lib.mkForce "+${script}";
-
-      }
-    ) config.security.acme.certs //
-    {
-      httpdProd = lib.mkIf config.services.httpd.Prod.enable
-        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
-      httpdTools = lib.mkIf config.services.httpd.Tools.enable
-        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
-      httpdInte = lib.mkIf config.services.httpd.Inte.enable
-        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
-    };
-  };
-}