[perso/Immae/Config/Nix.git] / modules / private / certificates.nix

{ lib, pkgs, config, name, ... }:
{
  options.myServices.certificates = {
    enable = lib.mkEnableOption "enable certificates";
    certConfig = lib.mkOption {
      default = {
        webroot = "/var/lib/acme/acme-challenge";
        email = "ismael@bouya.org";
        postRun = builtins.concatStringsSep "\n" [
          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
      };
      description = "Default configuration for certificates";
    };
  };

  config = lib.mkIf config.myServices.certificates.enable {
    services.duplyBackup.profiles.system.excludeFile = ''
      + /var/lib/acme/acme-challenge
      '';
    services.nginx = {
      recommendedTlsSettings = true;
      virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
    };
    services.websites.certs = config.myServices.certificates.certConfig;
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;

    security.acme.acceptTerms = true;
    security.acme.preliminarySelfsigned = true;

    security.acme.certs = {
      "${name}" = config.myServices.certificates.certConfig // {
        domain = config.hostEnv.fqdn;
      };
    };

    systemd.services = lib.attrsets.mapAttrs' (k: v:
      lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
        cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem

        cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
        '';
      }
    ) config.security.acme.certs //
    lib.attrsets.mapAttrs' (k: data:
      lib.attrsets.nameValuePair "acme-${k}" {
        serviceConfig.ExecStartPre =
          let
            script = pkgs.writeScript "acme-pre-start" ''
              #!${pkgs.runtimeShell} -e
              mkdir -p '${data.webroot}/.well-known/acme-challenge'
              chmod a+w '${data.webroot}/.well-known/acme-challenge'
              #doesn't work for multiple concurrent runs
              #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
            '';
          in
            "+${script}";
      }
    ) config.security.acme.certs //
    {
      httpdProd = lib.mkIf config.services.httpd.Prod.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdTools = lib.mkIf config.services.httpd.Tools.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdInte = lib.mkIf config.services.httpd.Inte.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
    };
  };
}
Commit	Line	Data
6e9f30f4	1	{ lib, pkgs, config, name, ... }:
3013caf1	2	{
8415083e IB	3	options.myServices.certificates = {
8415083e IB	4	enable = lib.mkEnableOption "enable certificates";
3013caf1 IB	5	certConfig = lib.mkOption {
3013caf1 IB	6	default = {
981fa803	7	webroot = "/var/lib/acme/acme-challenge";
3013caf1	8	email = "ismael@bouya.org";
6e9f30f4 IB	9	postRun = builtins.concatStringsSep "\n" [
	10	(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
	11	(lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
	12	(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
	13	(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
	14	];
3013caf1 IB	15	};
	16	description = "Default configuration for certificates";
	17	};
	18	};
	19
8415083e	20	config = lib.mkIf config.myServices.certificates.enable {
d2e703c5	21	services.duplyBackup.profiles.system.excludeFile = ''
981fa803	22	+ /var/lib/acme/acme-challenge
6a8252b1	23	'';
6e9f30f4 IB	24	services.nginx = {
6e9f30f4 IB	25	recommendedTlsSettings = true;
619e4f46	26	virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
6e9f30f4	27	};
8415083e IB	28	services.websites.certs = config.myServices.certificates.certConfig;
	29	myServices.databasesCerts = config.myServices.certificates.certConfig;
	30	myServices.ircCerts = config.myServices.certificates.certConfig;
7df420c2	31
258dd18b	32	security.acme.acceptTerms = true;
5400b9b6	33	security.acme.preliminarySelfsigned = true;
3013caf1	34
5400b9b6	35	security.acme.certs = {
6e9f30f4	36	"${name}" = config.myServices.certificates.certConfig // {
619e4f46	37	domain = config.hostEnv.fqdn;
3013caf1 IB	38	};
3013caf1 IB	39	};
017cb76f IB	40
017cb76f IB	41	systemd.services = lib.attrsets.mapAttrs' (k: v:
258dd18b	42	lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
5400b9b6 IB	43	cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
	44	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
	45	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
258dd18b	46
5400b9b6 IB	47	cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
	48	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
	49	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
258dd18b IB	50	'';
258dd18b IB	51	}
5400b9b6 IB	52	) config.security.acme.certs //
	53	lib.attrsets.mapAttrs' (k: data:
	54	lib.attrsets.nameValuePair "acme-${k}" {
	55	serviceConfig.ExecStartPre =
	56	let
	57	script = pkgs.writeScript "acme-pre-start" ''
	58	#!${pkgs.runtimeShell} -e
	59	mkdir -p '${data.webroot}/.well-known/acme-challenge'
	60	chmod a+w '${data.webroot}/.well-known/acme-challenge'
	61	#doesn't work for multiple concurrent runs
	62	#chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
	63	'';
	64	in
	65	"+${script}";
	66	}
	67	) config.security.acme.certs //
	68	{
6e9f30f4 IB	69	httpdProd = lib.mkIf config.services.httpd.Prod.enable
	70	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
	71	httpdTools = lib.mkIf config.services.httpd.Tools.enable
	72	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
	73	httpdInte = lib.mkIf config.services.httpd.Inte.enable
	74	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
017cb76f	75	};
3013caf1 IB	76	};
3013caf1 IB	77	}