]>
Commit | Line | Data |
---|---|---|
1 | { lib, pkgs, config, name, ... }: | |
2 | { | |
3 | options.myServices.certificates = { | |
4 | enable = lib.mkEnableOption "enable certificates"; | |
5 | certConfig = lib.mkOption { | |
6 | default = { | |
7 | webroot = "/var/lib/acme/acme-challenge"; | |
8 | email = "ismael@bouya.org"; | |
9 | postRun = builtins.concatStringsSep "\n" [ | |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | |
11 | (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service") | |
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | |
14 | ]; | |
15 | }; | |
16 | description = "Default configuration for certificates"; | |
17 | }; | |
18 | }; | |
19 | ||
20 | config = lib.mkIf config.myServices.certificates.enable { | |
21 | services.duplyBackup.profiles.system.excludeFile = '' | |
22 | + /var/lib/acme/acme-challenge | |
23 | ''; | |
24 | services.nginx = { | |
25 | recommendedTlsSettings = true; | |
26 | virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; }; | |
27 | }; | |
28 | services.websites.certs = config.myServices.certificates.certConfig; | |
29 | myServices.databasesCerts = config.myServices.certificates.certConfig; | |
30 | myServices.ircCerts = config.myServices.certificates.certConfig; | |
31 | ||
32 | security.acme.acceptTerms = true; | |
33 | security.acme.preliminarySelfsigned = true; | |
34 | ||
35 | security.acme.certs = { | |
36 | "${name}" = config.myServices.certificates.certConfig // { | |
37 | domain = config.hostEnv.fqdn; | |
38 | }; | |
39 | }; | |
40 | ||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' | |
43 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | |
44 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | |
45 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | |
46 | ||
47 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | |
48 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | |
49 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | |
50 | ''; | |
51 | } | |
52 | ) config.security.acme.certs // | |
53 | lib.attrsets.mapAttrs' (k: data: | |
54 | lib.attrsets.nameValuePair "acme-${k}" { | |
55 | serviceConfig.ExecStartPre = | |
56 | let | |
57 | script = pkgs.writeScript "acme-pre-start" '' | |
58 | #!${pkgs.runtimeShell} -e | |
59 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | |
60 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | |
61 | #doesn't work for multiple concurrent runs | |
62 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | |
63 | ''; | |
64 | in | |
65 | "+${script}"; | |
66 | } | |
67 | ) config.security.acme.certs // | |
68 | { | |
69 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | |
70 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
71 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | |
72 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
73 | httpdInte = lib.mkIf config.services.httpd.Inte.enable | |
74 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
75 | }; | |
76 | }; | |
77 | } |