]>
Commit | Line | Data |
---|---|---|
1 | { lib, pkgs, config, name, ... }: | |
2 | { | |
3 | options.myServices.certificates = { | |
4 | enable = lib.mkEnableOption "enable certificates"; | |
5 | certConfig = lib.mkOption { | |
6 | default = { | |
7 | webroot = "/var/lib/acme/acme-challenges"; | |
8 | email = "ismael@bouya.org"; | |
9 | postRun = builtins.concatStringsSep "\n" [ | |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | |
11 | (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service") | |
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | |
14 | ]; | |
15 | }; | |
16 | description = "Default configuration for certificates"; | |
17 | }; | |
18 | }; | |
19 | ||
20 | config = lib.mkIf config.myServices.certificates.enable { | |
21 | services.duplyBackup.profiles.system.excludeFile = '' | |
22 | + /var/lib/acme/acme-challenges | |
23 | ''; | |
24 | services.nginx = { | |
25 | recommendedTlsSettings = true; | |
26 | virtualHosts = { | |
27 | "${config.hostEnv.fqdn}" = { | |
28 | acmeRoot = config.security.acme.certs."${name}".webroot; | |
29 | useACMEHost = name; | |
30 | forceSSL = true; | |
31 | }; | |
32 | }; | |
33 | }; | |
34 | services.websites.certs = config.myServices.certificates.certConfig; | |
35 | myServices.databasesCerts = config.myServices.certificates.certConfig; | |
36 | myServices.ircCerts = config.myServices.certificates.certConfig; | |
37 | ||
38 | security.acme.acceptTerms = true; | |
39 | security.acme.preliminarySelfsigned = true; | |
40 | ||
41 | security.acme.certs = { | |
42 | "${name}" = config.myServices.certificates.certConfig // { | |
43 | domain = config.hostEnv.fqdn; | |
44 | }; | |
45 | }; | |
46 | ||
47 | systemd.services = lib.attrsets.mapAttrs' (k: v: | |
48 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' | |
49 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | |
50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | |
52 | ||
53 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | |
54 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | |
55 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | |
56 | ''; | |
57 | } | |
58 | ) config.security.acme.certs // | |
59 | lib.attrsets.mapAttrs' (k: data: | |
60 | lib.attrsets.nameValuePair "acme-${k}" { | |
61 | serviceConfig.ExecStartPre = | |
62 | let | |
63 | script = pkgs.writeScript "acme-pre-start" '' | |
64 | #!${pkgs.runtimeShell} -e | |
65 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | |
66 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | |
67 | #doesn't work for multiple concurrent runs | |
68 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | |
69 | ''; | |
70 | in | |
71 | "+${script}"; | |
72 | } | |
73 | ) config.security.acme.certs // | |
74 | { | |
75 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | |
76 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
77 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | |
78 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
79 | httpdInte = lib.mkIf config.services.httpd.Inte.enable | |
80 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | |
81 | }; | |
82 | }; | |
83 | } |