1 { lib, pkgs, config, name, ... }:
3 options.myServices.certificates = {
4 enable = lib.mkEnableOption "enable certificates";
5 certConfig = lib.mkOption {
7 webroot = "/var/lib/acme/acme-challenge";
8 email = "ismael@bouya.org";
9 postRun = builtins.concatStringsSep "\n" [
10 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
11 (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
12 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
13 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
15 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
17 description = "Default configuration for certificates";
21 config = lib.mkIf config.myServices.certificates.enable {
22 services.duplyBackup.profiles.system.excludeFile = ''
23 + /var/lib/acme/acme-challenge
26 recommendedTlsSettings = true;
27 virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
29 services.websites.certs = config.myServices.certificates.certConfig;
30 myServices.databasesCerts = config.myServices.certificates.certConfig;
31 myServices.ircCerts = config.myServices.certificates.certConfig;
33 security.acme.preliminarySelfsigned = true;
35 security.acme.certs = {
36 "${name}" = config.myServices.certificates.certConfig // {
37 domain = config.hostEnv.fqdn;
41 systemd.services = lib.attrsets.mapAttrs' (k: v:
42 lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
43 (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
44 cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
45 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
46 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
48 (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
49 cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
50 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
51 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
54 ) config.security.acme.certs //
55 lib.attrsets.mapAttrs' (k: data:
56 lib.attrsets.nameValuePair "acme-${k}" {
57 serviceConfig.ExecStartPre =
59 script = pkgs.writeScript "acme-pre-start" ''
60 #!${pkgs.runtimeShell} -e
61 mkdir -p '${data.webroot}/.well-known/acme-challenge'
62 chmod a+w '${data.webroot}/.well-known/acme-challenge'
63 #doesn't work for multiple concurrent runs
64 #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
69 ) config.security.acme.certs //
71 httpdProd = lib.mkIf config.services.httpd.Prod.enable
72 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
73 httpdTools = lib.mkIf config.services.httpd.Tools.enable
74 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
75 httpdInte = lib.mkIf config.services.httpd.Inte.enable
76 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };