modules/private/certificates.nix

   1 { lib, pkgs, config, name, ... }:
   2 {
   3   options.myServices.certificates = {
   4     enable = lib.mkEnableOption "enable certificates";
   5     certConfig = lib.mkOption {
   6       default = {
   7         webroot = "/var/lib/acme/acme-challenge";
   8         email = "ismael@bouya.org";
   9         postRun = builtins.concatStringsSep "\n" [
  10           (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
  11           (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
  12           (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
  13           (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
  14         ];
  15       };
  16       description = "Default configuration for certificates";
  17     };
  18   };
  19
  20   config = lib.mkIf config.myServices.certificates.enable {
  21     services.duplyBackup.profiles.system.excludeFile = ''
  22       + /var/lib/acme/acme-challenge
  23       '';
  24     services.nginx = {
  25       recommendedTlsSettings = true;
  26       virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
  27     };
  28     services.websites.certs = config.myServices.certificates.certConfig;
  29     myServices.databasesCerts = config.myServices.certificates.certConfig;
  30     myServices.ircCerts = config.myServices.certificates.certConfig;
  31
  32     security.acme.acceptTerms = true;
  33     security.acme.preliminarySelfsigned = true;
  34
  35     security.acme.certs = {
  36       "${name}" = config.myServices.certificates.certConfig // {
  37         domain = config.hostEnv.fqdn;
  38       };
  39     };
  40
  41     systemd.services = lib.attrsets.mapAttrs' (k: v:
  42       lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
  43         cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
  44         chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
  45         chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
  46
  47         cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
  48         chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
  49         chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
  50         '';
  51       }
  52     ) config.security.acme.certs //
  53     lib.attrsets.mapAttrs' (k: data:
  54       lib.attrsets.nameValuePair "acme-${k}" {
  55         serviceConfig.ExecStartPre =
  56           let
  57             script = pkgs.writeScript "acme-pre-start" ''
  58               #!${pkgs.runtimeShell} -e
  59               mkdir -p '${data.webroot}/.well-known/acme-challenge'
  60               chmod a+w '${data.webroot}/.well-known/acme-challenge'
  61               #doesn't work for multiple concurrent runs
  62               #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
  63             '';
  64           in
  65             "+${script}";
  66       }
  67     ) config.security.acme.certs //
  68     {
  69       httpdProd = lib.mkIf config.services.httpd.Prod.enable
  70         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
  71       httpdTools = lib.mkIf config.services.httpd.Tools.enable
  72         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
  73       httpdInte = lib.mkIf config.services.httpd.Inte.enable
  74         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
  75     };
  76   };
  77 }