{ lib, pkgs, config, ... }:
# NixOS module: central defaults for ACME certificates on this host.
#
# When enabled it
#   * exposes a shared `certConfig` attrset that other modules of this
#     repository (websites, databases, irc) receive verbatim,
#   * declares the "eldiron" ACME certificate from those defaults,
#   * excludes the ACME directory from the system backup profile,
#   * turns on preliminary self-signed certificates and extends each
#     `acme-selfsigned-<name>` unit so the generated cert/chain are copied
#     into the ACME directory with the certificate's owner and mode,
#   * makes the three httpd units wait for the self-signed target.
let
  cfg = config.myServices.certificates;
  acmeDir = config.security.acme.directory;

  # Shell snippet publishing one file from the self-signed working
  # directory into `<acmeDir>/<name>/<dst>`, owned by the certificate's
  # user:group.  Group access is granted only when `allowKeysForGroup`
  # is set for that certificate.
  # `$workdir` is a shell variable of the surrounding unit script; it is
  # not defined here (presumably set by the NixOS acme-selfsigned unit —
  # verify against the acme module in use).
  # NOTE(review): 750/700 are directory-style modes; the execute bit is
  # not needed on a .pem file (640/600 would be the file equivalent).
  # Kept as-is to preserve behavior — confirm intent before changing.
  publishSelfsigned = name: cert: src: dst:
    let
      target = "${acmeDir}/${name}/${dst}";
      mode = if cert.allowKeysForGroup then "750" else "700";
    in ''
      cp $workdir/${src} ${target}
      chown '${cert.user}:${cert.group}' ${target}
      chmod ${mode} ${target}
    '';

  # Script fragment for one certificate: copy only the artefacts that
  # the certificate's `plugins` list asks for (cert.pem and chain.pem).
  # The private key is intentionally not touched here.
  selfsignedScript = name: cert:
    lib.optionalString (builtins.elem "cert.pem" cert.plugins)
      (publishSelfsigned name cert "server.crt" "cert.pem")
    + lib.optionalString (builtins.elem "chain.pem" cert.plugins)
      (publishSelfsigned name cert "ca.crt" "chain.pem");

  # Ordering applied to every httpd unit so it starts after the
  # self-signed certificates exist.
  waitForSelfsigned = {
    after = [ "acme-selfsigned-certificates.target" ];
    wants = [ "acme-selfsigned-certificates.target" ];
  };
in
{
  options.myServices.certificates = {
    enable = lib.mkEnableOption "enable certificates";

    # Defaults handed to every consumer of certificates on this host.
    # `postRun` reloads the three httpd instances after a renewal.
    certConfig = lib.mkOption {
      description = "Default configuration for certificates";
      default = {
        webroot = "${acmeDir}/acme-challenge";
        email = "ismael@bouya.org";
        postRun = ''
          systemctl reload httpdTools.service httpdInte.service httpdProd.service
        '';
        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Keep the ACME state directory (keys included) out of the system
    # backup profile.
    services.backup.profiles.system.excludeFile = ''
      + ${acmeDir}
    '';

    # Propagate the shared defaults to the other modules of this repo.
    services.websites.certs = cfg.certConfig;
    myServices.databasesCerts = cfg.certConfig;
    myServices.ircCerts = cfg.certConfig;

    # Let dependent services start on a self-signed certificate before
    # the real one has been obtained.
    security.acme.preliminarySelfsigned = true;

    security.acme.certs.eldiron = cfg.certConfig // {
      domain = "eldiron.immae.eu";
    };

    systemd.services =
      let
        # One `acme-selfsigned-<name>` override per declared certificate.
        # mkBefore is applied to the whole definition; the module system
        # pushes the ordering down to `script`, so the copy runs ahead of
        # whatever script the acme module itself defines for the unit.
        selfsignedUnits = lib.mapAttrs' (name: cert:
          lib.nameValuePair "acme-selfsigned-${name}"
            (lib.mkBefore { script = selfsignedScript name cert; })
        ) config.security.acme.certs;
      in
      selfsignedUnits // {
        httpdProd = waitForSelfsigned;
        httpdTools = waitForSelfsigned;
        httpdInte = waitForSelfsigned;
      };
  };
}