authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-16 23:23:05 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-17 00:04:47 +0200
commit7df420c27ebe7daaa4fd099c457ce9a9075b840e (patch)
treeec41e01e9331652c09dc4f2ed4186ce5952c3882 /modules/websites
parent52f45eb051df228955add90ca62de66a7ed8af34 (diff)
downloadNix-7df420c27ebe7daaa4fd099c457ce9a9075b840e.tar.gz
Nix-7df420c27ebe7daaa4fd099c457ce9a9075b840e.tar.zst
Nix-7df420c27ebe7daaa4fd099c457ce9a9075b840e.zip
Add certificate creation and handling to websites
Diffstat (limited to 'modules/websites')
-rw-r--r--modules/websites/default.nix51
1 files changed, 51 insertions, 0 deletions
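--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -3,6 +3,9 @@ let
   cfg = config.services.websites;
 in
 {
+  options.services.websitesCerts = mkOption {
+    description = "Default websites configuration for certificates as accepted by acme";
+  };
   options.services.websites = with types; mkOption {
     default = {};
     description = "Each type of website to enable will target a distinct httpd server";
@@ -72,6 +75,16 @@ in
         type = attrsOf (submodule {
           options = {
             certName = mkOption { type = string; };
+            addToCerts = mkOption {
+              type = bool;
+              default = false;
+              description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
+            };
+            certMainHost = mkOption {
+              type = nullOr string;
+              description = "Use that host as 'main host' for acme certs";
+              default = null;
+            };
             hosts = mkOption { type = listOf string; };
             root = mkOption { type = nullOr path; };
             extraConfig = mkOption { type = listOf lines; default = []; };
@@ -145,4 +158,42 @@ in
           ++ [ (redirectVhost icfg.ips) ];
       })
     ) cfg;
+
+  config.security.acme.certs = let
+    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
+    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
+      attrValues v.vhostConfs
+    ) typesToManage);
+    groupedCerts = attrsets.filterAttrs
+      (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
+      (lists.groupBy (v: v.certName) flatVhosts);
+    groupToDomain = group:
+      let
+        nonNull = builtins.filter (v: !isNull v.certMainHost) group;
+        domains = lists.unique (map (v: v.certMainHost) nonNull);
+      in
+      if builtins.length domains == 0
+      then null
+      else assert (builtins.length domains == 1); (elemAt domains 0);
+    extraDomains = group:
+      let
+        mainDomain = groupToDomain group;
+      in
+      lists.remove mainDomain (
+        lists.unique (
+          lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
+        )
+      );
+  in attrsets.mapAttrs (k: g:
+    if (!isNull (groupToDomain g))
+    then config.services.websitesCerts // {
+      domain = groupToDomain g;
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+    else {
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+  ) groupedCerts;
 }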
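Review bot: The new `options.services.websitesCerts` option in the first hunk declares neither a `type` nor a `default`, so the `config.services.websitesCerts // { … }` read in the last hunk aborts evaluation with an "option used but not defined" error as soon as any vhost sets `certMainHost` while nothing else defines the option, and without a type the option gives no hint of the attrset shape acme expects. I would add `type = attrs;` and `default = {};` inside that mkOption. In the last hunk, `assert (builtins.length domains == 1)` fails with a bare assertion error when two vhosts sharing a `certName` disagree on `certMainHost`; a `throw` that names the offending cert would point the operator at the misconfiguration instead. The `else` branch returns only `extraDomains` and skips the `websitesCerts` defaults; if that is intended to extend a cert declared elsewhere via module merging, a one-line comment saying so would help, since otherwise that cert would be missing its webroot/email settings. The `addToCerts` description "Use these to certificates" presumably means "Use these hosts for certificates".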