From 6e9f30f4c63fddc5ce886b26b7e4e9ca23a93111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Sun, 5 Jan 2020 17:09:33 +0100
Subject: Add status page for monitoring host

---
 modules/private/certificates.nix | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

(limited to 'modules/private/certificates.nix')

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 337a7fc..9e60a09 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config,  ... }:
+{ lib, pkgs, config, name, ... }:
 {
   options.myServices.certificates = {
     enable = lib.mkEnableOption "enable certificates";
@@ -6,9 +6,12 @@
       default = {
         webroot = "${config.security.acme.directory}/acme-challenge";
         email = "ismael@bouya.org";
-        postRun = ''
-          systemctl reload httpdTools.service httpdInte.service httpdProd.service
-        '';
+        postRun = builtins.concatStringsSep "\n" [
+          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
+          (lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
+          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
+          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+        ];
         plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
       };
       description = "Default configuration for certificates";
@@ -19,6 +22,10 @@
     services.duplyBackup.profiles.system.excludeFile = ''
       + ${config.security.acme.directory}
       '';
+    services.nginx = {
+      recommendedTlsSettings = true;
+      virtualHosts = { "${config.hostEnv.FQDN}" = { useACMEHost = name; forceSSL = true; }; };
+    };
     services.websites.certs = config.myServices.certificates.certConfig;
     myServices.databasesCerts = config.myServices.certificates.certConfig;
     myServices.ircCerts = config.myServices.certificates.certConfig;
@@ -26,8 +33,8 @@
     security.acme.preliminarySelfsigned = true;
 
     security.acme.certs = {
-      "eldiron" = config.myServices.certificates.certConfig // {
-        domain = "eldiron.immae.eu";
+      "${name}" = config.myServices.certificates.certConfig // {
+        domain = config.hostEnv.FQDN;
       };
     };
 
@@ -45,12 +52,12 @@
         '')
       ; })
     ) config.security.acme.certs // {
-      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
-      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+      httpdProd = lib.mkIf config.services.httpd.Prod.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdTools = lib.mkIf config.services.httpd.Tools.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+      httpdInte = lib.mkIf config.services.httpd.Inte.enable
+        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
     };
   };
 }
-- 
cgit v1.2.3