blob: 2d245792919ed6c0b5b5f59fc375d224e7ea892d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
{ lib, pkgs, config, name, ... }:
{
options.myServices.certificates = {
enable = lib.mkEnableOption "enable certificates";
certConfig = lib.mkOption {
default = {
webroot = "${config.security.acme.directory}/acme-challenge";
email = "ismael@bouya.org";
postRun = builtins.concatStringsSep "\n" [
(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
(lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
];
plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
};
description = "Default configuration for certificates";
};
};
config = lib.mkIf config.myServices.certificates.enable {
services.duplyBackup.profiles.system.excludeFile = ''
+ ${config.security.acme.directory}
'';
services.nginx = {
recommendedTlsSettings = true;
virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
};
services.websites.certs = config.myServices.certificates.certConfig;
myServices.databasesCerts = config.myServices.certificates.certConfig;
myServices.ircCerts = config.myServices.certificates.certConfig;
security.acme.preliminarySelfsigned = true;
security.acme.certs = {
"${name}" = config.myServices.certificates.certConfig // {
domain = config.hostEnv.fqdn;
};
};
systemd.services = lib.attrsets.mapAttrs' (k: v:
lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
'') +
(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
'')
; })
) config.security.acme.certs // {
httpdProd = lib.mkIf config.services.httpd.Prod.enable
{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
httpdTools = lib.mkIf config.services.httpd.Tools.enable
{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
httpdInte = lib.mkIf config.services.httpd.Inte.enable
{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
};
};
}
|
