selfhostblocks/modules/ssl.nix

62 lines
1.6 KiB
Nix
Raw Normal View History

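{ config, pkgs, lib, ... }:
# NixOS module: obtains a wildcard TLS certificate for `shb.ssl.domain`
# through ACME, validating ownership with the DNS-01 challenge against
# Linode and sourcing the Linode API token from a sops-encrypted file.
let
  cfg = config.shb.ssl;
in
{
  options.shb.ssl = {
    enable = lib.mkEnableOption "selfhostblocks.ssl";

    sopsFile = lib.mkOption {
      type = lib.types.path;
      description = "Sops file location";
      example = "secrets/haproxy.yaml";
    };

    domain = lib.mkOption {
      description = lib.mdDoc "Domain to serve sites under.";
      type = lib.types.str;
      example = "domain.com";
    };

    adminEmail = lib.mkOption {
      description = lib.mdDoc "Admin email in case certificate retrieval goes wrong.";
      type = lib.types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    # The nginx service user is added to the ACME group — presumably so it
    # can read the issued certificate files; confirm against the acme
    # module's file permissions.
    users.users.${config.services.nginx.user} = {
      isSystemUser = true;
      group = "nginx";
      extraGroups = [ config.security.acme.defaults.group ];
    };
    # Primary group assigned to the user above. Fixed from the typo "ngins",
    # which declared an unrelated group and left "nginx" undeclared here.
    users.groups.nginx = {};

    security.acme = {
      acceptTerms = true;
      # A single certificate covering the apex name and every first-level
      # subdomain.
      certs."${cfg.domain}" = {
        extraDomainNames = [ "*.${cfg.domain}" ];
      };
      defaults = {
        email = cfg.adminEmail;
        # Wildcard names can only be validated via the DNS-01 challenge, so a
        # DNS provider is mandatory; Linode is the only one wired up here.
        dnsProvider = "linode";
        dnsResolver = "8.8.8.8";
        # For example, to use Linode to prove the dns challenge,
        # the content of the file should be the following, with
        # XXX replaced by your Linode API token.
        # LINODE_HTTP_TIMEOUT=10
        # LINODE_POLLING_INTERVAL=10
        # LINODE_PROPAGATION_TIMEOUT=240
        # LINODE_TOKEN=XXX
        # Must match where the `linode` sops secret declared below is placed
        # (this is sops-nix's default location for a secret of that name).
        credentialsFile = "/run/secrets/linode";
        enableDebugLogs = false;
      };
    };

    # The API token is decrypted from `cfg.sopsFile`; the certificate unit is
    # restarted when the secret changes so a rotated token takes effect.
    sops.secrets.linode = {
      inherit (cfg) sopsFile;
      restartUnits = [ "acme-${cfg.domain}.service" ];
    };
  };
}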