62 lines
1.6 KiB
Nix
62 lines
1.6 KiB
Nix
|
{ config, pkgs, lib, ... }:
|
||
|
|
||
|
let
|
||
|
cfg = config.shb.ssl;
|
||
|
in
|
||
|
{
|
||
|
options.shb.ssl = {
|
||
|
enable = lib.mkEnableOption "selfhostblocks.ssl";
|
||
|
|
||
|
sopsFile = lib.mkOption {
|
||
|
type = lib.types.path;
|
||
|
description = "Sops file location";
|
||
|
example = "secrets/haproxy.yaml";
|
||
|
};
|
||
|
|
||
|
domain = lib.mkOption {
|
||
|
description = lib.mdDoc "Domain to serve sites under.";
|
||
|
type = lib.types.str;
|
||
|
example = "domain.com";
|
||
|
};
|
||
|
|
||
|
adminEmail = lib.mkOption {
|
||
|
description = lib.mdDoc "Admin email in case certificate retrieval goes wrong.";
|
||
|
type = lib.types.str;
|
||
|
};
|
||
|
};
|
||
|
|
||
|
config = lib.mkIf cfg.enable {
|
||
|
users.users.${config.services.nginx.user} = {
|
||
|
isSystemUser = true;
|
||
|
group = "nginx";
|
||
|
extraGroups = [ config.security.acme.defaults.group ];
|
||
|
};
|
||
|
users.groups.ngins = {};
|
||
|
|
||
|
security.acme = {
|
||
|
acceptTerms = true;
|
||
|
certs."${cfg.domain}" = {
|
||
|
extraDomainNames = ["*.${cfg.domain}"];
|
||
|
};
|
||
|
defaults = {
|
||
|
email = cfg.adminEmail;
|
||
|
dnsProvider = "linode";
|
||
|
dnsResolver = "8.8.8.8";
|
||
|
# For example, to use Linode to prove the dns challenge,
|
||
|
# the content of the file should be the following, with
|
||
|
# XXX replaced by your Linode API token.
|
||
|
# LINODE_HTTP_TIMEOUT=10
|
||
|
# LINODE_POLLING_INTERVAL=10
|
||
|
# LINODE_PROPAGATION_TIMEOUT=240
|
||
|
# LINODE_TOKEN=XXX
|
||
|
credentialsFile = "/run/secrets/linode";
|
||
|
enableDebugLogs = false;
|
||
|
};
|
||
|
};
|
||
|
sops.secrets.linode = {
|
||
|
inherit (cfg) sopsFile;
|
||
|
restartUnits = [ "acme-${cfg.domain}.service" ];
|
||
|
};
|
||
|
};
|
||
|
}
|