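{ config, pkgs, lib, ... }:
let
  cfg = config.shb.ssl;
in
{
  # Wildcard TLS certificate for `domain` obtained through security.acme using a
  # DNS provider (lego DNS challenge), plus the group membership nginx needs to
  # read the issued files.
  options.shb.ssl = {
    enable = lib.mkEnableOption "selfhostblocks.ssl";

    domain = lib.mkOption {
      description = "Domain to ask a wildcard certificate for.";
      type = lib.types.str;
      example = "domain.com";
    };

    dnsProvider = lib.mkOption {
      description = "DNS provider to use. See https://go-acme.github.io/lego/dns/ for the list of supported providers.";
      type = lib.types.str;
      example = "linode";
    };

    # Forwarded to security.acme.defaults.credentialsFile, so the ACME service
    # reads the file at runtime. Give it as a string path ("/run/secrets/...");
    # a Nix path literal (./secrets/ssl) is copied into the world-readable Nix
    # store, which would expose the DNS provider credentials.
    credentialsFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        Credentials file location for the chosen DNS provider.
        The content of this file must expose environment variables as written in the
        [documentation](https://go-acme.github.io/lego/dns/) of each DNS provider.
        For example, if the documentation says the credential must be located in the environment
        variable DNSPROVIDER_TOKEN, then the file content must be:
        DNSPROVIDER_TOKEN=xyz
        You can put non-secret environment variables here too or use shb.ssl.additionalCfg instead.
      '';
      example = "/run/secrets/ssl";
    };

    # Becomes the systemd `environment` of the acme-<domain> unit below. Unit
    # files live in the Nix store and their environment is readable by any local
    # user, hence the "no secrets here" rule in the description.
    additionalCfg = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      description = ''Additional environment variables used to configure the DNS provider.
        For secrets, use shb.ssl.credentialsFile instead.
        See the chosen provider's [documentation](https://go-acme.github.io/lego/dns/) for available
        options.
      '';
      example = lib.literalExpression ''
        {
          DNSPROVIDER_TIMEOUT = "10";
          DNSPROVIDER_PROPAGATION_TIMEOUT = "240";
        }
      '';
    };

    # Forwarded to security.acme.defaults.dnsResolver (a public resolver by
    # default so the check is not answered by a local split-horizon DNS).
    dnsResolver = lib.mkOption {
      description = "IP of a DNS server used to resolve hostnames.";
      type = lib.types.str;
      default = "8.8.8.8";
    };

    # Registered as the ACME account contact (security.acme.defaults.email).
    adminEmail = lib.mkOption {
      description = "Admin email in case certificate retrieval goes wrong.";
      type = lib.types.str;
    };

    # Maps to security.acme.defaults.enableDebugLogs; debug output may include
    # DNS API request details, so keep it off outside troubleshooting.
    debug = lib.mkOption {
      description = "Enable debug logging";
      type = lib.types.bool;
      default = false;
    };
  };

  config = lib.mkIf cfg.enable {
    # The nginx user is added to the ACME group so it can read the certificate
    # and key files issued below without making them world-readable.
    users.users.${config.services.nginx.user} = {
      isSystemUser = true;
      group = "nginx";
      extraGroups = [ config.security.acme.defaults.group ];
    };
    users.groups.nginx = {};

    security.acme = {
      # Accepts the CA's terms of service on the operator's behalf; enabling
      # this module implies that consent.
      acceptTerms = true;
      # One certificate covering the apex and every direct subdomain.
      certs."${cfg.domain}" = {
        extraDomainNames = ["*.${cfg.domain}"];
      };
      defaults = {
        email = cfg.adminEmail;
        inherit (cfg) dnsProvider dnsResolver;
        credentialsFile = cfg.credentialsFile;
        enableDebugLogs = cfg.debug;
      };
    };

    # Non-secret provider tuning only (see additionalCfg).
    systemd.services."acme-${cfg.domain}".environment = cfg.additionalCfg;
  };
}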