1
0
Fork 0

remove usage of sops file in ssl.nix

This commit is contained in:
Pierre Penninckx 2023-11-29 22:20:21 -08:00 committed by GitHub
parent 7d9dedb845
commit 86e86dc787
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 25 deletions

View file

@ -178,5 +178,9 @@ in
authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
in
lib.flatten (map authConfig cfg.autheliaProtect);
security.acme.defaults.reloadServices = [
"nginx.service"
];
};
}

View file

@ -7,43 +7,66 @@ in
options.shb.ssl = {
enable = lib.mkEnableOption "selfhostblocks.ssl";
sopsFile = lib.mkOption {
type = lib.types.path;
description = ''Sops file location.
To use Linode to prove the dns challenge, the content of the file should be the following,
with XXX replaced by your Linode API token.
LINODE_HTTP_TIMEOUT=10
LINODE_POLLING_INTERVAL=10
LINODE_PROPAGATION_TIMEOUT=240
LINODE_TOKEN=XXX
'';
example = "secrets/haproxy.yaml";
};
domain = lib.mkOption {
description = lib.mdDoc "Domain to serve sites under.";
description = "Domain to ask a wildcard certificate for.";
type = lib.types.str;
example = "domain.com";
};
dnsProvider = lib.mkOption {
description = lib.mdDoc "DNS provider.";
description = "DNS provider to use. See https://go-acme.github.io/lego/dns/ for the list of supported providers.";
type = lib.types.str;
example = "linode";
};
credentialsFile = lib.mkOption {
type = lib.types.path;
description = ''Credentials file location for the chosen DNS provider.
The content of this file must expose environment variables as written in the
[documentation](https://go-acme.github.io/lego/dns/) of each DNS provider.
For example, if the documentation says the credential must be located in the environment
variable DNSPROVIDER_TOKEN, then the file content must be:
DNSPROVIDER_TOKEN=xyz
You can put non-secret environment variables here too or use shb.ssl.additionalcfg instead.
'';
example = "/run/secrets/ssl";
};
additionalCfg = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = lib.mdDoc ''Additional environment variables used to configure the DNS provider.
For secrets, use shb.ssl.credentialsFile instead.
See the chose provider's [documentation](https://go-acme.github.io/lego/dns/) for available
options.
'';
example = lib.literalExpression ''{
DNSPROVIDER_TIMEOUT = "10";
DNSPROVIDER_PROPAGATION_TIMEOUT = "240";
}'';
};
dnsResolver = lib.mkOption {
description = lib.mdDoc "IP of a DNS server used to resolve hostnames.";
description = "IP of a DNS server used to resolve hostnames.";
type = lib.types.str;
default = "8.8.8.8";
};
adminEmail = lib.mkOption {
description = lib.mdDoc "Admin email in case certificate retrieval goes wrong.";
description = "Admin email in case certificate retrieval goes wrong.";
type = lib.types.str;
};
debug = lib.mkOption {
description = "Enable debug logging";
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
@ -62,13 +85,11 @@ in
defaults = {
email = cfg.adminEmail;
inherit (cfg) dnsProvider dnsResolver;
credentialsFile = config.sops.secrets.acme.path;
enableDebugLogs = false;
credentialsFile = cfg.credentialsFile;
enableDebugLogs = cfg.debug;
};
};
sops.secrets.acme = {
inherit (cfg) sopsFile;
restartUnits = [ "acme-${cfg.domain}.service" ];
};
systemd.services."acme-${cfg.domain}".environment = cfg.additionalCfg;
};
}