selfprivacy-nixos-config/letsencrypt/acme.nix

64 lines
1.9 KiB
Nix
Raw Permalink Normal View History

{ config, lib, pkgs, ... }:
2021-11-15 10:02:05 +00:00
let
cfg = config.selfprivacy;
dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
CLOUDFLARE = ''
CF_API_KEY=$TOKEN
CLOUDFLARE_DNS_API_TOKEN=$TOKEN
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
CLOUDFLARE_POLLING_INTERVAL=30
'';
DESEC = ''
DESEC_TOKEN=$TOKEN
DESEC_POLLING_INTERVAL=30
DESEC_PROPAGATION_TIMEOUT=180
DESEC_TTL=3600
'';
};
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
secrets-filepath = "/etc/selfprivacy/secrets.json";
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
2021-11-15 10:02:05 +00:00
in
{
2023-12-01 04:42:03 +00:00
users.groups.acmereceivers.members = [ "nginx" ];
2021-11-15 10:02:05 +00:00
security.acme = {
acceptTerms = true;
defaults = {
email = "${cfg.username}@${cfg.domain}";
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
2023-06-14 16:06:58 +00:00
reloadServices = [ "nginx" ];
};
2023-12-20 13:16:49 +00:00
certs = {
"${cfg.domain}" = {
domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ];
group = "acmereceivers";
dnsProvider = lib.strings.toLower cfg.dns.provider;
credentialsFile = acme-env-filepath;
dnsPropagationCheck =
! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
};
2021-11-15 10:02:05 +00:00
};
};
systemd.services.acme-secrets = {
before = [ "acme-${cfg.domain}.service" ];
requiredBy = [ "acme-${cfg.domain}.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
filecontents=$(cat <<- EOF
${dnsCredentialsTemplate}
EOF
)
install -m 0440 -o root -g acmereceivers -DT \
<(printf "%s\n" "$filecontents") ${acme-env-filepath}
'';
};
2021-11-15 10:02:05 +00:00
}