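{ config, lib, pkgs, ... }:
let
  cfg = config.selfprivacy;

  # Contents of the lego credentials (environment) file, keyed by the DNS
  # provider name exactly as it appears in `cfg.dns.provider`.  `$TOKEN` is a
  # *shell* variable that the `acme-secrets` script below expands at run
  # time, so the API key is read from `secrets-filepath` on the host and is
  # never written into the Nix store.
  dnsCredentialsTemplates = {
    DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
    CLOUDFLARE = ''
      CF_API_KEY=$TOKEN
      CLOUDFLARE_DNS_API_TOKEN=$TOKEN
      CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
      CLOUDFLARE_POLLING_INTERVAL=30
    '';
    DESEC = ''
      DESEC_TOKEN=$TOKEN
      DESEC_POLLING_INTERVAL=30
      DESEC_PROPAGATION_TIMEOUT=180
      DESEC_TTL=3600
    '';
  };
  # A provider without a template above fails evaluation with a
  # missing-attribute error when the service script is built.
  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};

  # Single source of truth for the group that may read the credentials file
  # and the issued certificates.  Every reference goes through this binding
  # so the name cannot drift between the group definition, the cert
  # entries and the `install -g` call (an earlier revision misspelled it on
  # the apex cert, which pointed that cert at a non-existent group).
  acmeGroup = "acmereceivers";

  acme-env-filepath = "/var/lib/selfprivacy/acme-env";
  secrets-filepath = "/etc/selfprivacy/secrets.json";

  # Providers for which `dnsPropagationCheck` is switched off on the
  # wildcard certificate.
  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
in
{
  users.groups.${acmeGroup}.members = [ "nginx" ];

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "${cfg.username}@${cfg.domain}";
      # `useStagingACME` selects Let's Encrypt's staging directory (for
      # testing) instead of the production one.
      server =
        if cfg.dns.useStagingACME
        then "https://acme-staging-v02.api.letsencrypt.org/directory"
        else "https://acme-v02.api.letsencrypt.org/directory";
      reloadServices = [ "nginx" ];
    };

    certs = {
      # Wildcard certificate, obtained through the DNS provider using the
      # credentials materialised in `acme-env-filepath`.
      "${cfg.domain}" = {
        domain = "*.${cfg.domain}";
        group = acmeGroup;
        dnsProvider = lib.strings.toLower cfg.dns.provider;
        credentialsFile = acme-env-filepath;
        dnsPropagationCheck =
          ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
      };

      # Apex certificate, obtained through the webroot challenge; it needs
      # no DNS credentials.
      "root-${cfg.domain}" = {
        domain = cfg.domain;
        group = acmeGroup;
        webroot = "/var/lib/acme/acme-challenge";
      };
    };
  };

  # Materialises the lego credentials file from the host secrets before the
  # wildcard certificate's ACME service runs.  The result is root-owned,
  # mode 0440, readable only by `acmeGroup`.
  systemd.services.acme-secrets = {
    before = [ "acme-${cfg.domain}.service" ];
    requiredBy = [ "acme-${cfg.domain}.service" ];
    serviceConfig.Type = "oneshot";
    path = with pkgs; [ coreutils jq ];
    script = ''
      # errexit is stated explicitly so that a failed token lookup aborts
      # the unit regardless of the flags the service wrapper passes to the
      # shell; nounset makes any unset variable referenced by a template a
      # hard error instead of an empty credential.
      set -o errexit -o nounset

      # `jq -e` exits non-zero when .dns.apiKey is null or missing, which
      # (with errexit) stops the unit before an empty token is written.
      TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"

      # The template text is substituted into this unit at build time; the
      # heredoc is unquoted so $TOKEN is expanded here, at run time.
      filecontents=$(cat <<- EOF
      ${dnsCredentialsTemplate}
      EOF
      )

      # install applies the final mode and ownership as part of the copy, so
      # the token is never left in a file with a looser mode.
      install -m 0440 -o root -g ${acmeGroup} -DT \
        <(printf "%s\n" "$filecontents") ${acme-env-filepath}
    '';
  };
}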