mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-22 11:41:26 +00:00
68 lines
2 KiB
Nix
68 lines
2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.selfprivacy;
|
|
dnsCredentialsTemplates = {
|
|
DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
|
|
CLOUDFLARE = ''
|
|
CF_API_KEY=$TOKEN
|
|
CLOUDFLARE_DNS_API_TOKEN=$TOKEN
|
|
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
|
|
CLOUDFLARE_POLLING_INTERVAL=30
|
|
'';
|
|
DESEC = ''
|
|
DESEC_TOKEN=$TOKEN
|
|
DESEC_POLLING_INTERVAL=30
|
|
DESEC_PROPAGATION_TIMEOUT=180
|
|
DESEC_TTL=3600
|
|
'';
|
|
};
|
|
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
|
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
|
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
|
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
|
|
in
|
|
{
|
|
users.groups.acmereceivers.members = [ "nginx" ];
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "${cfg.username}@${cfg.domain}";
|
|
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
|
|
reloadServices = [ "nginx" ];
|
|
};
|
|
certs = {
|
|
"${cfg.domain}" = {
|
|
domain = "*.${cfg.domain}";
|
|
group = "acmereceivers";
|
|
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
|
credentialsFile = acme-env-filepath;
|
|
dnsPropagationCheck =
|
|
! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
|
|
};
|
|
"root-${cfg.domain}" = {
|
|
domain = cfg.domain;
|
|
group = "acmereceivers";
|
|
webroot = "/var/lib/acme/acme-challenge";
|
|
};
|
|
};
|
|
};
|
|
systemd.services.acme-secrets = {
|
|
before = [ "acme-${cfg.domain}.service" ];
|
|
requiredBy = [ "acme-${cfg.domain}.service" ];
|
|
serviceConfig.Type = "oneshot";
|
|
path = with pkgs; [ coreutils jq ];
|
|
script = ''
|
|
set -o nounset
|
|
|
|
TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
|
|
filecontents=$(cat <<- EOF
|
|
${dnsCredentialsTemplate}
|
|
EOF
|
|
)
|
|
|
|
install -m 0440 -o root -g acmereceivers -DT \
|
|
<(printf "%s\n" "$filecontents") ${acme-env-filepath}
|
|
'';
|
|
};
|
|
}
|