diff options
author | sefidel <contact@sefidel.net> | 2023-03-29 20:54:19 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2023-04-03 18:32:29 +0900 |
commit | ce06f43476863da90dc60dcee606d2b6c5a89a8e (patch) | |
tree | 5d14946330cb09ff0ebd97bee59407fccee4d860 /modules/services/acme.nix | |
download | infra-ce06f43476863da90dc60dcee606d2b6c5a89a8e.tar.gz infra-ce06f43476863da90dc60dcee606d2b6c5a89a8e.zip |
project: initial commit
Diffstat (limited to 'modules/services/acme.nix')
-rw-r--r-- | modules/services/acme.nix | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/modules/services/acme.nix b/modules/services/acme.nix new file mode 100644 index 0000000..6f6e33e --- /dev/null +++ b/modules/services/acme.nix @@ -0,0 +1,52 @@ +{ config, lib, ... }: + +with lib; +let + cfg = config.modules.services.acme; +in +{ + options.modules.services.acme = { + enable = mkEnableOption "ACME certificate manager"; + email = mkOption { + type = types.str; + description = mdDoc '' + The postmaster email address to use. + ''; + }; + certs = mkOption { + type = types.attrsOf + (types.submodule { + options = { + domain = mkOption { + type = types.nullOr types.str; + default = null; + }; + subDomains = mkOption { type = types.listOf types.str; }; + }; + }); + }; + secrets.acme-credentials = mkOption { type = types.str; description = "path to the acme environment file"; }; + }; + + config = mkIf cfg.enable { + security.acme = { + acceptTerms = true; + defaults.email = cfg.email; + certs = mapAttrs + (name: { domain, subDomains }: { + extraDomainNames = lists.forEach subDomains (elem: elem + ".${name}"); + } // { + dnsProvider = "hetzner"; + dnsPropagationCheck = true; + credentialsFile = cfg.secrets.acme-credentials; + } // optionalAttrs (domain != null) { + domain = domain; + }) + cfg.certs; + }; + + environment.persistence."/persist".directories = [ + "/var/lib/acme" + ]; + }; +} |