about summary refs log tree commit diff
path: root/modules/services
diff options
context:
space:
mode:
Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/acme.nix52
1 files changed, 52 insertions, 0 deletions
diff --git a/modules/services/acme.nix b/modules/services/acme.nix
new file mode 100644
index 0000000..b3ebb26
--- /dev/null
+++ b/modules/services/acme.nix
@@ -0,0 +1,52 @@
+{ config, lib, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.acme;
+in
+{
+  options.modules.services.acme = {
+    enable = mkEnableOption "ACME certificate manager";
+    email = mkOption {
+      type = types.str;
+      description = mdDoc ''
+        The postmaster email address to use.
+      '';
+    };
+    certs = mkOption {
+      type = types.attrsOf
+        (types.submodule {
+          options = {
+            domain = mkOption {
+              type = types.nullOr types.str;
+              default = null;
+            };
+            subDomains = mkOption { type = types.listOf types.str; };
+          };
+        });
+    };
+    secrets.acme-credentials = mkOption { type = types.str; description = "path to the acme environment file"; };
+  };
+
+  config = mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = cfg.email;
+      certs = mapAttrs
+        (name: { domain, subDomains }: {
+          extraDomainNames = lists.forEach subDomains (elem: elem + ".${name}");
+        } // {
+          dnsProvider = "cloudflare";
+          dnsPropagationCheck = true;
+          credentialsFile = cfg.secrets.acme-credentials;
+        } // optionalAttrs (domain != null) {
+          domain = domain;
+        })
+        cfg.certs;
+    };
+
+    modules.persistence.directories = [
+      "/var/lib/acme"
+    ];
+  };
+}