Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/acme.nix52
1 files changed, 52 insertions, 0 deletions
diff --git a/modules/services/acme.nix b/modules/services/acme.nix
new file mode 100644
index 0000000..b3ebb26
--- /dev/null
+++ b/modules/services/acme.nix
@@ -0,0 +1,52 @@
+{ config, lib, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.acme;
+in
+{
+ options.modules.services.acme = {
+ enable = mkEnableOption "ACME certificate manager";
+ email = mkOption {
+ type = types.str;
+ description = mdDoc ''
+ The postmaster email address to use.
+ '';
+ };
+ certs = mkOption {
+ type = types.attrsOf
+ (types.submodule {
+ options = {
+ domain = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ subDomains = mkOption { type = types.listOf types.str; };
+ };
+ });
+ };
+ secrets.acme-credentials = mkOption { type = types.str; description = "path to the acme environment file"; };
+ };
+
+ config = mkIf cfg.enable {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = cfg.email;
+ certs = mapAttrs
+ (name: { domain, subDomains }: {
+ extraDomainNames = lists.forEach subDomains (elem: elem + ".${name}");
+ } // {
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ credentialsFile = cfg.secrets.acme-credentials;
+ } // optionalAttrs (domain != null) {
+ domain = domain;
+ })
+ cfg.certs;
+ };
+
+ modules.persistence.directories = [
+ "/var/lib/acme"
+ ];
+ };
+}
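Review bot: `subDomains` (line 39) has no default, so any `certs` entry that sets only `domain` fails evaluation with a missing-option error, and neither `certs`, `domain` nor `subDomains` carries a description while `email` does; a minimal fix is `subDomains = mkOption { type = types.listOf types.str; default = [ ]; description = mdDoc "Labels prepended to the attribute name to form extraDomainNames (e.g. \"www\" for \"www.<name>\")."; };` plus a one-line `description = mdDoc` on the other two. The `secrets.acme-credentials` option at line 43 deliberately uses `types.str` rather than `types.path`, which is the right choice for a file holding DNS API credentials, since a path literal assigned to a `types.path` option would presumably be copied into the world-readable Nix store; that intent deserves a comment such as `# a string on purpose: a path literal here would be copied into the world-readable store`. Minor style: the `{ ... } // { ... } // optionalAttrs ...` chain at lines 51-59 can be a single attribute set with `optionalAttrs` merged once, and `mdDoc` is used for `email` but a plain string for `secrets.acme-credentials`.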