nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Formatting

Browse Source
This commit is contained in:
niten 2023-10-11 12:03:07 -07:00
parent 1e5cdcba79
commit 5079561573
1 changed files with 159 additions and 154 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
lib/fudo/acme-certs.nix
View File

@ -1,11 +1,11 @@
{ config, lib, pkgs, ... } @ toplevel: { config, lib, pkgs, ... }@toplevel:
with lib; with lib;
let let
hostname = config.instance.hostname; hostname = config.instance.hostname;
domainOpts = { name, ... }: let domainOpts = { name, ... }:
domain = name; let domain = name;
in { in {
options = with types; { options = with types; {
admin-email = mkOption { admin-email = mkOption {
@ -17,15 +17,15 @@ let
extra-domains = mkOption { extra-domains = mkOption {
type = listOf str; type = listOf str;
description = "List of domains to add to this certificate."; description = "List of domains to add to this certificate.";
default = []; default = [ ];
}; };
local-copies = let local-copies = let
localCopyOpts = { name, ... }: let localCopyOpts = { name, ... }:
copy = name; let copy = name;
in { in {
options = with types; let options = with types;
target-path = "/run/ssl-certificates/${domain}/${copy}"; let target-path = "/run/ssl-certificates/${domain}/${copy}";
in { in {
user = mkOption { user = mkOption {
type = str; type = str;
@ -70,13 +70,15 @@ let
dependent-services = mkOption { dependent-services = mkOption {
type = listOf str; type = listOf str;
description = "List of systemd services depending on this copy."; description =
"List of systemd services depending on this copy.";
default = [ ]; default = [ ];
}; };
part-of = mkOption { part-of = mkOption {
type = listOf str; type = listOf str;
description = "List of systemd targets to which this copy belongs."; description =
"List of systemd targets to which this copy belongs.";
default = [ ]; default = [ ];
}; };
}; };
@ -84,25 +86,22 @@ let
in mkOption { in mkOption {
type = attrsOf (submodule localCopyOpts); type = attrsOf (submodule localCopyOpts);
description = "Map of copies to make for use by services."; description = "Map of copies to make for use by services.";
default = {}; default = { };
}; };
}; };
}; };
head-or-null = lst: if (lst == []) then null else head lst; head-or-null = lst: if (lst == [ ]) then null else head lst;
rm-service-ext = filename: rm-service-ext = filename:
head-or-null (builtins.match "^(.+)\.service$" filename); head-or-null (builtins.match "^(.+).service$" filename);
concatMapAttrs = f: attrs: concatMapAttrs = f: attrs: foldr (a: b: a // b) { } (mapAttrsToList f attrs);
foldr (a: b: a // b) {} (mapAttrsToList f attrs);
cfg = config.fudo.acme; cfg = config.fudo.acme;
hasLocalDomains = hasAttr hostname cfg.host-domains; hasLocalDomains = hasAttr hostname cfg.host-domains;
localDomains = if hasLocalDomains then localDomains = if hasLocalDomains then cfg.host-domains.${hostname} else { };
cfg.host-domains.${hostname} else {};
optionalStringOr = str: default: optionalStringOr = str: default: if (str != null) then str else default;
if (str != null) then str else default;
in { in {
options.fudo.acme = with types; { options.fudo.acme = with types; {
@ -123,7 +122,8 @@ in {
}; };
config = { config = {
security.acme.certs = mapAttrs (domain: domainOpts: { security.acme.certs = mapAttrs (domain: domainOpts:
{
# email = domainOpts.admin-email; # email = domainOpts.admin-email;
# webroot = cfg.challenge-path; # webroot = cfg.challenge-path;
# group = "nginx"; # group = "nginx";
@ -135,8 +135,7 @@ in {
services.nginx = mkIf hasLocalDomains { services.nginx = mkIf hasLocalDomains {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts = let virtualHosts = let server-path = "/.well-known/acme-challenge";
server-path = "/.well-known/acme-challenge";
in (mapAttrs (domain: domainOpts: { in (mapAttrs (domain: domainOpts: {
# THIS IS A HACK. Getting redundant paths. So if {domain} is configured # THIS IS A HACK. Getting redundant paths. So if {domain} is configured
# somewhere else, assume ACME is already set. # somewhere else, assume ACME is already set.
@ -152,7 +151,7 @@ in {
serverName = "_"; serverName = "_";
default = true; default = true;
locations = { locations = {
${server-path} = { "${server-path}" = {
root = cfg.challenge-path; root = cfg.challenge-path;
extraConfig = "auth_basic off;"; extraConfig = "auth_basic off;";
}; };
@ -167,39 +166,45 @@ in {
systemd = { systemd = {
tmpfiles = mkIf hasLocalDomains { tmpfiles = mkIf hasLocalDomains {
rules = let rules = let
copies = concatMapAttrs (domain: domainOpts: copies = concatMapAttrs (domain: domainOpts: domainOpts.local-copies)
domainOpts.local-copies) localDomains; localDomains;
perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500"; perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500";
copy-paths = mapAttrsToList (copy: copyOpts: copy-paths = mapAttrsToList (copy: copyOpts:
let let
dir-entry = copyOpts: file: "d \"${dirOf file}\" ${perms copyOpts} ${copyOpts.user} ${optionalStringOr copyOpts.group "-"} - -"; dir-entry = copyOpts: file:
''
d "${dirOf file}" ${perms copyOpts} ${copyOpts.user} ${
optionalStringOr copyOpts.group "-"
} - -'';
in map (dir-entry copyOpts) [ in map (dir-entry copyOpts) [
copyOpts.certificate copyOpts.certificate
copyOpts.full-certificate copyOpts.full-certificate
copyOpts.chain copyOpts.chain
copyOpts.private-key copyOpts.private-key
]) copies; ]) copies;
in (unique (concatMap (i: unique i) copy-paths)) ++ [ in (unique (concatMap (i: unique i) copy-paths))
"d \"${cfg.challenge-path}\" 755 acme nginx - -" ++ [ ''d "${cfg.challenge-path}" 755 acme nginx - -'' ];
];
}; };
services = concatMapAttrs (domain: domainOpts: services = concatMapAttrs (domain: domainOpts:
concatMapAttrs (copy: copyOpts: let concatMapAttrs (copy: copyOpts:
key-perms = copyOpts: if (copyOpts.group != null) then "0440" else "0400"; let
key-perms = copyOpts:
if (copyOpts.group != null) then "0440" else "0400";
source = config.security.acme.certs.${domain}.directory; source = config.security.acme.certs.${domain}.directory;
target = copyOpts.path; target = copyOpts.path;
owners = owners = if (copyOpts.group != null) then
if (copyOpts.group != null) then
"${copyOpts.user}:${copyOpts.group}" "${copyOpts.user}:${copyOpts.group}"
else copyOpts.user; else
copyOpts.user;
dirs = unique [ dirs = unique [
(dirOf copyOpts.certificate) (dirOf copyOpts.certificate)
(dirOf copyOpts.full-certificate) (dirOf copyOpts.full-certificate)
(dirOf copyOpts.chain) (dirOf copyOpts.chain)
(dirOf copyOpts.private-key) (dirOf copyOpts.private-key)
]; ];
install-certs = pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" '' install-certs =
pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" ''
${concatStringsSep "\n" (map (dir: '' ${concatStringsSep "\n" (map (dir: ''
mkdir -p ${dir} mkdir -p ${dir}
chown ${owners} ${dir} chown ${owners} ${dir}