Formatting

This commit is contained in:
niten 2023-10-11 12:03:07 -07:00
parent 1e5cdcba79
commit 5079561573
1 changed files with 159 additions and 154 deletions


@ -1,11 +1,11 @@
{ config, lib, pkgs, ... } @ toplevel:
{ config, lib, pkgs, ... }@toplevel:
with lib;
let
hostname = config.instance.hostname;
domainOpts = { name, ... }: let
domain = name;
domainOpts = { name, ... }:
let domain = name;
in {
options = with types; {
admin-email = mkOption {
@ -17,15 +17,15 @@ let
extra-domains = mkOption {
type = listOf str;
description = "List of domains to add to this certificate.";
default = [];
default = [ ];
};
local-copies = let
localCopyOpts = { name, ... }: let
copy = name;
localCopyOpts = { name, ... }:
let copy = name;
in {
options = with types; let
target-path = "/run/ssl-certificates/${domain}/${copy}";
options = with types;
let target-path = "/run/ssl-certificates/${domain}/${copy}";
in {
user = mkOption {
type = str;
@ -70,13 +70,15 @@ let
dependent-services = mkOption {
type = listOf str;
description = "List of systemd services depending on this copy.";
description =
"List of systemd services depending on this copy.";
default = [ ];
};
part-of = mkOption {
type = listOf str;
description = "List of systemd targets to which this copy belongs.";
description =
"List of systemd targets to which this copy belongs.";
default = [ ];
};
};
@ -84,25 +86,22 @@ let
in mkOption {
type = attrsOf (submodule localCopyOpts);
description = "Map of copies to make for use by services.";
default = {};
default = { };
};
};
};
head-or-null = lst: if (lst == []) then null else head lst;
head-or-null = lst: if (lst == [ ]) then null else head lst;
rm-service-ext = filename:
head-or-null (builtins.match "^(.+)\.service$" filename);
head-or-null (builtins.match "^(.+).service$" filename);
concatMapAttrs = f: attrs:
foldr (a: b: a // b) {} (mapAttrsToList f attrs);
concatMapAttrs = f: attrs: foldr (a: b: a // b) { } (mapAttrsToList f attrs);
cfg = config.fudo.acme;
hasLocalDomains = hasAttr hostname cfg.host-domains;
localDomains = if hasLocalDomains then
cfg.host-domains.${hostname} else {};
localDomains = if hasLocalDomains then cfg.host-domains.${hostname} else { };
optionalStringOr = str: default:
if (str != null) then str else default;
optionalStringOr = str: default: if (str != null) then str else default;
in {
options.fudo.acme = with types; {
@ -123,7 +122,8 @@ in {
};
config = {
security.acme.certs = mapAttrs (domain: domainOpts: {
security.acme.certs = mapAttrs (domain: domainOpts:
{
# email = domainOpts.admin-email;
# webroot = cfg.challenge-path;
# group = "nginx";
@ -135,8 +135,7 @@ in {
services.nginx = mkIf hasLocalDomains {
enable = true;
recommendedTlsSettings = true;
virtualHosts = let
server-path = "/.well-known/acme-challenge";
virtualHosts = let server-path = "/.well-known/acme-challenge";
in (mapAttrs (domain: domainOpts: {
# THIS IS A HACK. Getting redundant paths. So if {domain} is configured
# somewhere else, assume ACME is already set.
@ -152,7 +151,7 @@ in {
serverName = "_";
default = true;
locations = {
${server-path} = {
"${server-path}" = {
root = cfg.challenge-path;
extraConfig = "auth_basic off;";
};
@ -167,39 +166,45 @@ in {
systemd = {
tmpfiles = mkIf hasLocalDomains {
rules = let
copies = concatMapAttrs (domain: domainOpts:
domainOpts.local-copies) localDomains;
copies = concatMapAttrs (domain: domainOpts: domainOpts.local-copies)
localDomains;
perms = copyOpts: if (copyOpts.group != null) then "0550" else "0500";
copy-paths = mapAttrsToList (copy: copyOpts:
let
dir-entry = copyOpts: file: "d \"${dirOf file}\" ${perms copyOpts} ${copyOpts.user} ${optionalStringOr copyOpts.group "-"} - -";
dir-entry = copyOpts: file:
''
d "${dirOf file}" ${perms copyOpts} ${copyOpts.user} ${
optionalStringOr copyOpts.group "-"
} - -'';
in map (dir-entry copyOpts) [
copyOpts.certificate
copyOpts.full-certificate
copyOpts.chain
copyOpts.private-key
]) copies;
in (unique (concatMap (i: unique i) copy-paths)) ++ [
"d \"${cfg.challenge-path}\" 755 acme nginx - -"
];
in (unique (concatMap (i: unique i) copy-paths))
++ [ ''d "${cfg.challenge-path}" 755 acme nginx - -'' ];
};
services = concatMapAttrs (domain: domainOpts:
concatMapAttrs (copy: copyOpts: let
key-perms = copyOpts: if (copyOpts.group != null) then "0440" else "0400";
concatMapAttrs (copy: copyOpts:
let
key-perms = copyOpts:
if (copyOpts.group != null) then "0440" else "0400";
source = config.security.acme.certs.${domain}.directory;
target = copyOpts.path;
owners =
if (copyOpts.group != null) then
owners = if (copyOpts.group != null) then
"${copyOpts.user}:${copyOpts.group}"
else copyOpts.user;
else
copyOpts.user;
dirs = unique [
(dirOf copyOpts.certificate)
(dirOf copyOpts.full-certificate)
(dirOf copyOpts.chain)
(dirOf copyOpts.private-key)
];
install-certs = pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" ''
install-certs =
pkgs.writeShellScript "fudo-install-${domain}-${copy}-certs.sh" ''
${concatStringsSep "\n" (map (dir: ''
mkdir -p ${dir}
chown ${owners} ${dir}