From bd2da85ef0eeba04c2320c150d6040ee72008b4e Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Wed, 22 Jan 2025 00:48:12 +0100
Subject: [PATCH] service/acme: split from nginx
---
 machines/newton/services.nix | 7 +++---
 machines/serverle/services.nix | 7 +++---
 modules/services/acme/default.nix | 36 ++++++++++++++++++++++++++++++
 modules/services/default.nix | 1 +
 modules/services/nginx/default.nix | 19 ----------------
 5 files changed, 45 insertions(+), 25 deletions(-)
 create mode 100644 modules/services/acme/default.nix
diff --git a/machines/newton/services.nix b/machines/newton/services.nix
index 90439f9..bca5bcd 100644
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@@ -139,9 +139,6 @@ in
 # Webserver
 nginx = {
 enable = true;
- acme = {
- credentialsFile = secrets."acme/inwx".path;
- };
 sso = {
 authKeyFile = secrets."sso/auth-key".path;
 users = {
@@ -155,6 +152,10 @@ in
 };
 };
 };
+ acme = {
+ enable = true;
+ credentialsFile = secrets."acme/inwx".path;
+ };
 vpn = {
 enable = true;
 isMaster = true;
diff --git a/machines/serverle/services.nix b/machines/serverle/services.nix
index 726a35d..d20ff2e 100644
--- a/machines/serverle/services.nix
+++ b/machines/serverle/services.nix
@@ -89,9 +89,6 @@ in
 # Webserver
 nginx = {
 enable = true;
- acme = {
- credentialsFile = secrets."acme/inwx".path;
- };
 sso = {
 authKeyFile = secrets."sso/auth-key".path;
 users = {
@@ -105,6 +102,10 @@ in
 };
 };
 };
+ acme = {
+ enable = true;
+ credentialsFile = secrets."acme/inwx".path;
+ };
 vpn.enable = true;
 };
}
diff --git a/modules/services/acme/default.nix b/modules/services/acme/default.nix
new file mode 100644
index 0000000..73bb332
--- /dev/null
+++ b/modules/services/acme/default.nix
@@ -0,0 +1,36 @@
+# automatic certificates
+{ config, lib, ... }:
+let
+ cfg = config.my.services.acme;
+ inherit (config.networking) domain;
+in
+{
+ options.my.services.acme = with lib; {
+ enable = mkEnableOption "ACME certificates";
+
+ credentialsFile = mkOption {
+ type = types.str;
+ example = "/var/lib/acme/creds.env";
+ description = ''
+ INWX API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme = {
+ defaults.email = "server@buehler.rocks";
+ # this is specially needed for inwx and does not work without it
+ defaults.dnsResolver = "ns.inwx.de";
+ acceptTerms = true;
+ # Use DNS wildcard certificate
+ certs = {
+ "${config.networking.domain}" = {
+ extraDomainNames = [ "*.${config.networking.domain}" ];
+ dnsProvider = "inwx";
+ inherit (cfg) credentialsFile;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 755e83b..cc842da 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
 imports = [
+ ./acme
 ./alertmanager
 ./aria2
 ./backup
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index b36a00c..239fa0f 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -448,24 +448,5 @@ in
 ];
 # Nginx needs to be able to read the certificates
 users.users.nginx.extraGroups = [ "acme" ];
- security.acme = {
- defaults.email = "server@buehler.rocks";
- # this is specially needed for inwx and does not work without it
- defaults.dnsResolver = "ns.inwx.de";
- acceptTerms = true;
- # Use DNS wildcard certificate
- certs =
- let
- inherit (config.networking) domain;
- in
- with pkgs;
- {
- "${domain}" = {
- extraDomainNames = [ "*.${domain}" ];
- dnsProvider = "inwx";
- inherit (cfg.acme) credentialsFile;
- };
- };
- };
 };
}
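Review bot: `inherit (config.networking) domain;` in the `let` block of the new module is never used; `certs` spells out `config.networking.domain` twice instead, so either drop the binding or use it as the removed nginx code did: `"${domain}" = { extraDomainNames = [ "*.${domain}" ]; … };`. Declaring `credentialsFile` as `types.str` rather than `types.path` is the right choice for a secret and deserves a comment next to `type = types.str;`, e.g. `# types.str on purpose: a path literal would be copied into the world-readable Nix store`, so a later cleanup does not "fix" it. `defaults.email` and `defaults.dnsResolver` are hard-coded for one DNS provider; if the module is meant to be reusable they could become options with these values as defaults, otherwise a one-line comment stating that the module is INWX-specific would make that explicit.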
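Review bot: The removed block read `cfg.acme.credentialsFile`, but nothing in this diff removes the `acme` option under `my.services.nginx` (its declaration is outside the hunk), so if it is still declared, setting it is now accepted and silently ignored. Either delete that option or add `(lib.mkRenamedOptionModule [ "my" "services" "nginx" "acme" "credentialsFile" ] [ "my" "services" "acme" "credentialsFile" ])` to the module's `imports` so existing host configs migrate with a warning instead of being dropped. The kept line `users.users.nginx.extraGroups = [ "acme" ];` also means nginx now relies on `my.services.acme.enable` being set on the same host with nothing enforcing it; an entry such as `assertions = [ { assertion = config.my.services.acme.enable; message = "my.services.nginx needs my.services.acme for its certificates"; } ];` would turn a missing-certificate failure at runtime into an evaluation error. The enclosing attribute set starts outside the hunk.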