service/acme: split from nginx

2025-05-24 01:44:40 +02:00 · 2025-01-22 00:48:12 +01:00 · 2025-01-22 00:48:12 +01:00 · bd2da85ef0
commit bd2da85ef0
parent 0314eeabd6
5 changed files with 45 additions and 25 deletions
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@ -139,9 +139,6 @@ in
    # Webserver
    nginx = {
      enable = true;
-      acme = {
-        credentialsFile = secrets."acme/inwx".path;
-      };
      sso = {
        authKeyFile = secrets."sso/auth-key".path;
        users = {
@ -155,6 +152,10 @@ in
        };
      };
    };
+    acme = {
+      enable = true;
+      credentialsFile = secrets."acme/inwx".path;
+    };
    vpn = {
      enable = true;
      isMaster = true;
--- a/machines/serverle/services.nix
+++ b/machines/serverle/services.nix
@ -89,9 +89,6 @@ in
    # Webserver
    nginx = {
      enable = true;
-      acme = {
-        credentialsFile = secrets."acme/inwx".path;
-      };
      sso = {
        authKeyFile = secrets."sso/auth-key".path;
        users = {
@ -105,6 +102,10 @@ in
        };
      };
    };
+    acme = {
+      enable = true;
+      credentialsFile = secrets."acme/inwx".path;
+    };
    vpn.enable = true;
  };
 }
--- a/modules/services/acme/default.nix
+++ b/modules/services/acme/default.nix
@ -0,0 +1,36 @@
+# automatic certificates
+{ config, lib, ... }:
+let
+  cfg = config.my.services.acme;
+  inherit (config.networking) domain;
+in
+{
+  options.my.services.acme = with lib; {
+    enable = mkEnableOption "ACME certificates";
+
+    credentialsFile = mkOption {
+      type = types.str;
+      example = "/var/lib/acme/creds.env";
+      description = ''
+        INWX API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme = {
+      defaults.email = "server@buehler.rocks";
+      # this is specially needed for inwx and does not work without it
+      defaults.dnsResolver = "ns.inwx.de";
+      acceptTerms = true;
+      # Use DNS wildcard certificate
+      certs = {
+        "${config.networking.domain}" = {
+          extraDomainNames = [ "*.${config.networking.domain}" ];
+          dnsProvider = "inwx";
+          inherit (cfg) credentialsFile;
+        };
+      };
+    };
+  };
+}
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
+    ./acme
    ./alertmanager
    ./aria2
    ./backup
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@ -448,24 +448,5 @@ in
    ];
    # Nginx needs to be able to read the certificates
    users.users.nginx.extraGroups = [ "acme" ];
-    security.acme = {
-      defaults.email = "server@buehler.rocks";
-      # this is specially needed for inwx and does not work without it
-      defaults.dnsResolver = "ns.inwx.de";
-      acceptTerms = true;
-      # Use DNS wildcard certificate
-      certs =
-        let
-          inherit (config.networking) domain;
-        in
-        with pkgs;
-        {
-          "${domain}" = {
-            extraDomainNames = [ "*.${domain}" ];
-            dnsProvider = "inwx";
-            inherit (cfg.acme) credentialsFile;
-          };
-        };
-    };
  };
 }