2024-12-06 16:46:10 +00:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
namespace,
|
|
|
|
|
...
|
|
|
|
|
}:
|
2024-05-21 00:52:57 +00:00
|
|
|
|
|
|
|
|
let
|
2024-12-06 16:46:10 +00:00
|
|
|
cfg = config.${namespace}.services.acme;
|
2024-05-21 00:52:57 +00:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options = {
|
2024-12-06 16:46:10 +00:00
|
|
|
${namespace}.services.acme = {
|
2024-09-08 15:58:56 +00:00
|
|
|
enable = lib.mkEnableOption "Enable the ACME client (for Let's Encrypt TLS certificates).";
|
2024-05-21 00:52:57 +00:00
|
|
|
certs = lib.mkOption {
|
|
|
|
|
default = { };
|
|
|
|
|
type = lib.types.attrs;
|
|
|
|
|
description = "Cert configurations for ACME.";
|
|
|
|
|
};
|
|
|
|
|
defaultEmail = lib.mkOption {
|
|
|
|
|
default = "";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
description = "Default admin email to use for problems.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
|
security.acme = {
|
|
|
|
|
acceptTerms = true;
|
|
|
|
|
defaults.email = cfg.defaultEmail;
|
|
|
|
|
certs = cfg.certs;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# /var/lib/acme/.challenges must be writable by the ACME user
|
|
|
|
|
# and readable by the Nginx user. The easiest way to achieve
|
|
|
|
|
# this is to add the Nginx user to the ACME group.
|
2024-12-06 16:46:10 +00:00
|
|
|
users.users.nginx.extraGroups = lib.mkIf config.${namespace}.services.nginx.enable [ "acme" ];
|
2024-05-21 00:52:57 +00:00
|
|
|
};
|
|
|
|
|
}
|
