2024-05-21 00:52:57 +00:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
|
|
|
let
|
2024-06-24 15:38:28 +00:00
|
|
|
cfg = config.aux.system.services.acme;
|
2024-05-21 00:52:57 +00:00
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
2024-06-24 15:38:28 +00:00
|
|
|
aux.system.services.acme = {
|
2024-05-21 00:52:57 +00:00
|
|
|
enable = lib.mkEnableOption (
|
|
|
|
lib.mdDoc "Enable the ACME client (for Let's Encrypt TLS certificates)."
|
|
|
|
);
|
|
|
|
|
|
|
|
certs = lib.mkOption {
|
|
|
|
default = { };
|
|
|
|
type = lib.types.attrs;
|
|
|
|
description = "Cert configurations for ACME.";
|
|
|
|
};
|
|
|
|
|
|
|
|
defaultEmail = lib.mkOption {
|
|
|
|
default = "";
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "Default admin email to use for problems.";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
security.acme = {
|
|
|
|
acceptTerms = true;
|
|
|
|
defaults.email = cfg.defaultEmail;
|
|
|
|
certs = cfg.certs;
|
|
|
|
};
|
|
|
|
|
|
|
|
# /var/lib/acme/.challenges must be writable by the ACME user
|
|
|
|
# and readable by the Nginx user. The easiest way to achieve
|
|
|
|
# this is to add the Nginx user to the ACME group.
|
2024-06-24 15:38:28 +00:00
|
|
|
users.users.nginx.extraGroups = lib.mkIf config.aux.system.services.nginx.enable [ "acme" ];
|
2024-05-21 00:52:57 +00:00
|
|
|
};
|
|
|
|
}
|