frumar: split out selfsigned module

nixos/machines/frumar/default.nix

@@ -15,30 +15,7 @@
     };
   }) ];
 
-  systemd.tmpfiles.rules = lib.mkAfter [
-    "d /var/lib/acme.sh/selfsign 0700 nginx nginx"
-  ];
-  systemd.services."yori-selfsigned-ca" = {
-    description = "Generate self-signed fallback";
-    path = with pkgs; [ minica ];
-    unitConfig = {
-      ConditionPathExists = "!/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
-      StartLimitIntervalSec = 0;
-    };
-    serviceConfig = {
-      User = "nginx";
-      Group = "nginx";
-      UMask = "0077";
-      Type = "oneshot";
-      PrivateTmp = true;
-      WorkingDirectory = "/var/lib/acme.sh/selfsign";
-    };
-    script = "minica --domains selfsigned.local";
-  };
-  systemd.services.nginx = {
-    requires = [ "yori-selfsigned-ca.service" ];
-    after = [ "yori-selfsigned-ca.service" ];
-  };
+  security.y-selfsigned.enable = true;
 
   services.nginx = {
     enable = true;
@@ -64,8 +41,7 @@
     };
     virtualHosts."frumar.yori.cc" = {
       enableACME = lib.mkForce false;
-      sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem";
-      sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
+      inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
     };
   };
   boot.supportedFilesystems = [ "zfs" ];

nixos/modules/selfsigned.nix

@@ -0,0 +1,65 @@
+{ pkgs, config, lib, ...}: let
+  cfg = config.security.y-selfsigned;
+in {
+  options.security.y-selfsigned = with lib; {
+    enable = mkEnableOption "Enable generating a self-signed certificate";
+    directory = mkOption {
+      type = types.str;
+      default = "/var/lib/selfsign";
+      description = "Directory to store the self-signed certificate";
+    };
+    domain = mkOption {
+      type = types.str;
+      default = "selfsigned.local";
+      description = "Domain to generate the self-signed certificate for";
+    };
+    sslCertificate = mkOption {
+      type = types.str;
+      readOnly = true;
+      default = "${cfg.directory}/${cfg.domain}/cert.pem";
+      description = "Path to the self-signed certificate";
+    };
+    sslCertificateKey = mkOption {
+      type = types.str;
+      readOnly = true;
+      default = "${cfg.directory}/${cfg.domain}/key.pem";
+      description = "Path to the self-signed certificate key";
+    };
+    user = mkOption {
+      type = types.str;
+      default = "nginx";
+      description = "User to run the self-signed certificate generator as";
+    };
+    group = mkOption {
+      type = types.str;
+      default = "nginx";
+      description = "Group to run the self-signed certificate generator as";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.tmpfiles.rules = lib.mkAfter [
+      "d ${cfg.directory} 0700 ${cfg.user} ${cfg.group}"
+    ];
+    systemd.services."y-selfsigned-ca" = {
+      description = "Generate self-signed fallback";
+      path = with pkgs; [ minica ];
+      unitConfig = {
+        ConditionPathExists = "!${cfg.sslCertificateKey}";
+        StartLimitIntervalSec = 0;
+      };
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        UMask = "0077";
+        Type = "oneshot";
+        PrivateTmp = true;
+        WorkingDirectory = cfg.directory;
+      };
+      script = "minica --domains ${cfg.domain}";
+    };
+    systemd.services.nginx = {
+      requires = [ "y-selfsigned-ca.service" ];
+      after = [ "y-selfsigned-ca.service" ];
+    };
+  };
+}

nixos/roles/default.nix

@@ -10,6 +10,7 @@ in {
     ../modules/lumi-cache.nix
     ../modules/lumi-vpn.nix
     ../modules/muflax-blog.nix
+    ../modules/selfsigned.nix
     ../services
   ];
   age.secrets = {