frumar: split out selfsigned module
parent
734a2fc02f
commit
a15ea5ff17
@ -15,30 +15,7 @@
|
|||
};
|
||||
}) ];
|
||||
|
||||
systemd.tmpfiles.rules = lib.mkAfter [
|
||||
"d /var/lib/acme.sh/selfsign 0700 nginx nginx"
|
||||
];
|
||||
systemd.services."yori-selfsigned-ca" = {
|
||||
description = "Generate self-signed fallback";
|
||||
path = with pkgs; [ minica ];
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
|
||||
StartLimitIntervalSec = 0;
|
||||
};
|
||||
serviceConfig = {
|
||||
User = "nginx";
|
||||
Group = "nginx";
|
||||
UMask = "0077";
|
||||
Type = "oneshot";
|
||||
PrivateTmp = true;
|
||||
WorkingDirectory = "/var/lib/acme.sh/selfsign";
|
||||
};
|
||||
script = "minica --domains selfsigned.local";
|
||||
};
|
||||
systemd.services.nginx = {
|
||||
requires = [ "yori-selfsigned-ca.service" ];
|
||||
after = [ "yori-selfsigned-ca.service" ];
|
||||
};
|
||||
security.y-selfsigned.enable = true;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
@ -64,8 +41,7 @@
|
|||
};
|
||||
virtualHosts."frumar.yori.cc" = {
|
||||
enableACME = lib.mkForce false;
|
||||
sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem";
|
||||
sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
|
||||
inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
|
||||
};
|
||||
};
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
|
|
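Review bot: The host only sets `security.y-selfsigned.enable = true;` and does not set `security.y-selfsigned.directory`, so with the module's default of `/var/lib/selfsign` the certificate and key move away from the `/var/lib/acme.sh/selfsign/...` paths the removed lines used. The service will mint a fresh key pair under the new directory, and the old directory — presumably also holding the minica CA key — stays behind, still owned by nginx and referenced by nothing. If continuity of the existing material is intended, add `security.y-selfsigned.directory = "/var/lib/acme.sh/selfsign";` next to the enable line; otherwise a tmpfiles removal rule or a documented manual cleanup of the old directory belongs in this change. The `inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;` in the second hunk is consistent with this, since both options are read-only defaults derived from the same directory.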
@ -0,0 +1,65 @@
|
|||
{ pkgs, config, lib, ...}: let
|
||||
cfg = config.security.y-selfsigned;
|
||||
in {
|
||||
options.security.y-selfsigned = with lib; {
|
||||
enable = mkEnableOption "Enable generating a self-signed certificate";
|
||||
directory = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/selfsign";
|
||||
description = "Directory to store the self-signed certificate";
|
||||
};
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = "selfsigned.local";
|
||||
description = "Domain to generate the self-signed certificate for";
|
||||
};
|
||||
sslCertificate = mkOption {
|
||||
type = types.str;
|
||||
readOnly = true;
|
||||
default = "${cfg.directory}/${cfg.domain}/cert.pem";
|
||||
description = "Path to the self-signed certificate";
|
||||
};
|
||||
sslCertificateKey = mkOption {
|
||||
type = types.str;
|
||||
readOnly = true;
|
||||
default = "${cfg.directory}/${cfg.domain}/key.pem";
|
||||
description = "Path to the self-signed certificate key";
|
||||
};
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "nginx";
|
||||
description = "User to run the self-signed certificate generator as";
|
||||
};
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "nginx";
|
||||
description = "Group to run the self-signed certificate generator as";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.tmpfiles.rules = lib.mkAfter [
|
||||
"d ${cfg.directory} 0700 ${cfg.user} ${cfg.group}"
|
||||
];
|
||||
systemd.services."y-selfsigned-ca" = {
|
||||
description = "Generate self-signed fallback";
|
||||
path = with pkgs; [ minica ];
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!${cfg.sslCertificateKey}";
|
||||
StartLimitIntervalSec = 0;
|
||||
};
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
UMask = "0077";
|
||||
Type = "oneshot";
|
||||
PrivateTmp = true;
|
||||
WorkingDirectory = cfg.directory;
|
||||
};
|
||||
script = "minica --domains ${cfg.domain}";
|
||||
};
|
||||
systemd.services.nginx = {
|
||||
requires = [ "y-selfsigned-ca.service" ];
|
||||
after = [ "y-selfsigned-ca.service" ];
|
||||
};
|
||||
};
|
||||
}
|
|
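Review bot: The `systemd.services.nginx = { requires = ...; after = ...; }` block near the end of `config` is applied whenever `cfg.enable` is set, so the module ties itself to nginx even though `user`/`group` are configurable; on a host that enables the module without nginx this would define a bare nginx unit with only ordering dependencies. Guard it with `systemd.services.nginx = lib.mkIf config.services.nginx.enable { ... };` or move the dependency into the host config. Separately, `ConditionPathExists = "!${cfg.sslCertificateKey}"` means the certificate is generated exactly once and never renewed; minica-issued leaf certificates have a finite validity (exact lifetime not visible here), so the fallback will eventually expire while the key still exists — a note in the option description, or a timer that regenerates when `cfg.sslCertificate` is near expiry, is worth adding. Lastly, `mkEnableOption` prepends "Whether to enable", so the current description renders as "Whether to enable Enable generating a self-signed certificate"; `enable = mkEnableOption "generating a self-signed fallback certificate";` reads correctly.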
@ -10,6 +10,7 @@ in {
|
|||
../modules/lumi-cache.nix
|
||||
../modules/lumi-vpn.nix
|
||||
../modules/muflax-blog.nix
|
||||
../modules/selfsigned.nix
|
||||
../services
|
||||
];
|
||||
age.secrets = {
|
||||
|
|