diff --git a/nixos/machines/frumar/default.nix b/nixos/machines/frumar/default.nix index a9c19b3..8005da3 100644 --- a/nixos/machines/frumar/default.nix +++ b/nixos/machines/frumar/default.nix @@ -15,30 +15,7 @@ }; }) ]; - systemd.tmpfiles.rules = lib.mkAfter [ - "d /var/lib/acme.sh/selfsign 0700 nginx nginx" - ]; - systemd.services."yori-selfsigned-ca" = { - description = "Generate self-signed fallback"; - path = with pkgs; [ minica ]; - unitConfig = { - ConditionPathExists = "!/var/lib/acme.sh/selfsign/selfsigned.local/key.pem"; - StartLimitIntervalSec = 0; - }; - serviceConfig = { - User = "nginx"; - Group = "nginx"; - UMask = "0077"; - Type = "oneshot"; - PrivateTmp = true; - WorkingDirectory = "/var/lib/acme.sh/selfsign"; - }; - script = "minica --domains selfsigned.local"; - }; - systemd.services.nginx = { - requires = [ "yori-selfsigned-ca.service" ]; - after = [ "yori-selfsigned-ca.service" ]; - }; + security.y-selfsigned.enable = true; services.nginx = { enable = true; @@ -64,8 +41,7 @@ }; virtualHosts."frumar.yori.cc" = { enableACME = lib.mkForce false; - sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem"; - sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem"; + inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey; }; }; boot.supportedFilesystems = [ "zfs" ]; diff --git a/nixos/modules/selfsigned.nix b/nixos/modules/selfsigned.nix new file mode 100644 index 0000000..ef72ffb --- /dev/null +++ b/nixos/modules/selfsigned.nix 
@@ -0,0 +1,65 @@
+{ pkgs, config, lib, ...}: let
+ cfg = config.security.y-selfsigned;
+in {
+ options.security.y-selfsigned = with lib; {
+ enable = mkEnableOption "Enable generating a self-signed certificate";
+ directory = mkOption {
+ type = types.str;
+ default = "/var/lib/selfsign";
+ description = "Directory to store the self-signed certificate";
+ };
+ domain = mkOption {
+ type = types.str;
+ default = "selfsigned.local";
+ description = "Domain to generate the self-signed certificate for";
+ };
+ sslCertificate = mkOption {
+ type = types.str;
+ readOnly = true;
+ default = "${cfg.directory}/${cfg.domain}/cert.pem";
+ description = "Path to the self-signed certificate";
+ };
+ sslCertificateKey = mkOption {
+ type = types.str;
+ readOnly = true;
+ default = "${cfg.directory}/${cfg.domain}/key.pem";
+ description = "Path to the self-signed certificate key";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "nginx";
+ description = "User to run the self-signed certificate generator as";
+ };
+ group = mkOption {
+ type = types.str;
+ default = "nginx";
+ description = "Group to run the self-signed certificate generator as";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ systemd.tmpfiles.rules = lib.mkAfter [
+ "d ${cfg.directory} 0700 ${cfg.user} ${cfg.group}"
+ ];
+ systemd.services."y-selfsigned-ca" = {
+ description = "Generate self-signed fallback";
+ path = with pkgs; [ minica ];
+ unitConfig = {
+ ConditionPathExists = "!${cfg.sslCertificateKey}";
+ StartLimitIntervalSec = 0;
+ };
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ UMask = "0077";
+ Type = "oneshot";
+ PrivateTmp = true;
+ WorkingDirectory = cfg.directory;
+ };
+ script = "minica --domains ${cfg.domain}";
+ };
+ systemd.services.nginx = {
+ requires = [ "y-selfsigned-ca.service" ];
+ after = [ "y-selfsigned-ca.service" ];
+ };
+ };
+}
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 1c935ef..2c9eb7c 100644
--- a/nixos/roles/default.nix
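Review bot: The new `user`/`group` options let the generator run as any account, but `systemd.services.nginx` is still hard-wired as the consumer and the key is created unreadable to anyone but `cfg.user` (`UMask = "0077"` inside a `d ... 0700 ${cfg.user} ${cfg.group}` directory), so a non-nginx value silently leaves nginx ordered after a unit whose output it cannot read; either drop the two options or add an assertion such as `assertions = [ { assertion = cfg.user == config.services.nginx.user; message = "security.y-selfsigned.user must match services.nginx.user"; } ];`. `cfg.domain` and `cfg.directory` are plain `types.str` spliced unquoted into the shell `script` and the tmpfiles rule, so `script = "minica --domains ${lib.escapeShellArg cfg.domain}";` and `type = types.path;` for `directory` would close the quoting hole and reject relative paths. `ConditionPathExists = "!${cfg.sslCertificateKey}"` fires only once: a run that wrote `key.pem` but died before `cert.pem` is never retried, and minica leaf certificates have a finite lifetime (about two years, if I remember correctly) after which the unit still sees the key and never renews, which deserves a comment like `# One-shot: regeneration requires deleting ${cfg.directory}; certs are not renewed automatically.` on the unit. Note too that minica writes its CA private key (`minica-key.pem`) into `WorkingDirectory`, readable by `cfg.user`, so the unit description should state that this CA is a throwaway and must never be imported as trusted anywhere. Finally, `mkEnableOption "Enable generating ..."` renders as "Whether to enable Enable generating …"; `mkEnableOption "generating a self-signed fallback certificate"` reads correctly.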
+++ b/nixos/roles/default.nix
@@ -10,6 +10,7 @@ in {
 ../modules/lumi-cache.nix
 ../modules/lumi-vpn.nix
 ../modules/muflax-blog.nix
+ ../modules/selfsigned.nix
 ../services
 ];
 age.secrets = {