frumar: split out selfsigned module
parent
734a2fc02f
commit
a15ea5ff17
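--- a/[path not shown on page: file 1]
+++ b/[path not shown on page: file 1]
@@ -15,30 +15,7 @@
 };
 }) ];
 
-systemd.tmpfiles.rules = lib.mkAfter [
-"d /var/lib/acme.sh/selfsign 0700 nginx nginx"
-];
-systemd.services."yori-selfsigned-ca" = {
-description = "Generate self-signed fallback";
-path = with pkgs; [ minica ];
-unitConfig = {
-ConditionPathExists = "!/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
-StartLimitIntervalSec = 0;
-};
-serviceConfig = {
-User = "nginx";
-Group = "nginx";
-UMask = "0077";
-Type = "oneshot";
-PrivateTmp = true;
-WorkingDirectory = "/var/lib/acme.sh/selfsign";
-};
-script = "minica --domains selfsigned.local";
-};
-systemd.services.nginx = {
-requires = [ "yori-selfsigned-ca.service" ];
-after = [ "yori-selfsigned-ca.service" ];
-};
+security.y-selfsigned.enable = true;
 
 services.nginx = {
 enable = true;
@@ -64,8 +41,7 @@
 };
 virtualHosts."frumar.yori.cc" = {
 enableACME = lib.mkForce false;
-sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem";
-sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
+inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
 };
 };
 boot.supportedFilesystems = [ "zfs" ];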
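Review bot: Enabling the module without setting `security.y-selfsigned.directory` silently relocates the fallback material: the removed lines used `/var/lib/acme.sh/selfsign`, whereas the module added in this commit defaults to `/var/lib/selfsign`, and the unit is renamed from `yori-selfsigned-ca` to `y-selfsigned-ca`. On the next activation minica will generate new key material (its root CA plus the leaf certificate) under the new path and nginx will serve a different certificate, while the previous private key at `/var/lib/acme.sh/selfsign` stays on disk unmanaged. If continuity is intended, add `security.y-selfsigned.directory = "/var/lib/acme.sh/selfsign";` next to the enable line; otherwise add a tmpfiles rule that removes the old directory so the unused key does not linger. The attribute set these hunks belong to starts and ends outside the hunks.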
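--- /dev/null
+++ b/[path not shown on page: file 2]
@@ -0,0 +1,65 @@
+{ pkgs, config, lib, ...}: let
+cfg = config.security.y-selfsigned;
+in {
+options.security.y-selfsigned = with lib; {
+enable = mkEnableOption "Enable generating a self-signed certificate";
+directory = mkOption {
+type = types.str;
+default = "/var/lib/selfsign";
+description = "Directory to store the self-signed certificate";
+};
+domain = mkOption {
+type = types.str;
+default = "selfsigned.local";
+description = "Domain to generate the self-signed certificate for";
+};
+sslCertificate = mkOption {
+type = types.str;
+readOnly = true;
+default = "${cfg.directory}/${cfg.domain}/cert.pem";
+description = "Path to the self-signed certificate";
+};
+sslCertificateKey = mkOption {
+type = types.str;
+readOnly = true;
+default = "${cfg.directory}/${cfg.domain}/key.pem";
+description = "Path to the self-signed certificate key";
+};
+user = mkOption {
+type = types.str;
+default = "nginx";
+description = "User to run the self-signed certificate generator as";
+};
+group = mkOption {
+type = types.str;
+default = "nginx";
+description = "Group to run the self-signed certificate generator as";
+};
+};
+config = lib.mkIf cfg.enable {
+systemd.tmpfiles.rules = lib.mkAfter [
+"d ${cfg.directory} 0700 ${cfg.user} ${cfg.group}"
+];
+systemd.services."y-selfsigned-ca" = {
+description = "Generate self-signed fallback";
+path = with pkgs; [ minica ];
+unitConfig = {
+ConditionPathExists = "!${cfg.sslCertificateKey}";
+StartLimitIntervalSec = 0;
+};
+serviceConfig = {
+User = cfg.user;
+Group = cfg.group;
+UMask = "0077";
+Type = "oneshot";
+PrivateTmp = true;
+WorkingDirectory = cfg.directory;
+};
+script = "minica --domains ${cfg.domain}";
+};
+systemd.services.nginx = {
+requires = [ "y-selfsigned-ca.service" ];
+after = [ "y-selfsigned-ca.service" ];
+};
+};
+}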
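Review bot: `ConditionPathExists = "!${cfg.sslCertificateKey}"` only checks that key.pem is absent, so once a certificate exists it is never regenerated; minica's leaf certificates have a finite validity (on the order of a couple of years by default, to be confirmed), after which nginx keeps serving an expired fallback until someone clears the directory by hand. That deserves a comment on the line, e.g. `# one-shot: an existing key is never replaced, so an expired cert must be removed manually`, or a periodic check of the certificate's notAfter that deletes the pair shortly before expiry so this unit re-runs. Separately, `directory` is declared as `types.str`; `types.path` would reject relative or empty values that the tmpfiles `d` rule and `WorkingDirectory` would otherwise accept, and its description could mention that minica also writes its root CA key and certificate (by default `minica-key.pem`/`minica.pem`) into this directory, which is why the `0700` mode and `UMask = "0077"` matter. The `systemd.services.nginx` ordering is hard-wired even though `user`/`group` are configurable, so as written the module is nginx-specific despite its generic option names.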
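--- a/[path not shown on page: file 3]
+++ b/[path not shown on page: file 3]
@@ -10,6 +10,7 @@ in {
 ../modules/lumi-cache.nix
 ../modules/lumi-vpn.nix
 ../modules/muflax-blog.nix
+../modules/selfsigned.nix
 ../services
 ];
 age.secrets = {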