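# NixOS module: generate a self-signed fallback certificate with minica on first
# start, so nginx has usable TLS material before a "real" certificate exists.
#
# Layout produced under `directory` (minica writes into its working directory):
#   <directory>/<domain>/cert.pem   leaf certificate   (-> sslCertificate)
#   <directory>/<domain>/key.pem    leaf private key   (-> sslCertificateKey)
#   <directory>/minica.pem, minica-key.pem   the throw-away CA pair
# The CA key lives next to the leaf key, which is why the whole directory is 0700.
{ pkgs, config, lib, ... }:
let
  cfg = config.security.y-selfsigned;
in {
  options.security.y-selfsigned = with lib; {
    # mkEnableOption already prefixes "Whether to enable ", so pass only the
    # thing being enabled (the old text rendered as "Whether to enable Enable ...").
    enable = mkEnableOption "generating a self-signed certificate";

    directory = mkOption {
      type = types.str;
      default = "/var/lib/selfsign";
      description = "Directory to store the self-signed certificate";
    };

    domain = mkOption {
      type = types.str;
      default = "selfsigned.local";
      # NOTE(review): minica accepts a comma-separated list here and names the
      # output directory after the first entry - the sslCertificate* paths
      # below assume a single domain; confirm before passing several.
      description = "Domain to generate the self-signed certificate for";
    };

    # Derived, read-only paths so other modules (e.g. nginx virtualHosts) can
    # reference the generated files without duplicating the layout.
    sslCertificate = mkOption {
      type = types.str;
      readOnly = true;
      default = "${cfg.directory}/${cfg.domain}/cert.pem";
      description = "Path to the self-signed certificate";
    };

    sslCertificateKey = mkOption {
      type = types.str;
      readOnly = true;
      default = "${cfg.directory}/${cfg.domain}/key.pem";
      description = "Path to the self-signed certificate key";
    };

    # The generator runs as this user/group; the consumer (nginx) must be able
    # to read the 0700 directory, so these default to nginx's identity.
    user = mkOption {
      type = types.str;
      default = "nginx";
      description = "User to run the self-signed certificate generator as";
    };

    group = mkOption {
      type = types.str;
      default = "nginx";
      description = "Group to run the self-signed certificate generator as";
    };
  };

  config = lib.mkIf cfg.enable {
    # Owner-only directory: it will hold both the leaf key and the CA key.
    systemd.tmpfiles.rules = lib.mkAfter [
      "d ${cfg.directory} 0700 ${cfg.user} ${cfg.group}"
    ];

    systemd.services."y-selfsigned-ca" = {
      description = "Generate self-signed fallback";
      path = with pkgs; [ minica ];

      unitConfig = {
        # Only run while no key exists. A unit skipped by a failed Condition
        # still satisfies nginx's Requires=, so nginx is not held back later.
        # NOTE(review): nothing renews or regenerates the certificate while the
        # key file remains; remove "${cfg.directory}/${cfg.domain}" to force a
        # fresh pair.
        ConditionPathExists = "!${cfg.sslCertificateKey}";
        StartLimitIntervalSec = 0;
      };

      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        # Everything minica creates ends up 0600/0700 regardless of the
        # modes it asks for.
        UMask = "0077";
        Type = "oneshot";
        PrivateTmp = true;
        WorkingDirectory = cfg.directory;
        # Key generation is purely local: no privileges, no network and no
        # writes outside the state directory are needed, so deny them.
        NoNewPrivileges = true;
        PrivateNetwork = true;
        PrivateDevices = true;      # still provides /dev/urandom
        ProtectHome = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.directory ];
      };

      # The domain comes from module configuration; quote it so shell
      # metacharacters cannot alter the command line.
      script = "minica --domains ${lib.escapeShellArg cfg.domain}";
    };

    # Make sure the fallback material exists before nginx reads its config.
    systemd.services.nginx = {
      requires = [ "y-selfsigned-ca.service" ];
      after = [ "y-selfsigned-ca.service" ];
    };
  };
}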