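# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

# Opinionated defaults for the NixOS ACME (Let's Encrypt) client.
# Everything below is gated on `clicks.security.acme.enable`; the values under
# `clicks.security.acme.defaults` are forwarded to `security.acme.defaults`.
{ lib, config, ... }:
let
  cfg = config.clicks.security.acme;
in
{
  options.clicks.security.acme = {
    enable = lib.mkEnableOption "Acme defaults";

    staging = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Use the Let's Encrypt staging server";
    };

    defaults = {
      email = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = "Email address to use for Let's Encrypt registration";
      };

      dnsProvider = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        description = "Default provider for getting web certificates";
        default = config.clicks.services.nginx.defaultDnsProvider;
        # The default reads another option; `defaultText` lets option
        # documentation render it without having to evaluate `config`.
        defaultText = lib.literalExpression "config.clicks.services.nginx.defaultDnsProvider";
      };

      environmentFile = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        # A DNS provider needs API credentials, so do not silently default to
        # "no credentials": the caller must either supply a file or opt out
        # with an explicit null. `throw` is lazy and only fires when this
        # option is actually read (i.e. when `enable` is true).
        default =
          if cfg.defaults.dnsProvider == null
          then null
          else throw "config.clicks.security.acme: You should provide an environment file default (or explicitly set to null) if you are using a DNS provider";
        defaultText = lib.literalMD "`null` when `dnsProvider` is `null`; otherwise evaluation fails until a value is set";
        # This is a plain string path: point it at a file outside the Nix
        # store (e.g. one provisioned by a secrets manager) so the provider
        # credentials are not world-readable under /nix/store.
        description = "Environment file containing DNS provider credentials";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    security.acme = {
      # The NixOS ACME module refuses to request certificates until the
      # Let's Encrypt terms of service are accepted.
      acceptTerms = true;

      defaults = {
        inherit (cfg.defaults) email dnsProvider environmentFile;

        # Let nginx read the issued key material when it is enabled.
        group = lib.mkIf config.services.nginx.enable "nginx";
        # Staging issues certificates from an untrusted CA but has much higher
        # rate limits; use it while testing so production quotas are not burned.
        server = lib.mkIf cfg.staging "https://acme-staging-v02.api.letsencrypt.org/directory";

        # Reload nginx when certs change.
        reloadServices = lib.optional config.services.nginx.enable "nginx.service";
      };
    };
  };
}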