feat: improve acme wildcard module extension
This commit is contained in:
parent
289fcdd197
commit
4fbd9af0b2
5 changed files with 29 additions and 33 deletions
|
@ -16,7 +16,6 @@ in {
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults = {
|
defaults = {
|
||||||
inherit (acme) email;
|
|
||||||
credentialFiles = {
|
credentialFiles = {
|
||||||
CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
|
CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
|
||||||
CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
|
CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
|
||||||
|
@ -25,6 +24,6 @@ in {
|
||||||
dnsPropagationCheck = true;
|
dnsPropagationCheck = true;
|
||||||
reloadServices = ["nginx"];
|
reloadServices = ["nginx"];
|
||||||
};
|
};
|
||||||
wildcardDomains = acme.domains;
|
inherit (acme) certs;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
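Review bot: Replacing `wildcardDomains = acme.domains;` with `inherit (acme) certs;` hands the whole `acme.certs` attrset to `security.acme.certs`, and under the reworked module a `*.<name>` entry is only appended when a cert sets `wildcard = true` (the new option defaults to false), so any entry carried over from the old domain list without that flag silently loses its wildcard SAN. The `acme` value is defined outside this hunk, so whether every entry sets the flag cannot be confirmed here; a short comment on this line such as `# each cert needs wildcard = true to receive the *.<name> SAN` would make the migration requirement visible. The same pair of hunks appears in the second host file section below this one and the remark applies there too.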
Binary file not shown.
|
@ -16,7 +16,6 @@ in {
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults = {
|
defaults = {
|
||||||
inherit (acme) email;
|
|
||||||
credentialFiles = {
|
credentialFiles = {
|
||||||
CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
|
CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
|
||||||
CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
|
CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
|
||||||
|
@ -25,6 +24,6 @@ in {
|
||||||
dnsPropagationCheck = true;
|
dnsPropagationCheck = true;
|
||||||
reloadServices = ["nginx"];
|
reloadServices = ["nginx"];
|
||||||
};
|
};
|
||||||
wildcardDomains = acme.domains;
|
inherit (acme) certs;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> X25519 Iz/ZYzOsB5ONZTT2azO8HcfvwEdS8zjYv2a+gdSa6Rw
|
-> X25519 AvHay53WfH+7CtbB9XWEkpcXVDqFUtNXmb3O9kkzt3Y
|
||||||
3RvSD6jq4IKXOWmgFiLK0OgZkvrbRQZLqlYgiVMixAY
|
IucF4tsZgx7VsZ1jCuRbGOn/9m5ftvrJ9uBWs+F1XLE
|
||||||
-> piv-p256 xqSe8Q A4BW1CqEWMOdGkIjIqvXJrzC54BBaEbnhywgd1UA9gQf
|
-> piv-p256 xqSe8Q A0rh+U5E0cN7K7oR8TSipN/AyHBxNoohLrGHEIiQ0jWo
|
||||||
lRdaSMaW/xFvzBYk56T6ld64vrFS4EbQdcJJarOd2hE
|
Qhi2dcShCBmodbO+QpxIwjjjMloe4NF9EQrXLecJt/w
|
||||||
-> Xw[-grease ^u-qoTf JV
|
-> wfDXBMR-grease & qyMg
|
||||||
7ht6GO0MH9xXNpmbVpi/NYiy27V0XHtE+qNmMqZSj0/rVtnYWMhm4Ezu+3Y
|
UHgrFeFyejZpOlwsIQ1oviNwQVvNy+qrLfXc9LB5IiNE7MGn4Q
|
||||||
--- EYikW64z1mfwwVgFevfGeo4Sp4994H8WnvbJ+RfxMnc
|
--- OvK6sw/WcdoBELlN6UvJmzSc8Hi/+0xMfq58lxTm3TQ
|
||||||
Pðlðb wqÚZêÿÉÞœä9‚ÁÃí—Ô«:V†ål~(Þƒ¦#xÒ£V[ã|!óæccVn»%®kÊYðr;hS)g�gELÀ€‘wZAôJHµÚj~a´Ëö{®*ªC8·
|
|ú1Û=£_¨¨�m6œÌa®*ñkNÑœº±–ÝÕ_‘±Ÿ~çxÓ=Å÷øúö<
|
||||||
ábÓi!
˜ãÏ#â K4¶‡À/3Ð$I§c7’Uèÿ…Tš°j«×f€Ëj`LX0f•hO%~ª”¥*]Þc“Óñ¯›œÞR¤Aß0Øy¿0¤v¯²¨#{·CÙ.BqW-ÓÄÊÁž1WÂ7/jÈ”ã}!òÓãüçò/„¡öEb%Ô ƒ—št«q¼²!éùe>g€ó)Λd~Üð„¨yA
|
ÛeBG‡^ã·X[FÄq�8Tïø½Š�d^¤Müíˆ{æ]‘>?.jÜ0~ÖU¼tü¡[ŽÊe k ù‘Ìtí½¬ÃÈ_§8còîãJÏÌèIâ®*‡oK^�bkq¢E[0žIeA³†æöt@¶\?
Ï™¥uU¾±ßl˜0ˆ JiÌ�‘ä�¦‰Œ×ŽÍÉÈÏ…Ý74Êò'Ç·\y¨kOÖò?ä×IZ‚g‡(„�þ (&Ô„�¤„½tmɯÐ]&qØY/�O\zÃ{“Ùᬄ_¿½˜ÖDZpžÉ‘>*r?¡>Š¢Ggvuy6˜Òl¶‡áÜÆuàþ’læ¿âB!1j�:DfÒ�˜±ñøäœY̰:`�7¿f<éZ-×A¥Ç®7¿´‰Üp þÚñ”(Ô )‹È~çSùêNÆ·µ·�Ç<!Ü>>‰N¡ÃmNl_?1kqüä–Ãá'$º*1/+•P‡ë…š¯¦Pñ™SDDW¿*âfP3
|
||||||
‰ZŽá¼NÐÏß쟞mo–|„˜ÆrX˜Íˆº6T$¿~5ÜýýÍ‚Rj>û– zh•³•K�IeÀdä}›Nó zZñãšá¢e`e¦Ý�Äb~KÆÐ]hï1—ÇÉè½yF
|
c·@}iË«ðó¹e~-¨!W„4Æñ ÷¶—~`§»Ÿšï›Ý]7±�¿¾5�0øç
|
|
@ -6,8 +6,9 @@
|
||||||
inherit
|
inherit
|
||||||
(lib)
|
(lib)
|
||||||
assertMsg
|
assertMsg
|
||||||
|
attrNames
|
||||||
filter
|
filter
|
||||||
genAttrs
|
filterAttrs
|
||||||
hasInfix
|
hasInfix
|
||||||
head
|
head
|
||||||
mkIf
|
mkIf
|
||||||
|
@ -15,17 +16,19 @@
|
||||||
removeSuffix
|
removeSuffix
|
||||||
types
|
types
|
||||||
;
|
;
|
||||||
|
|
||||||
|
wildcardDomains = attrNames (filterAttrs (_: v: v.wildcard) config.security.acme.certs);
|
||||||
in {
|
in {
|
||||||
options.security.acme.wildcardDomains = mkOption {
|
options.security.acme.certs = mkOption {
|
||||||
default = [];
|
type = types.attrsOf (types.submodule (submod: {
|
||||||
example = ["example.org"];
|
options.wildcard = mkOption {
|
||||||
type = types.listOf types.str;
|
default = false;
|
||||||
description = ''
|
type = types.bool;
|
||||||
All domains for which a wildcard certificate will be generated.
|
description = "If set to true, this will automatically append `*.<domain>` to `extraDomainNames`.";
|
||||||
This will define the given `security.acme.certs` and set `extraDomainNames` correctly,
|
};
|
||||||
but does not fill any options such as credentials or dnsProvider. These have to be set
|
|
||||||
individually for each cert by the user or via `security.acme.defaults`.
|
config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"];
|
||||||
'';
|
}));
|
||||||
};
|
};
|
||||||
|
|
||||||
options.services.nginx.virtualHosts = mkOption {
|
options.services.nginx.virtualHosts = mkOption {
|
||||||
|
@ -36,14 +39,13 @@ in {
|
||||||
description = ''Automatically set useACMEHost with the correct wildcard domain for the virtualHosts's main domain.'';
|
description = ''Automatically set useACMEHost with the correct wildcard domain for the virtualHosts's main domain.'';
|
||||||
};
|
};
|
||||||
config = let
|
config = let
|
||||||
# This retrieves all matching wildcard certs that would include
|
# This retrieves all matching wildcard certs that would include the corresponding domain.
|
||||||
# the corresponding domain. If no such domain is defined in
|
# If no such domain is found then an assertion is triggered.
|
||||||
# security.acme.wildcardDomains, an assertion is triggered.
|
|
||||||
domain = submod.config._module.args.name;
|
domain = submod.config._module.args.name;
|
||||||
matchingCerts =
|
matchingCerts =
|
||||||
filter
|
filter
|
||||||
(x: !hasInfix "." (removeSuffix ".${x}" domain))
|
(x: !hasInfix "." (removeSuffix ".${x}" domain))
|
||||||
config.security.acme.wildcardDomains;
|
wildcardDomains;
|
||||||
in
|
in
|
||||||
mkIf submod.config.useACMEWildcardHost {
|
mkIf submod.config.useACMEWildcardHost {
|
||||||
useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
|
useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
|
||||||
|
@ -51,8 +53,4 @@ in {
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
};
|
};
|
||||||
|
|
||||||
config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
|
|
||||||
extraDomainNames = ["*.${domain}"];
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
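Review bot: The new `wildcard` option description says it appends `*.<domain>`, but the code keys on the cert's attribute name: `config.extraDomainNames` uses `submod.config._module.args.name`, and the `wildcardDomains` helper in the `let` collects `attrNames` of the filtered certs, which is what the nginx `useACMEHost` matching later compares against. If a cert's `domain` option differs from its attribute name, the wildcard SAN and the vhost match will both be derived from the name, not from `domain`. I would reword the description to `"If set to true, automatically appends `*.<name>` (the attribute name of this cert, not its `domain` option) to `extraDomainNames`."` so users know which value drives it; the alternative of using `submod.config.domain` in both places is worth a conscious decision rather than an accident. The submodule and the enclosing `options` block extend beyond this hunk.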