feat: improve acme wildcard module extension

2024-04-08 15:55:08 +02:00 · 2024-04-08 15:55:08 +02:00 · 4fbd9af0b2
commit 4fbd9af0b2
parent 289fcdd197
5 changed files with 29 additions and 33 deletions
--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@ -16,7 +16,6 @@ in {
  security.acme = {
    acceptTerms = true;
    defaults = {
-      inherit (acme) email;
      credentialFiles = {
        CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
        CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
@ -25,6 +24,6 @@ in {
      dnsPropagationCheck = true;
      reloadServices = ["nginx"];
    };
-    wildcardDomains = acme.domains;
+    inherit (acme) certs;
  };
 }
--- a/hosts/envoy/secrets/local.nix.age
+++ b/hosts/envoy/secrets/local.nix.age
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@ -16,7 +16,6 @@ in {
  security.acme = {
    acceptTerms = true;
    defaults = {
-      inherit (acme) email;
      credentialFiles = {
        CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
        CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
@ -25,6 +24,6 @@ in {
      dnsPropagationCheck = true;
      reloadServices = ["nginx"];
    };
-    wildcardDomains = acme.domains;
+    inherit (acme) certs;
  };
 }
--- a/hosts/sentinel/secrets/local.nix.age
+++ b/hosts/sentinel/secrets/local.nix.age
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> X25519 Iz/ZYzOsB5ONZTT2azO8HcfvwEdS8zjYv2a+gdSa6Rw
-3RvSD6jq4IKXOWmgFiLK0OgZkvrbRQZLqlYgiVMixAY
-> piv-p256 xqSe8Q A4BW1CqEWMOdGkIjIqvXJrzC54BBaEbnhywgd1UA9gQf
-lRdaSMaW/xFvzBYk56T6ld64vrFS4EbQdcJJarOd2hE
-> Xw[-grease ^u-qoTf JV
-7ht6GO0MH9xXNpmbVpi/NYiy27V0XHtE+qNmMqZSj0/rVtnYWMhm4Ezu+3Y
--- EYikW64z1mfwwVgFevfGeo4Sp4994H8WnvbJ+RfxMnc
-Pðlðb wqÚZêÿÉÞœä9‚ÁÃí—Ô«:V†ål~(Þƒ¦#xÒ£V[ã|!óæccVn»%®kÊYðr;hS)g�gELÀ€‘wZAôJHµÚj~a´Ëö{®*ªC8·
-ábÓi!
˜ãÏ#â	K4¶‡À/3Ð$I§c7’Uèÿ…Tš°j«×f€Ëj`LX0f•hO%~ª”¥*]Þc“Óñ¯›œÞR¤Aß0Øy¿0¤v¯²¨#{·CÙ.BqW-ÓÄÊÁž1WÂ7/jÈ”ã}!òÓãüçò/„¡öEb%Ô ƒ—št«q¼²!éùe>g€ó)Î›d~Üð„¨yA
-‰ZŽá¼NÐÏßìŸžmo–|„˜ÆrX˜Íˆº6T$¿~5ÜýýÍ‚Rj>û– zh•³•K�IeÀdä}›Nó zZñãšá¢e`e¦Ý�Äb~KÆÐ]hï1—ÇÉè½yF
+-> X25519 AvHay53WfH+7CtbB9XWEkpcXVDqFUtNXmb3O9kkzt3Y
+IucF4tsZgx7VsZ1jCuRbGOn/9m5ftvrJ9uBWs+F1XLE
+-> piv-p256 xqSe8Q A0rh+U5E0cN7K7oR8TSipN/AyHBxNoohLrGHEIiQ0jWo
+Qhi2dcShCBmodbO+QpxIwjjjMloe4NF9EQrXLecJt/w
+-> wfDXBMR-grease & qyMg
+UHgrFeFyejZpOlwsIQ1oviNwQVvNy+qrLfXc9LB5IiNE7MGn4Q
+--- OvK6sw/WcdoBELlN6UvJmzSc8Hi/+0xMfq58lxTm3TQ
+|ú1Û=£_¨¨�m6œÌa®*ñkNÑœº±–ÝÕ_‘±Ÿ~çxÓ=Å÷øúö<
+ÛeBG‡^ã·X[FÄq�8Tïø½Š�d^¤Müíˆ{æ]‘>?.jÜ0~ÖU¼tü¡[ŽÊe	k	ù‘Ìtí½¬ÃÈ_§8còîãJÏÌèIâ®*‡oK^�bkq¢E[0žIeA³†æöt@¶\?
Ï™¥uU¾±ßl˜0ˆ JiÌ�‘ä�¦‰Œ×ŽÍÉÈÏ…Ý74Êò'Ç·\y¨kOÖò?ä×IZ‚g‡(„�þ (&Ô„�¤„½tmÉ¯Ð]&qØY/�O\zÃ{“Ùá¬„_¿½˜ÖÇ±pžÉ‘>*r?¡>Š¢Ggvuy6˜Òl¶‡áÜÆuàþ’læ¿âB!1j�:DfÒ�˜±ñøäœYÌ°:`�7¿f<éZ-×A¥Ç®7¿´‰Üp	þÚñ”(Ô	)‹È~çSùêNÆ·µ·�Ç<!Ü>>‰N¡ÃmNl_?1kqüä–Ãá'$º*1/+•P‡ë…š¯¦Pñ™SDDW¿*âfP3
+c·@}iË«ðó¹e~-¨!W„4Æñ	÷¶—~`§»Ÿšï›Ý]7±�¿¾5�0øç
--- a/modules/acme-wildcard.nix
+++ b/modules/acme-wildcard.nix
@ -6,8 +6,9 @@
  inherit
    (lib)
    assertMsg
+    attrNames
    filter
-    genAttrs
+    filterAttrs
    hasInfix
    head
    mkIf
@ -15,17 +16,19 @@
    removeSuffix
    types
    ;
+
+  wildcardDomains = attrNames (filterAttrs (_: v: v.wildcard) config.security.acme.certs);
 in {
-  options.security.acme.wildcardDomains = mkOption {
-    default = [];
-    example = ["example.org"];
-    type = types.listOf types.str;
-    description = ''
-      All domains for which a wildcard certificate will be generated.
-      This will define the given `security.acme.certs` and set `extraDomainNames` correctly,
-      but does not fill any options such as credentials or dnsProvider. These have to be set
-      individually for each cert by the user or via `security.acme.defaults`.
-    '';
+  options.security.acme.certs = mkOption {
+    type = types.attrsOf (types.submodule (submod: {
+      options.wildcard = mkOption {
+        default = false;
+        type = types.bool;
+        description = "If set to true, this will automatically append `*.<domain>` to `extraDomainNames`.";
+      };
+
+      config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"];
+    }));
  };

  options.services.nginx.virtualHosts = mkOption {
@ -36,14 +39,13 @@ in {
        description = ''Automatically set useACMEHost with the correct wildcard domain for the virtualHosts's main domain.'';
      };
      config = let
-        # This retrieves all matching wildcard certs that would include
-        # the corresponding domain. If no such domain is defined in
-        # security.acme.wildcardDomains, an assertion is triggered.
+        # This retrieves all matching wildcard certs that would include the corresponding domain.
+        # If no such domain is found then an assertion is triggered.
        domain = submod.config._module.args.name;
        matchingCerts =
          filter
          (x: !hasInfix "." (removeSuffix ".${x}" domain))
-          config.security.acme.wildcardDomains;
+          wildcardDomains;
      in
        mkIf submod.config.useACMEWildcardHost {
          useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
@ -51,8 +53,4 @@ in {
        };
    }));
  };
-
-  config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
-    extraDomainNames = ["*.${domain}"];
-  });
 }