forked from mirrors_public/oddlama_nix-config
63 lines
1.8 KiB
Nix
63 lines
1.8 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
assertMsg
|
|
elem
|
|
filter
|
|
genAttrs
|
|
hasInfix
|
|
head
|
|
mkIf
|
|
mkOption
|
|
removeSuffix
|
|
types
|
|
;
|
|
in
|
|
{
|
|
options.security.acme.wildcardDomains = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
description = ''
|
|
List of domains to which a wilcard certificate exists under the same name in `certs`.
|
|
All of these certs will automatically have `*.<domain>` appended to `extraDomainNames`.
|
|
'';
|
|
};
|
|
|
|
options.services.nginx.virtualHosts = mkOption {
|
|
type = types.attrsOf (
|
|
types.submodule (submod: {
|
|
options.useACMEWildcardHost = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''Automatically set useACMEHost with the correct wildcard domain for the virtualHosts's main domain.'';
|
|
};
|
|
config =
|
|
let
|
|
# This retrieves all matching wildcard certs that would include the corresponding domain.
|
|
# If no such domain is found then an assertion is triggered.
|
|
domain = submod.config._module.args.name;
|
|
matchingCerts =
|
|
if elem domain config.security.acme.wildcardDomains then
|
|
[ domain ]
|
|
else
|
|
filter (x: !hasInfix "." (removeSuffix ".${x}" domain)) config.security.acme.wildcardDomains;
|
|
in
|
|
mkIf submod.config.useACMEWildcardHost {
|
|
useACMEHost =
|
|
assert assertMsg (
|
|
matchingCerts != [ ]
|
|
) "No wildcard certificate was defined that matches ${domain}";
|
|
head matchingCerts;
|
|
};
|
|
})
|
|
);
|
|
};
|
|
|
|
config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
|
|
extraDomainNames = [ "*.${domain}" ];
|
|
});
|
|
}
|