k 3 nginx: add ssl.acmeEnable option
This commit is contained in:
lassulus
parent
eb0bd41a0d
commit
d279999a9c
@ -53,9 +53,22 @@ let
|
|||||||
default = "";
|
default = "";
|
||||||
};
|
};
|
||||||
ssl = mkOption {
|
ssl = mkOption {
|
||||||
type = with types; submodule ({
|
type = with types; submodule ({ config, ... }: {
|
||||||
options = {
|
options = {
|
||||||
enable = mkEnableOption "ssl";
|
enable = mkEnableOption "ssl";
|
||||||
|
acmeEnable = mkOption {
|
||||||
|
type = bool;
|
||||||
|
apply = x:
|
||||||
|
if x && config.enable
|
||||||
|
#conflicts because of certificate/certificate_key location
|
||||||
|
then throw "can't use ssl.enable and ssl.acmeEnable together"
|
||||||
|
else x;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
enables automatical generation of lets-encrypt certificates and setting them as certificate
|
||||||
|
conflicts with ssl.enable
|
||||||
|
'';
|
||||||
|
};
|
||||||
certificate = mkOption {
|
certificate = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
@ -95,6 +108,7 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
|
security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
httpConfig = ''
|
httpConfig = ''
|
||||||
@ -117,13 +131,24 @@ let
|
|||||||
|
|
||||||
indent = replaceChars ["\n"] ["\n "];
|
indent = replaceChars ["\n"] ["\n "];
|
||||||
|
|
||||||
|
to-acme = { server-names, ssl, ... }:
|
||||||
|
optionalAttrs ssl.acmeEnable {
|
||||||
|
email = "lassulus@gmail.com";
|
||||||
|
webroot = "${config.security.acme.directory}/${head server-names}";
|
||||||
|
};
|
||||||
|
|
||||||
to-location = { name, value }: ''
|
to-location = { name, value }: ''
|
||||||
location ${name} {
|
location ${name} {
|
||||||
${indent value}
|
${indent value}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
|
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
|
||||||
|
domain = head server-names;
|
||||||
|
acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
|
||||||
|
root ${config.security.acme.certs.${domain}.webroot};
|
||||||
|
'');
|
||||||
|
in ''
|
||||||
server {
|
server {
|
||||||
server_name ${toString (unique server-names)};
|
server_name ${toString (unique server-names)};
|
||||||
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
||||||
@ -142,7 +167,23 @@ let
|
|||||||
ssl_ciphers ${ssl.ciphers};
|
ssl_ciphers ${ssl.ciphers};
|
||||||
ssl_protocols ${toString ssl.protocols};
|
ssl_protocols ${toString ssl.protocols};
|
||||||
'')}
|
'')}
|
||||||
|
${optionalString ssl.acmeEnable (indent ''
|
||||||
|
${optionalString ssl.force_encryption ''
|
||||||
|
if ($scheme = http){
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
listen 443 ssl;
|
||||||
|
ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
|
||||||
|
ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
|
||||||
|
${optionalString ssl.prefer_server_ciphers ''
|
||||||
|
ssl_prefer_server_ciphers On;
|
||||||
|
''}
|
||||||
|
ssl_ciphers ${ssl.ciphers};
|
||||||
|
ssl_protocols ${toString ssl.protocols};
|
||||||
|
'')}
|
||||||
${indent extraConfig}
|
${indent extraConfig}
|
||||||
|
${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
|
||||||
${indent (concatMapStrings to-location locations)}
|
${indent (concatMapStrings to-location locations)}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user