···
+
preliminarySelfsigned = mkOption {
+
Whether a preliminary self-signed certificate should be generated before
+
doing ACME requests. This can be useful when certificates are required in
+
a webserver, but ACME needs the webserver to make its requests.
+
With preliminary self-signed certificate the webserver can be started and
+
can later reload the correct ACME certificates.
type = types.loaOf types.optionSet;
···
(mkIf (cfg.certs != { }) {
+
services = concatLists servicesLists;
+
servicesLists = mapAttrsToList certToServices cfg.certs;
+
certToServices = cert: data:
+
cpath = "${cfg.directory}/${cert}";
+
rights = if data.allowKeysForGroup then "750" else "700";
+
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
+
++ optionals (data.email != null) [ "--email" data.email ]
+
++ concatMap (p: [ "-f" p ]) data.plugins
+
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
+
description = "Renew ACME Certificate for ${cert}";
+
after = [ "network.target" ];
+
SuccessExitStatus = [ "0" "1" ];
+
PermissionsStartOnly = true;
+
path = [ pkgs.simp_le ];
+
mkdir -p '${cfg.directory}'
+
if [ ! -d '${cpath}' ]; then
+
chmod ${rights} '${cpath}'
+
chown -R '${data.user}:${data.group}' '${cpath}'
+
simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
+
echo "$EXITCODE" > /tmp/lastExitCode
+
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
+
echo "Executing postRun hook..."
+
before = [ "acme-certificates.target" ];
+
wantedBy = [ "acme-certificates.target" ];
+
description = "Create preliminary self-signed certificate for ${cert}";
+
chmod ${rights} '${cpath}'
+
chown '${data.user}:${data.group}' '${cpath}'
+
# Create self-signed key
+
workdir="/run/acme-selfsigned-${cert}"
+
${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048
+
${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key
+
${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \
+
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
+
${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt
+
# Move key to destination
+
mv $workdir/server.key ${cpath}/key.pem
+
mv $workdir/server.crt ${cpath}/fullchain.pem
+
# Clean up working directory
+
rm $workdir/server.pass.key
+
# Give key acme permissions
+
chmod ${rights} '${cpath}/key.pem'
+
chown '${data.user}:${data.group}' '${cpath}/key.pem'
+
chmod ${rights} '${cpath}/fullchain.pem'
+
chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
+
RuntimeDirectory = "acme-selfsigned-${cert}";
+
PermissionsStartOnly = true;
+
# Do not create self-signed key when key already exists
+
ConditionPathExists = "!${cpath}/key.pem";
+
"acme-selfsigned-certificates.target"
+
"acme-selfsigned-certificates.target"
+
[ { name = "acme-${cert}"; value = acmeService; } ]
+
(if cfg.preliminarySelfsigned
+
then [ { name = "acme-selfsigned-${cert}"; value = selfsignedService; } ]
+
servicesAttr = listToAttrs services;
+
after = [ "acme-selfsigned-certificates.target" ];
+
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
+
(if config.services.nginx.enable then nginxAttr else {});
systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
···
+
systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {};
+
systemd.targets."acme-certificates" = {};
{ meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
pyrox.dev
bobvanderlinden.tngl.sh