commit 5f105f87787b15a4f7179b6414b9fbe4063e34da · pyrox.dev/nixpkgs

+31
nixos/modules/security/acme/default.nix
···

       365
       365
        
               # Only try loading the credentialsFile if the dns challenge is enabled

     

       366
       366
        
               EnvironmentFile = mkIf useDns data.credentialsFile;

     

       367
       367
        
       

     

       368
       368
       +
               Environment = mkIf useDns

     

       369
       369
       +
                 (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);

     

       370
       370
       +
       

     

       371
       371
       +
               LoadCredential = mkIf useDns

     

       372
       372
       +
                 (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);

     

       373
       373
       +
       

     

       368
       374
        
               # Run as root (Prefixed with +)

     

       369
       375
        
               ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''

     

       370
       376
        
                 cd /var/lib/acme/${escapeShellArg cert}

     
···

       617
       623
        
                 <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.

     

       618
       624
        
               '';

     

       619
       625
        
               example = "/var/src/secrets/example.org-route53-api-token";

     

       626
       626
       +
             };

     

       627
       627
       +
       

     

       628
       628
       +
             credentialFiles = mkOption {

     

       629
       629
       +
               type = types.attrsOf (types.path);

     

       630
       630
       +
               inherit (defaultAndText "credentialFiles" {}) default defaultText;

     

       631
       631
       +
               description = lib.mdDoc ''

     

       632
       632
       +
                 Environment variables suffixed by "_FILE" to set for the cert's service

     

       633
       633
       +
                 for your selected dnsProvider.

     

       634
       634
       +
                 To find out what values you need to set, consult the documentation at

     

       635
       635
       +
                 <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.

     

       636
       636
       +
                 This allows to securely pass credential files to lego by leveraging systemd

     

       637
       637
       +
                 credentials.

     

       638
       638
       +
               '';

     

       639
       639
       +
               example = literalExpression ''

     

       640
       640
       +
                 {

     

       641
       641
       +
                   "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";

     

       642
       642
       +
                 }

     

       643
       643
       +
               '';

     

       620
       644
        
             };

     

       621
       645
        
       

     

       622
       646
        
             dnsPropagationCheck = mkOption {

     
···

       927
       951
        
                   One of `security.acme.certs.${cert}.dnsProvider`,

     

       928
       952
        
                   `security.acme.certs.${cert}.webroot`, or

     

       929
       953
        
                   `security.acme.certs.${cert}.listenHTTP` must be provided.

     

       954
       954
       +
                 '';

     

       955
       955
       +
               }

     

       956
       956
       +
               {

     

       957
       957
       +
                 assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles);

     

       958
       958
       +
                 message = ''

     

       959
       959
       +
                   Option `security.acme.certs.${cert}.credentialFiles` can only be

     

       960
       960
       +
                   used for variables suffixed by "_FILE".

     

       930
       961
        
                 '';

     

       931
       962
        
               }

     

       932
       963
        
             ]) cfg.certs));