pyrox.dev / nixpkgs
lol
fork atom

nixos/acme: validMin & renewInterval aren't cert-specific

Franz Pletz 9374ddb8 0517d59a

options
unified split
Changed files
+18 -18
nixos
modules
security
acme.nix
+18 -18
nixos/modules/security/acme.nix 
···

       
19

       
 

       
        '';


     

       
20

       
 

       
      };


     

       
21

       
 

       



     

       
22

       
-

       
      validMin = mkOption {


     

       
23

       
-

       
        type = types.int;


     

       
24

       
-

       
        default = 30 * 24 * 3600;


     

       
25

       
-

       
        description = "Minimum remaining validity before renewal in seconds.";


     

       
26

       
-

       
      };


     

       
27

       
-

       



     

       
28

       
-

       
      renewInterval = mkOption {


     

       
29

       
-

       
        type = types.str;


     

       
30

       
-

       
        default = "weekly";


     

       
31

       
-

       
        description = ''


     

       
32

       
-

       
          Systemd calendar expression when to check for renewal. See


     

       
33

       
-

       
          <citerefentry><refentrytitle>systemd.time</refentrytitle>


     

       
34

       
-

       
          <manvolnum>5</manvolnum></citerefentry>.


     

       
35

       
-

       
        '';


     

       
36

       
-

       
      };


     

       
37

       
-

       



     

       
38

       
 

       
      email = mkOption {


     

       
39

       
 

       
        type = types.nullOr types.str;


     

       
40

       
 

       
        default = null;


     
···

       
108

       
 

       
        '';


     

       
109

       
 

       
      };


     

       
110

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
111

       
 

       
      certs = mkOption {


     

       
112

       
 

       
        default = { };


     

       
113

       
 

       
        type = types.loaOf types.optionSet;


     
···

       
136

       
 

       
    systemd.services = flip mapAttrs' cfg.certs (cert: data:


     

       
137

       
 

       
      let


     

       
138

       
 

       
        cpath = "${cfg.directory}/${cert}";


     

       
139

       
-

       
        cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" data.validMin ]


     

       
140

       
 

       
                  ++ optionals (data.email != null) [ "--email" data.email ]


     

       
141

       
 

       
                  ++ concatMap (p: [ "-f" p ]) data.plugins


     

       
142

       
 

       
                  ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);


     
···

       
186

       
 

       
        description = "timer for ACME cert renewal of ${cert}";


     

       
187

       
 

       
        wantedBy = [ "timers.target" ];


     

       
188

       
 

       
        timerConfig = {


     

       
189

       
-

       
          OnCalendar = data.renewInterval;


     

       
190

       
 

       
          Unit = "acme-simp_le-${cert}.service";


     

       
191

       
 

       
        };


     

       
192

       
 

       
      })


     
···

       
19

       
 

       
        '';


     

       
20

       
 

       
      };


     

       
21

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
22

       
 

       
      email = mkOption {


     

       
23

       
 

       
        type = types.nullOr types.str;


     

       
24

       
 

       
        default = null;


     
···

       
92

       
 

       
        '';


     

       
93

       
 

       
      };


     

       
94

       
 

       



     

       
95

       
+

       
      validMin = mkOption {


     

       
96

       
+

       
        type = types.int;


     

       
97

       
+

       
        default = 30 * 24 * 3600;


     

       
98

       
+

       
        description = "Minimum remaining validity before renewal in seconds.";


     

       
99

       
+

       
      };


     

       
100

       
+

       



     

       
101

       
+

       
      renewInterval = mkOption {


     

       
102

       
+

       
        type = types.str;


     

       
103

       
+

       
        default = "weekly";


     

       
104

       
+

       
        description = ''


     

       
105

       
+

       
          Systemd calendar expression when to check for renewal. See


     

       
106

       
+

       
          <citerefentry><refentrytitle>systemd.time</refentrytitle>


     

       
107

       
+

       
          <manvolnum>5</manvolnum></citerefentry>.


     

       
108

       
+

       
        '';


     

       
109

       
+

       
      };


     

       
110

       
+

       



     

       
111

       
 

       
      certs = mkOption {


     

       
112

       
 

       
        default = { };


     

       
113

       
 

       
        type = types.loaOf types.optionSet;


     
···

       
136

       
 

       
    systemd.services = flip mapAttrs' cfg.certs (cert: data:


     

       
137

       
 

       
      let


     

       
138

       
 

       
        cpath = "${cfg.directory}/${cert}";


     

       
139

       
+

       
        cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]


     

       
140

       
 

       
                  ++ optionals (data.email != null) [ "--email" data.email ]


     

       
141

       
 

       
                  ++ concatMap (p: [ "-f" p ]) data.plugins


     

       
142

       
 

       
                  ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);


     
···

       
186

       
 

       
        description = "timer for ACME cert renewal of ${cert}";


     

       
187

       
 

       
        wantedBy = [ "timers.target" ];


     

       
188

       
 

       
        timerConfig = {


     

       
189

       
+

       
          OnCalendar = cfg.renewInterval;


     

       
190

       
 

       
          Unit = "acme-simp_le-${cert}.service";


     

       
191

       
 

       
        };


     

       
192

       
 

       
      })