From fd156bcd3028a42b6d6a56dc1956d934bf8ea2c9 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Sat, 7 Jan 2023 01:26:07 -0600
Subject: env/acme: move domains, certs out of dmz
---
env/acme/default.nix | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 env/acme/default.nix
(limited to 'env/acme/default.nix')
diff --git a/env/acme/default.nix b/env/acme/default.nix
new file mode 100644
index 0000000..779b4e2
--- /dev/null
+++ b/env/acme/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local;
+in
+{
+ options.local = with types; {
+ domains = mkOption {
+ type = attrsOf (attrsOf str);
+ };
+
+ certs = mapAttrs
+ (_: _: {
+ enable = mkEnableOption "TLS cert for ${name}";
+ })
+ cfg.domains;
+ };
+
+ config = {
+ security.acme = {
+ acceptTerms = true;
+
+ defaults = {
+ email = "security@${config.networking.domain}";
+ renewInterval = "weekly";
+ };
+
+ certs =
+ let
+ domainSort = sort (a: b: splitString "." a < splitString "." b);
+
+ certConfig = domains: {
+ domain = domains.main;
+ extraDomainNames = domainSort (attrValues (filterAttrs (k: _: k != "main") domains));
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ in
+ mapAttrs'
+ (_: value: nameValuePair value.main (certConfig value))
+ (filterAttrs (name: _: cfg.certs.${name}.enable) cfg.domains);
+ };
+
+ local.domains = import ./domains.nix;
+ };
+}
-- cgit v1.2.3
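Review bot: In the `certs` option declaration, `mkEnableOption "TLS cert for ${name}"` references `name`, but the surrounding lambda binds both of its arguments as `_`, so `name` is unbound and evaluation should fail with an undefined-variable error unless `with lib`/`with types` happens to supply that attribute (I am not aware of one); the fix is `(name: _: {` in place of `(_: _: {`. Separately, building `options.local.certs` by mapping over `cfg.domains` makes the option declaration depend on `config`, which the module system normally reports as infinite recursion; declaring `certs` as `attrsOf (submodule { options.enable = mkEnableOption "TLS cert"; })` avoids that while keeping each certificate opt-in (the `enable` default is false), which is the right posture for issuing public certificates. Lastly, `mapAttrs'` keys the generated `security.acme.certs` by `value.main`, so two entries in `domains.nix` that share the same `main` would silently collapse into one certificate with one of the two SAN lists; an assertion that the `main` values are unique would surface that instead of quietly dropping names from the cert.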