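{ config, lib, ... }:
# NixOS module: declares `local.domains` / `local.certs` and wires every
# enabled domain group into `security.acme.certs`.
with lib; let
  cfg = config.local;
in
{
  options.local = with types; {
    # Domain groups: attrset of group -> (label -> FQDN). Each group must
    # carry a `main` entry; it becomes the certificate's primary name and the
    # key under `security.acme.certs` (see `certConfig` below).
    domains = mkOption {
      type = attrsOf (attrsOf str);
    };

    # One `local.certs.<group>.enable` switch per domain group.
    # NOTE(review): these option declarations are computed from
    # `config.local.domains`; deriving options from `config` can make the
    # module system recurse infinitely — confirm this evaluates, otherwise
    # derive the keys from `import ./domains.nix` directly.
    certs = mapAttrs
      # The group key must be bound as `name`: the original lambda discarded
      # both arguments (`_: _:`), leaving `name` undefined in the description.
      (name: _: {
        enable = mkEnableOption "TLS cert for ${name}";
      })
      cfg.domains;
  };

  config = {
    security.acme = {
      acceptTerms = true;

      defaults = {
        # Account contact for expiry/revocation notices.
        # NOTE(review): interpolation fails if `networking.domain` is null —
        # confirm it is always set on hosts importing this module.
        email = "security@${config.networking.domain}";
        # Renewal is only attempted weekly; a failed attempt is therefore
        # retried a week later, so keep the renewal window wide enough.
        renewInterval = "weekly";

        # HTTP-01 via webroot unless a DNS-01 provider is configured, in which
        # case the webroot must stay unset. HTTP-01 needs port 80 reachable
        # from the CA for every name on the certificate.
        webroot =
          if config.security.acme.defaults.dnsProvider == null
          then "/var/lib/acme/acme-challenge"
          else null;
      };

      certs =
        let
          # Order SANs by their dot-separated labels (Nix compares lists
          # lexicographically) so the generated config is stable.
          domainSort = sort (a: b: splitString "." a < splitString "." b);

          # Build one cert entry: `main` is the subject, the remaining values
          # of the group become SANs.
          certConfig = domains: {
            domain = domains.main;
            extraDomainNames = domainSort (attrValues (filterAttrs (k: _: k != "main") domains));
          };
        in
        # Only groups whose `local.certs.<group>.enable` is set get a cert;
        # the entry is keyed by the group's `main` FQDN.
        mapAttrs'
          (_: value: nameValuePair value.main (certConfig value))
          (filterAttrs (name: _: cfg.certs.${name}.enable) cfg.domains);
    };

    local.domains = import ./domains.nix;
  };
}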