arianvp/gist:6244e5383298d7b688ec889aed312fbb Secret

## gistfile1.txt
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.acme2;

  certOpts = { name, ... }: {
    options = {
      webroot = mkOption {
        type = types.str;
        example = "/var/lib/acme/acme-challenges";
        description = ''
          Where the webroot of the HTTP vhost is located.
          <filename>.well-known/acme-challenge/</filename> directory
          will be created below the webroot if it doesn't exist.
          <literal>http://example.org/.well-known/acme-challenge/</literal> must also
          be available (notice unencrypted HTTP).
        '';
      };

      domain = mkOption {
        type = types.str;
        default = name;
        description = "Domain to fetch certificate for (defaults to the entry name)";
      };

      email = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "Contact email address for the CA to be able to reach you.";
      };

      user = mkOption {
        type = types.str;
        default = "root";
        description = "User running the ACME client.";
      };

      group = mkOption {
        type = types.str;
        default = "root";
        description = "Group running the ACME client.";
      };

      allowKeysForGroup = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Give read permissions to the specified group
          (<option>security.acme.cert.&lt;name&gt;.group</option>) to read SSL private certificates.
        '';
      };

      postRun = mkOption {
        type = types.lines;
        default = "";
        example = "systemctl reload nginx.service";
        description = ''
          Commands to run after new certificates go live. Typically
          the web server and other servers using certificates need to
          be reloaded.

          Executed in the same directory with the new certificate.
        '';
      };

      plugins = mkOption {
        type = types.listOf (types.enum [
          "cert.der" "cert.pem" "chain.pem" "external.sh"
          "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
        ]);
        default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
        description = ''
          Plugins to enable. With default settings simp_le will
          store public certificate bundle in <filename>fullchain.pem</filename>,
          private key in <filename>key.pem</filename> and those two previous
          files combined in <filename>full.pem</filename> in its state directory.
        '';
      };

      activationDelay = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          Systemd time span expression to delay copying new certificates to main
          state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>.
        '';
      };

      preDelay = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Commands to run after certificates are re-issued but before they are
          activated. Typically the new certificate is published to DNS.

          Executed in the same directory with the new certificate.
        '';
      };

      directory = mkOption {
        type = types.str;
        readOnly = true;
        default = "/var/lib/acme/${name}";

      };

      extraDomains = mkOption {
        type = types.attrsOf (types.nullOr types.str);
        default = {};
        example = literalExample ''
          {
            "example.org" = "/srv/http/nginx";
            "mydomain.org" = null;
          }
        '';
        description = ''
          A list of extra domain names, which are included in the one certificate to be issued, with their
          own server roots if needed.
        '';
      };
    };
  };

in

{

  ###### interface

  options = {
    security.acme2 = {

      validMin = mkOption {
        type = types.int;
        default = 30 * 24 * 3600;
        description = "Minimum remaining validity before renewal in seconds.";
      };

      renewInterval = mkOption {
        type = types.str;
        default = "weekly";
        description = ''
          Systemd calendar expression when to check for renewal. See
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>.
        '';
      };

      preliminarySelfsigned = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whether a preliminary self-signed certificate should be generated before
          doing ACME requests. This can be useful when certificates are required in
          a webserver, but ACME needs the webserver to make its requests.

          With preliminary self-signed certificate the webserver can be started and
          can later reload the correct ACME certificates.
        '';
      };

      production = mkOption {
        type = types.bool;
        default = true;
        description = ''
          If set to true, use Let's Encrypt's production environment
          instead of the staging environment. The main benefit of the
          staging environment is to get much higher rate limits.

          See
          <literal>https://letsencrypt.org/docs/staging-environment</literal>
          for more detail.
        '';
      };

      certs = mkOption {
        default = { };
        type = with types; attrsOf (submodule certOpts);
        description = ''
          Attribute set of certificates to get signed and renewed.
        '';
        example = literalExample ''
          {
            "example.com" = {
              webroot = "/var/www/challenges/";
              email = "foo@example.com";
              extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
            };
            "bar.example.com" = {
              webroot = "/var/www/challenges/";
              email = "bar@example.com";
            };
          }
        '';
      };
    };
  };

  ###### implementation
  config = mkMerge (flip mapAttrsToList cfg.certs (cert: data: {
    systemd.services."hello-${cert}".script = "hello";
  }));

}
	{ config, lib, pkgs, ... }:

	with lib;

	let

	cfg = config.security.acme2;

	certOpts = { name, ... }: {
	options = {
	webroot = mkOption {
	type = types.str;
	example = "/var/lib/acme/acme-challenges";
	description = ''
	Where the webroot of the HTTP vhost is located.
	<filename>.well-known/acme-challenge/</filename> directory
	will be created below the webroot if it doesn't exist.
	<literal>http://example.org/.well-known/acme-challenge/</literal> must also
	be available (notice unencrypted HTTP).
	'';
	};

	domain = mkOption {
	type = types.str;
	default = name;
	description = "Domain to fetch certificate for (defaults to the entry name)";
	};

	email = mkOption {
	type = types.nullOr types.str;
	default = null;
	description = "Contact email address for the CA to be able to reach you.";
	};

	user = mkOption {
	type = types.str;
	default = "root";
	description = "User running the ACME client.";
	};

	group = mkOption {
	type = types.str;
	default = "root";
	description = "Group running the ACME client.";
	};

	allowKeysForGroup = mkOption {
	type = types.bool;
	default = false;
	description = ''
	Give read permissions to the specified group
	(<option>security.acme.cert.<name>.group</option>) to read SSL private certificates.
	'';
	};

	postRun = mkOption {
	type = types.lines;
	default = "";
	example = "systemctl reload nginx.service";
	description = ''
	Commands to run after new certificates go live. Typically
	the web server and other servers using certificates need to
	be reloaded.

	Executed in the same directory with the new certificate.
	'';
	};

	plugins = mkOption {
	type = types.listOf (types.enum [
	"cert.der" "cert.pem" "chain.pem" "external.sh"
	"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
	]);
	default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
	description = ''
	Plugins to enable. With default settings simp_le will
	store public certificate bundle in <filename>fullchain.pem</filename>,
	private key in <filename>key.pem</filename> and those two previous
	files combined in <filename>full.pem</filename> in its state directory.
	'';
	};

	activationDelay = mkOption {
	type = types.nullOr types.str;
	default = null;
	description = ''
	Systemd time span expression to delay copying new certificates to main
	state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry>.
	'';
	};

	preDelay = mkOption {
	type = types.lines;
	default = "";
	description = ''
	Commands to run after certificates are re-issued but before they are
	activated. Typically the new certificate is published to DNS.

	Executed in the same directory with the new certificate.
	'';
	};

	directory = mkOption {
	type = types.str;
	readOnly = true;
	default = "/var/lib/acme/${name}";

	};

	extraDomains = mkOption {
	type = types.attrsOf (types.nullOr types.str);
	default = {};
	example = literalExample ''
	{
	"example.org" = "/srv/http/nginx";
	"mydomain.org" = null;
	}
	'';
	description = ''
	A list of extra domain names, which are included in the one certificate to be issued, with their
	own server roots if needed.
	'';
	};
	};
	};

	in

	{

	###### interface

	options = {
	security.acme2 = {

	validMin = mkOption {
	type = types.int;
	default = 30 * 24 * 3600;
	description = "Minimum remaining validity before renewal in seconds.";
	};

	renewInterval = mkOption {
	type = types.str;
	default = "weekly";
	description = ''
	Systemd calendar expression when to check for renewal. See
	<citerefentry><refentrytitle>systemd.time</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry>.
	'';
	};

	preliminarySelfsigned = mkOption {
	type = types.bool;
	default = true;
	description = ''
	Whether a preliminary self-signed certificate should be generated before
	doing ACME requests. This can be useful when certificates are required in
	a webserver, but ACME needs the webserver to make its requests.

	With preliminary self-signed certificate the webserver can be started and
	can later reload the correct ACME certificates.
	'';
	};

	production = mkOption {
	type = types.bool;
	default = true;
	description = ''
	If set to true, use Let's Encrypt's production environment
	instead of the staging environment. The main benefit of the
	staging environment is to get much higher rate limits.

	See
	<literal>https://letsencrypt.org/docs/staging-environment</literal>
	for more detail.
	'';
	};

	certs = mkOption {
	default = { };
	type = with types; attrsOf (submodule certOpts);
	description = ''
	Attribute set of certificates to get signed and renewed.
	'';
	example = literalExample ''
	{
	"example.com" = {
	webroot = "/var/www/challenges/";
	email = "foo@example.com";
	extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
	};
	"bar.example.com" = {
	webroot = "/var/www/challenges/";
	email = "bar@example.com";
	};
	}
	'';
	};
	};
	};

	###### implementation
	config = mkMerge (flip mapAttrsToList cfg.certs (cert: data: {
	systemd.services."hello-${cert}".script = "hello";
	}));

	}