From 5812f0c85e22862f0a49d68ffb60cb26aa702785 Mon Sep 17 00:00:00 2001
From: Zynh Ludwig
Date: Fri, 27 Dec 2024 06:58:10 -0800
Subject: [PATCH] nginx: certs

---
 modules/nginx.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/modules/nginx.nix b/modules/nginx.nix
index 3c70f78..f0bdb1c 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -6,12 +6,36 @@ in {
   options.permafrost.nginx = {
     enable = lib.mkEnableOption "nginx nixos module";
+
+    enableACME = lib.mkEnableOption "acme cert generation and use";
+
+    certDomains = lib.mkOptions {
+      description = "additional domains to register with the ACME cert";
+      default = [ ];
+      type = with lib.types; listOf str;
+    };
+
+    useStagingServer = lib.mkOption {
+      description = "use the letsencrypt staging server";
+      default = true;
+      type = with lib.types; bool;
+    };
   };
 
   config = lib.mkIf cfg.enable {
     services.nginx.enable = true;
     security.acme.acceptTerms = true;
 
     # TODO: security.acme.certs + services.nginx.virtualHosts..useACMEHost
+    security.acme.certs.permafrost = lib.mkIf cfg.enableACME {
+      email = "Zynh0722@gmail.com";
+      domain = "scarlet.zynh.me";
+      renewInterval = "weekly";
+      server =
+        if cfg.useStagingServer
+        then "https://acme-staging-v02.api.letsencrypt.org/directory"
+        else config.security.acme.defaults.server;
+      extraDomainNames = cfg.certDomains;
+    };
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
   };
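Review bot: The `certDomains` option is declared with `lib.mkOptions`, which is not a function in nixpkgs' `lib`; the module will fail to evaluate with an attribute-missing error as soon as the options set is built, regardless of whether `enableACME` is set. It should read `certDomains = lib.mkOption {` to match `useStagingServer` directly below it. Separately, `useStagingServer` defaulting to `true` means the production CA is only used when a consumer explicitly sets it to `false`, and certificates from the staging endpoint are not trusted by clients; that is a reasonable safe default, but the option description should say so, e.g. `description = "use the letsencrypt staging server (issues untrusted test certificates; set to false for production certs)";`. The `# TODO` comment above the new cert block is now half done — the `security.acme.certs` part is implemented here while no `virtualHosts.<name>.useACMEHost = "permafrost"` wiring is added, so either trim the comment to the remaining part or note that hosts are expected to opt in elsewhere. The enclosing module (`in {` … `}`) continues outside the hunk.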