nginx: certs

2024-12-27 06:58:10 -08:00 · 2024-12-27 06:58:10 -08:00 · 5812f0c85e
commit 5812f0c85e
parent 75e970e330
1 changed files with 24 additions and 0 deletions
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -6,12 +6,36 @@ in
 {
  options.permafrost.nginx = {
    enable = lib.mkEnableOption "nginx nixos module";
+
+    enableACME = lib.mkEnableOption "acme cert generation and use";
+
+    certDomains = lib.mkOptions {
+      description = "additional domains to register with the ACME cert";
+      default = [ ];
+      type = with lib.types; listOf str;
+    };
+
+    useStagingServer = lib.mkOption {
+      description = "use the letsencrypt staging server";
+      default = true;
+      type = with lib.types; bool;
+    };
  };

  config = lib.mkIf cfg.enable {
    services.nginx.enable = true;
    security.acme.acceptTerms = true;
    # TODO: security.acme.certs + services.nginx.virtualHosts.<name>.useACMEHost
+    security.acme.certs.permafrost = lib.mkIf cfg.enableACME {
+      email = "Zynh0722@gmail.com";
+      domain = "scarlet.zynh.me";
+      renewInterval = "weekly";
+      server =
+        if cfg.useStagingServer
+        then "https://acme-staging-v02.api.letsencrypt.org/directory"
+        else config.security.acme.defaults.server;
+      extraDomainNames = cfg.certDomains;
+    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };