acme: extract module

hosts/permafrost/configuration.nix

@@ -2,8 +2,9 @@
 
 {
   permafrost.nyazoom.enable = true;
-  permafrost.nginx.enableACME = true;
+  permafrost.forgejo.enable = true;
-  permafrost.nginx.useStagingServer = false;
+  permafrost.acme.enable = true;
+  permafrost.acme.useStagingServer = false;
 
   networking.hostName = "permafrost"; # Define your hostname.
 

modules/acme.nix

@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.permafrost.acme;
+in
+{
+  options.permafrost.acme = {
+    enable = lib.mkEnableOption "acme nixos module";
+
+    certDomains = lib.mkOption {
+      description = "additional domains to register with the ACME cert";
+      default = [ ];
+      type = with lib.types; listOf str;
+    };
+
+    useStagingServer = lib.mkOption {
+      description = "use the letsencrypt staging server";
+      default = true;
+      type = with lib.types; bool;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops.secrets."cloudflare/email" = { };
+    sops.secrets."cloudflare/api_key" = { };
+
+    security.acme.acceptTerms = true;
+    security.acme.certs.permafrost = {
+      email = "Zynh0722@gmail.com";
+      domain = "scarlet.zynh.me";
+      group = config.services.nginx.group;
+      renewInterval = "weekly";
+      server =
+        if cfg.useStagingServer
+        then "https://acme-staging-v02.api.letsencrypt.org/directory"
+        else config.security.acme.defaults.server;
+      extraDomainNames = cfg.certDomains;
+
+      dnsProvider = "cloudflare";
+      credentialFiles = {
+        "CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
+        "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
+      };
+    };
+  };
+}

modules/forgejo.nix

@@ -2,7 +2,7 @@
 
 let
   cfg = config.permafrost.forgejo;
-  ACMEEnabled = config.permafrost.nginx.enableACME;
+  ACMEEnabled = config.permafrost.acme.enable;
 in
 {
   options.permafrost.forgejo = {
@@ -11,10 +11,10 @@ in
 
   config = lib.mkIf cfg.enable {
     permafrost.nginx.enable = lib.mkDefault true;
-    permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "git.zynh.me" ];
+    permafrost.acme.certDomains = lib.mkIf ACMEEnabled [ "git.zynh.me" ];
     services.nginx.virtualHosts."git.zynh.me" = {
-      forceSSL = lib.mkIf ACMEEnabled true;
       serverName = "git.zynh.me";
+      forceSSL = lib.mkIf ACMEEnabled true;
       useACMEHost = lib.mkIf ACMEEnabled "permafrost";
       locations."/" = {
         proxyPass = "http://localhost:3032";

modules/foundry.nix

@@ -2,7 +2,7 @@
 
 let
   cfg = config.permafrost.foundry;
-  ACMEEnabled = config.permafrost.nginx.enableACME;
+  ACMEEnabled = config.permafrost.acme.enable;
 in
 {
   options.permafrost.foundry = {
@@ -14,7 +14,6 @@ in
       permafrost.nginx.enable = lib.mkDefault true;
     }
     {
-      # permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "scarlet.zynh.me" ];
       services.nginx.virtualHosts."scarlet.zynh.me" = {
         serverName = "scarlet.zynh.me";
         forceSSL = lib.mkIf ACMEEnabled true;
@@ -35,10 +34,9 @@ in
       };
     }
     {
-      permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "ddbimporter.zynh.me" ];
+      permafrost.acme.certDomains = lib.mkIf ACMEEnabled [ "ddbimporter.zynh.me" ];
       services.nginx.virtualHosts."ddbimporter.zynh.me" = {
-        # TODO: Force ssl
+        forceSSL = true;
-        # addSSL = true;
         useACMEHost = lib.mkIf ACMEEnabled "permafrost";
         serverName = "ddbimporter.zynh.me";
         locations."/".proxyPass = "http://localhost:3232";

modules/nginx.nix

@@ -7,8 +7,6 @@ in
   options.permafrost.nginx = {
     enable = lib.mkEnableOption "nginx nixos module";
 
-    enableACME = lib.mkEnableOption "acme cert generation and use";
-
     certDomains = lib.mkOption {
       description = "additional domains to register with the ACME cert";
       default = [ ];
@@ -25,28 +23,6 @@ in
   config = lib.mkIf cfg.enable {
     services.nginx.enable = true;
 
-    sops.secrets."cloudflare/email" = { };
-    sops.secrets."cloudflare/api_key" = { };
-
-    security.acme.acceptTerms = true;
-    security.acme.certs.permafrost = lib.mkIf cfg.enableACME {
-      email = "Zynh0722@gmail.com";
-      domain = "scarlet.zynh.me";
-      group = config.services.nginx.group;
-      renewInterval = "weekly";
-      server =
-        if cfg.useStagingServer
-        then "https://acme-staging-v02.api.letsencrypt.org/directory"
-        else config.security.acme.defaults.server;
-      extraDomainNames = cfg.certDomains;
-
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        "CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
-        "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
-      };
-    };
-
     networking.firewall.allowedTCPPorts = [ 80 443 ];
   };
 }

modules/nyazoom.nix

@@ -4,7 +4,7 @@ let
   nyazoom = inputs.nyazoom.packages.${pkgs.system}.default;
 
   cfg = config.permafrost.nyazoom;
-  ACMEEnabled = config.permafrost.nginx.enableACME;
+  ACMEEnabled = config.permafrost.acme.enable;
 in
 {
   options.permafrost.nyazoom = {
@@ -23,13 +23,11 @@ in
     };
 
     permafrost.nginx.enable = lib.mkDefault true;
-    permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "nyazoom.zynh.me" ];
+    permafrost.acme.certDomains = lib.mkIf ACMEEnabled [ "nyazoom.zynh.me" ];
     services.nginx.virtualHosts."nyazoom.zynh.me" = {
-      # TODO: Force ssl
-      # TODO: Force ssl
       serverName = "nyazoom.zynh.me";
-      useACMEHost = lib.mkIf ACMEEnabled "permafrost";
       forceSSL = lib.mkIf ACMEEnabled true;
+      useACMEHost = lib.mkIf ACMEEnabled "permafrost";
       locations."/" = {
         proxyPass = "http://localhost:3000";
         extraConfig = /* nginx */ ''