forked from Zynh0722/permafrost
46 lines
1.3 KiB
Nix
46 lines
1.3 KiB
Nix
{ lib, config, ... }:
|
|
|
|
let
|
|
cfg = config.permafrost.acme;
|
|
in
|
|
{
|
|
options.permafrost.acme = {
|
|
enable = lib.mkEnableOption "acme nixos module";
|
|
|
|
certDomains = lib.mkOption {
|
|
description = "additional domains to register with the ACME cert";
|
|
default = [ ];
|
|
type = with lib.types; listOf str;
|
|
};
|
|
|
|
useStagingServer = lib.mkOption {
|
|
description = "use the letsencrypt staging server";
|
|
default = true;
|
|
type = with lib.types; bool;
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
sops.secrets."cloudflare/email" = { };
|
|
sops.secrets."cloudflare/api_key" = { };
|
|
|
|
security.acme.acceptTerms = true;
|
|
security.acme.certs.permafrost = {
|
|
email = "Zynh0722@gmail.com";
|
|
domain = "scarlet.zynh.me";
|
|
group = config.services.nginx.group;
|
|
renewInterval = "weekly";
|
|
server =
|
|
if cfg.useStagingServer
|
|
then "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
else config.security.acme.defaults.server;
|
|
extraDomainNames = cfg.certDomains;
|
|
|
|
dnsProvider = "cloudflare";
|
|
credentialFiles = {
|
|
"CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
|
|
"CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
|
|
};
|
|
};
|
|
};
|
|
}
|