dotfiles/modules/nixos/security/acme/default.nix

{
  config,
  lib,
  namespace,
  ...
}: let
  inherit (lib) mkOption mkEnableOption mkIf types;

  cfg = config.aa.security.acme;
in {
  options.aa.security.acme = {
    enable = mkEnableOption "Automatic Certificate Management Environment (ACME)";
    useStaging = mkOption {
      type = types.bool;
      description = ''
        Use the staging environment (use when configuring for the first time to
        avoid being locked out).
      '';
      default = false;
    };
    domainName = mkOption {
      type = types.str;
      description = "The domain to request a wildcard cert for.";
    };
    isWildcard = mkOption {
      type = types.bool;
      default = true;
      description = "Whether or not to request a wildcard cert.";
    };
    dnsCredentialsFile = mkOption {
      type = types.path;
      description = "The path to the credentials file for the DNS provider.";
    };
  };

  # Only supports exactly one wildcard cert using Cloudflare (only use case I have)
  config = mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults = {
        email = config.aa.user.email;
        group = "nginx";
        server = mkIf cfg.useStaging "https://acme-staging-v02.api.letsencrypt.org/directory";
      };

      # Wildcard cert
      certs."${cfg.domainName}" = {
        group = "nginx";
        dnsProvider = "cloudflare";
        # Private network resolves *.kilonull.com to private servers but `lego`
        # (acme client under the hood) needs to find the cloudflare nameservers
        # to determine the correct zone to apply changes in. Use cloudflare's
        # own DNS to make `lego` happy (will resolve names to a public IP).
        dnsResolver = "1.1.1.1:53";
        credentialsFile = cfg.dnsCredentialsFile;
        extraDomainNames = mkIf cfg.isWildcard [("*." + cfg.domainName)];
      };
    };
  };
}
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`{`
			`config,`
			`lib,`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`namespace,`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`...`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`}: let`
			`inherit (lib) mkOption mkEnableOption mkIf types;`

Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`cfg = config.aa.security.acme;`
			`in {`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`options.aa.security.acme = {`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`enable = mkEnableOption "Automatic Certificate Management Environment (ACME)";`
			`useStaging = mkOption {`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`type = types.bool;`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`description = ''`
			`Use the staging environment (use when configuring for the first time to`
			`avoid being locked out).`
			`'';`
			`default = false;`
			`};`
			`domainName = mkOption {`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`type = types.str;`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`description = "The domain to request a wildcard cert for.";`
			`};`
Added hydra proxy 2024-05-04 02:57:00 +00:00			`isWildcard = mkOption {`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`type = types.bool;`
Added hydra proxy 2024-05-04 02:57:00 +00:00			`default = true;`
			`description = "Whether or not to request a wildcard cert.";`
			`};`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`dnsCredentialsFile = mkOption {`
Cleanup Addressed some things nixd complained about 2024-08-03 17:32:02 +00:00			`type = types.path;`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`description = "The path to the credentials file for the DNS provider.";`
			`};`
			`};`

			`# Only supports exactly one wildcard cert using Cloudflare (only use case I have)`
			`config = mkIf cfg.enable {`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults = {`
			`email = config.aa.user.email;`
			`group = "nginx";`
			`server = mkIf cfg.useStaging "https://acme-staging-v02.api.letsencrypt.org/directory";`
			`};`

			`# Wildcard cert`
			`certs."${cfg.domainName}" = {`
			`group = "nginx";`
			`dnsProvider = "cloudflare";`
			# Private network resolves *.kilonull.com to private servers but `lego`
			`# (acme client under the hood) needs to find the cloudflare nameservers`
			`# to determine the correct zone to apply changes in. Use cloudflare's`
			# own DNS to make `lego` happy (will resolve names to a public IP).
			`dnsResolver = "1.1.1.1:53";`
			`credentialsFile = cfg.dnsCredentialsFile;`
Added hydra proxy 2024-05-04 02:57:00 +00:00			`extraDomainNames = mkIf cfg.isWildcard [("*." + cfg.domainName)];`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`};`
			`};`
			`};`
			`}`