Refactored how SSL certs are configured for nginx

Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
2023-07-16 10:53:02 -07:00 · 2023-07-16 10:53:02 -07:00 · d5969ca923
commit d5969ca923
parent 60917107b1
9 changed files with 128 additions and 41 deletions
--- a/modules/security/acme/default.nix
+++ b/modules/security/acme/default.nix
@ -0,0 +1,56 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.security.acme;
+in {
+  options.aa.security.acme = with types; {
+    enable = mkEnableOption "Automatic Certificate Management Environment (ACME)";
+    useStaging = mkOption {
+      type = bool;
+      description = ''
+        Use the staging environment (use when configuring for the first time to
+        avoid being locked out).
+      '';
+      default = false;
+    };
+    domainName = mkOption {
+      type = str;
+      description = "The domain to request a wildcard cert for.";
+    };
+    dnsCredentialsFile = mkOption {
+      type = path;
+      description = "The path to the credentials file for the DNS provider.";
+    };
+  };
+
+  # Only supports exactly one wildcard cert using Cloudflare (only use case I have)
+  config = mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = config.aa.user.email;
+        group = "nginx";
+        server = mkIf cfg.useStaging "https://acme-staging-v02.api.letsencrypt.org/directory";
+      };
+
+      # Wildcard cert
+      certs."${cfg.domainName}" = {
+        group = "nginx";
+        dnsProvider = "cloudflare";
+        # Private network resolves *.kilonull.com to private servers but `lego`
+        # (acme client under the hood) needs to find the cloudflare nameservers
+        # to determine the correct zone to apply changes in. Use cloudflare's
+        # own DNS to make `lego` happy (will resolve names to a public IP).
+        dnsResolver = "1.1.1.1:53";
+        credentialsFile = cfg.dnsCredentialsFile;
+        extraDomainNames = [("*." + cfg.domainName)];
+      };
+    };
+  };
+}