diff options
author | lassulus <lass@aidsballs.de> | 2016-11-24 23:57:29 +0100 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2016-11-24 23:57:29 +0100 |
commit | d279999a9c1d8247f718883651180bc9fdd9855b (patch) | |
tree | 591573841505a03263db8b3fbf069f79a81513d7 | |
parent | eb0bd41a0df8579529e0908bc1a39cfd26b7634b (diff) |
k 3 nginx: add ssl.acmeEnable option
-rw-r--r-- | krebs/3modules/nginx.nix | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 1577c5b64..933c2e513 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -53,9 +53,22 @@ let default = ""; }; ssl = mkOption { - type = with types; submodule ({ + type = with types; submodule ({ config, ... }: { options = { enable = mkEnableOption "ssl"; + acmeEnable = mkOption { + type = bool; + apply = x: + if x && config.enable + #conflicts because of certificate/certificate_key location + then throw "can't use ssl.enable and ssl.acmeEnable together" + else x; + default = false; + description = '' + enables automatical generation of lets-encrypt certificates and setting them as certificate + conflicts with ssl.enable + ''; + }; certificate = mkOption { type = str; }; @@ -95,6 +108,7 @@ let }; imp = { + security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); services.nginx = { enable = true; httpConfig = '' @@ -117,13 +131,24 @@ let indent = replaceChars ["\n"] ["\n "]; + to-acme = { server-names, ssl, ... }: + optionalAttrs ssl.acmeEnable { + email = "lassulus@gmail.com"; + webroot = "${config.security.acme.directory}/${head server-names}"; + }; + to-location = { name, value }: '' location ${name} { ${indent value} } ''; - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: '' + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let + domain = head server-names; + acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' + root ${config.security.acme.certs.${domain}.webroot}; + ''); + in '' server { server_name ${toString (unique server-names)}; ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} @@ -142,7 +167,23 @@ let ssl_ciphers ${ssl.ciphers}; ssl_protocols ${toString ssl.protocols}; '')} + ${optionalString ssl.acmeEnable (indent '' + ${optionalString ssl.force_encryption '' + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + ''} + listen 443 ssl; + ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; + ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; + ${optionalString ssl.prefer_server_ciphers '' + ssl_prefer_server_ciphers On; + ''} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '')} ${indent extraConfig} + ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} ${indent (concatMapStrings to-location locations)} } ''; |