summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlassulus <lass@aidsballs.de>2016-11-24 23:57:29 +0100
committerlassulus <lass@aidsballs.de>2016-11-24 23:57:29 +0100
commitd279999a9c1d8247f718883651180bc9fdd9855b (patch)
tree591573841505a03263db8b3fbf069f79a81513d7
parenteb0bd41a0df8579529e0908bc1a39cfd26b7634b (diff)
k 3 nginx: add ssl.acmeEnable option
-rw-r--r--krebs/3modules/nginx.nix45
1 files changed, 43 insertions, 2 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
default = "";
};
ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
options = {
enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
certificate = mkOption {
type = str;
};
@@ -95,6 +108,7 @@ let
};
imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
@@ -117,13 +131,24 @@ let
indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
server {
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
@@ -142,7 +167,23 @@ let
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
${indent (concatMapStrings to-location locations)}
}
'';