acme: init
This commit is contained in:
parent
9edc2a4ad4
commit
a20746490a
SSH key fingerprint:
SHA256:Uj2AXqvtdCA4hn5Hq0ZonhIAyUqI1q4w2sMG3Z1TH7E
2 changed files with 48 additions and 14 deletions
34
modules/services/acme/module.nix
Normal file
34
modules/services/acme/module.nix
Normal file
|
|
@ -0,0 +1,34 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
acmeRoot = "/var/lib/acme/challenges";
|
||||||
|
|
||||||
|
mkAcmeCert = domain: {
|
||||||
|
# An acme system user is created. This user belongs to the acme group
|
||||||
|
# and the home directory is /var/lib/acme. This user will try to make the directory
|
||||||
|
# .well-known/acme-challenge/ under the webroot directory.
|
||||||
|
webroot = "${acmeRoot}-${domain}";
|
||||||
|
|
||||||
|
# email to send updates to, we prefix "acme" and the
|
||||||
|
# name of the domain the certificate is for to it.
|
||||||
|
email = "acme+${domain}+charlie@charlieroot.dev";
|
||||||
|
group = "nginx";
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
email = "charlie@charlieroot.dev";
|
||||||
|
# testing server, do not use in production, but DO use it for setting things up.
|
||||||
|
# it has much higher rate limits.
|
||||||
|
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
|
};
|
||||||
|
# certs = {
|
||||||
|
# "copeberg.org" = mkAcmeCert "copeberg.org";
|
||||||
|
# "info.copeberg.org" = mkAcmeCert "info.copeberg.org";
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -43,20 +43,20 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = let
|
# security.acme = let
|
||||||
email = "charlie@charlieroot.dev";
|
# email = "charlie@charlieroot.dev";
|
||||||
in {
|
# in {
|
||||||
# testing server, do not use in production, but DO use it for setting things up.
|
# # testing server, do not use in production, but DO use it for setting things up.
|
||||||
# it has much higher rate limits.
|
# # it has much higher rate limits.
|
||||||
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
# # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
certs = {
|
# certs = {
|
||||||
${domain} = {
|
# ${domain} = {
|
||||||
webroot = acmeRoot;
|
# webroot = acmeRoot;
|
||||||
inherit email;
|
# inherit email;
|
||||||
group = "nginx";
|
# group = "nginx";
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
# create the git user for forgejo
|
# create the git user for forgejo
|
||||||
# NOTE: this is important and it will _not_ work otherwise.
|
# NOTE: this is important and it will _not_ work otherwise.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue