acme: init

2025-05-22 09:44:38 +02:00 · 2025-05-22 09:44:38 +02:00 · a20746490a
commit a20746490a
parent 9edc2a4ad4
2 changed files with 48 additions and 14 deletions
--- a/modules/services/acme/module.nix
+++ b/modules/services/acme/module.nix
@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  acmeRoot = "/var/lib/acme/challenges";
+
+  mkAcmeCert = domain: {
+    # An acme system user is created. This user belongs to the acme group
+    # and the home directory is /var/lib/acme. This user will try to make the directory
+    # .well-known/acme-challenge/ under the webroot directory.
+    webroot = "${acmeRoot}-${domain}";
+
+    # email to send updates to, we prefix "acme" and the
+    #  name of the domain the certificate is for to it.
+    email = "acme+${domain}+charlie@charlieroot.dev";
+    group = "nginx";
+  };
+in {
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "charlie@charlieroot.dev";
+      # testing server, do not use in production, but DO use it for setting things up.
+      # it has much higher rate limits.
+      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+    # certs = {
+    #   "copeberg.org" = mkAcmeCert "copeberg.org";
+    #   "info.copeberg.org" = mkAcmeCert "info.copeberg.org";
+    # };
+  };
+}
--- a/modules/services/forgejo/module.nix
+++ b/modules/services/forgejo/module.nix
@ -43,20 +43,20 @@ in {
      };
    };

-    security.acme = let
-      email = "charlie@charlieroot.dev";
-    in {
-      # testing server, do not use in production, but DO use it for setting things up.
-      # it has much higher rate limits.
-      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      certs = {
-        ${domain} = {
-          webroot = acmeRoot;
-          inherit email;
-          group = "nginx";
-        };
-      };
-    };
+    # security.acme = let
+    #   email = "charlie@charlieroot.dev";
+    # in {
+    #   # testing server, do not use in production, but DO use it for setting things up.
+    #   # it has much higher rate limits.
+    #   # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    #   certs = {
+    #     ${domain} = {
+    #       webroot = acmeRoot;
+    #       inherit email;
+    #       group = "nginx";
+    #     };
+    #   };
+    # };

    # create the git user for forgejo
    # NOTE: this is important and it will _not_ work otherwise.