default.nix (2392B)
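# Quark ACME module: obtains a Let's Encrypt certificate with Certbot
# (webroot challenge) and keeps it renewed via a weekly systemd timer.
# The config is only active when both `modules.quark.enable` and
# `modules.quark.acme.enable` are set. The webroot
# `config.modules.quark.directory` is declared by a sibling module that
# is not visible in this file.
{
  lib,
  options,
  config,
  pkgs,
  ...
}:
{
  options.modules.quark.acme = {
    enable = lib.mkOption {
      description = "Whether to enable the Certbot ACME client.";
      default = false;
      type = lib.types.bool;
    };
    directory = lib.mkOption {
      description = ''
        The directory containing fetched Let's Encrypt certificates.
      '';
      # Read-only: this is Certbot's own output layout, so other modules can
      # rely on it rather than configure it.
      default = "/etc/letsencrypt/live";
      readOnly = true;
      type = lib.types.uniq lib.types.path;
    };
    email = lib.mkOption {
      description = "The email used for the Let's Encrypt account.";
      type = lib.types.uniq lib.types.str;
    };
    domain = lib.mkOption {
      description = "The domain to fetch the certificate for.";
      type = lib.types.uniq lib.types.str;
    };
    extraDomains = lib.mkOption {
      description = "The extra domains of the certificate.";
      default = [ ];
      type = lib.types.listOf lib.types.str;
    };
  };

  config =
    let
      inherit (config.modules.quark) acme;
      certbot = "${pkgs.certbot}/bin/certbot";
      grep = "${pkgs.gnugrep}/bin/grep";
      domains = [ acme.domain ] ++ acme.extraDomains;
      # Every option value that reaches the shell script is escaped, so an
      # email, domain or webroot path containing whitespace or shell
      # metacharacters is passed as a single argument instead of being
      # re-parsed by the shell.
      domainArgs = lib.concatMapStringsSep " " (d: "-d ${lib.escapeShellArg d}") domains;
      script = pkgs.writeShellScriptBin "script" ''
        set -euo pipefail
        # First run: no certificate exists yet, so request one with the
        # webroot challenge. Every later run only renews.
        # NOTE: a change to `extraDomains` after the initial issuance is not
        # picked up here, because an existing certificate always takes the
        # renew path.
        if ${certbot} certificates | ${grep} -q "No certificates"; then
          ${certbot} certonly --quiet --webroot \
            --agree-tos --email ${lib.escapeShellArg acme.email} \
            -w ${lib.escapeShellArg config.modules.quark.directory} \
            ${domainArgs}
        else
          ${certbot} renew --quiet
        fi
      '';
    in
    lib.mkIf (acme.enable && config.modules.quark.enable) {
      systemd = {
        services = {
          acme = {
            enable = true;
            # Also wanted at boot so the initial certificate is obtained
            # without waiting for the first timer tick.
            wantedBy = [ "multi-user.target" ];
            serviceConfig = {
              # Certbot writes under /etc/letsencrypt, which needs root.
              User = "root";
              Group = "root";
              Type = "oneshot";
              ExecStart = "${script}/bin/script";
            };
          };
        };
        timers = {
          acme = {
            enable = true;
            # systemd timers are conventionally pulled in via timers.target.
            wantedBy = [ "timers.target" ];
            timerConfig = {
              OnCalendar = "weekly";
              # Catch up on a trigger missed while the machine was off.
              Persistent = true;
            };
          };
        };
      };
    };
}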