diff options
author | Franz Pletz <fpletz@fnordicwalking.de> | 2015-12-12 16:06:24 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2015-12-12 16:06:53 +0100 |
commit | 1685b9d06ebe93eaaed478bde02db813fc39e4b2 (patch) | |
tree | b0ea1836f1d8341396ba5b3ccc3deabdee7c99ca /nixos/modules/security/acme.nix | |
parent | 9374ddb89523f6d77951445c5224b464d9ec198c (diff) | |
download | nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.tar nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.tar.gz nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.tar.bz2 nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.tar.lz nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.tar.xz nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.tar.zst nixpkgs-1685b9d06ebe93eaaed478bde02db813fc39e4b2.zip |
nixos/acme: Add module documentation
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 129 |
1 files changed, 67 insertions, 62 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 37de46cb1a5..8f3a2ee073b 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -131,67 +131,72 @@ in }; ###### implementation - config = mkIf (cfg.certs != { }) { - - systemd.services = flip mapAttrs' cfg.certs (cert: data: - let - cpath = "${cfg.directory}/${cert}"; - cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ] - ++ optionals (data.email != null) [ "--email" data.email ] - ++ concatMap (p: [ "-f" p ]) data.plugins - ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains); - - in nameValuePair - ("acme-${cert}") - ({ - description = "ACME cert renewal for ${cert} using simp_le"; - after = [ "network.target" ]; - serviceConfig = { - Type = "oneshot"; - SuccessExitStatus = [ "0" "1" ]; - PermissionsStartOnly = true; - User = data.user; - Group = data.group; - PrivateTmp = true; - }; - path = [ pkgs.simp_le ]; - preStart = '' - mkdir -p '${cfg.directory}' - if [ ! -d '${cpath}' ]; then - mkdir -m 700 '${cpath}' - chown '${data.user}:${data.group}' '${cpath}' - fi - ''; - script = '' - cd '${cpath}' - set +e - simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline} - EXITCODE=$? - set -e - echo "$EXITCODE" > /tmp/lastExitCode - exit "$EXITCODE" - ''; - postStop = '' - if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then - echo "Executing postRun hook..." - ${data.postRun} - fi - ''; - }) - ); - - systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair - ("acme-${cert}") - ({ - description = "timer for ACME cert renewal of ${cert}"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = cfg.renewInterval; - Unit = "acme-simp_le-${cert}.service"; - }; - }) - ); - - }; + config = mkMerge [ + (mkIf (cfg.certs != { }) { + + systemd.services = flip mapAttrs' cfg.certs (cert: data: + let + cpath = "${cfg.directory}/${cert}"; + cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ] + ++ optionals (data.email != null) [ "--email" data.email ] + ++ concatMap (p: [ "-f" p ]) data.plugins + ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains); + + in nameValuePair + ("acme-${cert}") + ({ + description = "ACME cert renewal for ${cert} using simp_le"; + after = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + SuccessExitStatus = [ "0" "1" ]; + PermissionsStartOnly = true; + User = data.user; + Group = data.group; + PrivateTmp = true; + }; + path = [ pkgs.simp_le ]; + preStart = '' + mkdir -p '${cfg.directory}' + if [ ! -d '${cpath}' ]; then + mkdir -m 700 '${cpath}' + chown '${data.user}:${data.group}' '${cpath}' + fi + ''; + script = '' + cd '${cpath}' + set +e + simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline} + EXITCODE=$? + set -e + echo "$EXITCODE" > /tmp/lastExitCode + exit "$EXITCODE" + ''; + postStop = '' + if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then + echo "Executing postRun hook..." + ${data.postRun} + fi + ''; + }) + ); + + systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair + ("acme-${cert}") + ({ + description = "timer for ACME cert renewal of ${cert}"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.renewInterval; + Unit = "acme-simp_le-${cert}.service"; + }; + }) + ); + }) + + { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ]; + meta.doc = ./acme.xml; + } + ]; } |