authordatafoo <34766150+datafoo@users.noreply.github.com>2023-07-20 12:44:11 +0200
committerAnderson Torres <torres.anderson.85@protonmail.com>2023-09-11 16:34:20 +0000
commit5f105f87787b15a4f7179b6414b9fbe4063e34da (patch)
treed0c50e3a5d401b09dfd564578526588f4d86677e /nixos/modules
parentac4fd1a1098a3954b0e10fa8288a6492040102bb (diff)
nixos/acme: add option to set credential files
This leverages systemd credentials for the lego environment variables suffixed by _FILE.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/security/acme/default.nix31
1 files changed, 31 insertions, 0 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 222a25cf11d..94fd77b23bb 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -365,6 +365,12 @@ let
         # Only try loading the credentialsFile if the dns challenge is enabled
         EnvironmentFile = mkIf useDns data.credentialsFile;
 
+        Environment = mkIf useDns
+          (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
+
+        LoadCredential = mkIf useDns
+          (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
+
         # Run as root (Prefixed with +)
         ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
           cd /var/lib/acme/${escapeShellArg cert}
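Review bot: The two new serviceConfig entries carry no comment explaining how they fit together, while the neighbouring `EnvironmentFile` line does; a reader has to work out that each attribute name is used both as the systemd credential ID and as the `_FILE` variable lego reads, and that `%d` is the per-service credentials directory. A comment such as `# Each credential is loaded under its attribute name and the matching _FILE variable points lego at it` above `Environment` would make that explicit. As a point of style, the `Environment` lambda ignores its second argument, so `(k: _: ''"${k}=%d/${k}"'')` reads more honestly than `k: v:`. The enclosing serviceConfig attribute set starts and ends outside this hunk.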
@@ -619,6 +625,24 @@ let
         example = "/var/src/secrets/example.org-route53-api-token";
       };
 
+      credentialFiles = mkOption {
+        type = types.attrsOf (types.path);
+        inherit (defaultAndText "credentialFiles" {}) default defaultText;
+        description = lib.mdDoc ''
+          Environment variables suffixed by "_FILE" to set for the cert's service
+          for your selected dnsProvider.
+          To find out what values you need to set, consult the documentation at
+          <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.
+          This allows to securely pass credential files to lego by leveraging systemd
+          credentials.
+        '';
+        example = literalExpression ''
+          {
+            "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
+          }
+        '';
+      };
+
       dnsPropagationCheck = mkOption {
         type = types.bool;
         inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
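Review bot: The description of `credentialFiles` does not warn that the value must be a string, not a Nix path literal: the option is `types.attrsOf types.path`, and the values are interpolated into the unit in the first hunk, so a path literal would be copied into the world-readable Nix store, defeating the purpose of the option. The existing `credentialsFile` example uses a plain string, so the new option should state the same expectation, e.g. append `Values must be given as strings (not Nix path literals), otherwise the secret is copied into the world-readable Nix store.` As I read the first hunk, the files are read by systemd when the unit starts, so the description could also mention that they may be root-owned and need not be readable by the service user. The sentence `This allows to securely pass credential files to lego` would read better as `This allows credential files to be passed securely to lego`.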
@@ -929,6 +953,13 @@ in {
             `security.acme.certs.${cert}.listenHTTP` must be provided.
           '';
         }
+        {
+          assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles);
+          message = ''
+            Option `security.acme.certs.${cert}.credentialFiles` can only be
+            used for variables suffixed by "_FILE".
+          '';
+        }
       ]) cfg.certs));
 
       users.users.acme = {
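Review bot: The assertion only checks the `_FILE` suffix, but each attribute name is also interpolated unescaped into `LoadCredential=` and `Environment=` in the first hunk, so a key containing `/`, `=`, whitespace or a quote would produce a unit that systemd rejects at load time rather than a clear evaluation-time error. Tightening the check to a valid variable name would catch that early, for example `assertion = all (k: builtins.match "[A-Za-z_][A-Za-z0-9_]*_FILE" k != null) (attrNames data.credentialFiles);` with the message extended to say the name must be a valid environment variable name ending in "_FILE". The assertion list this entry belongs to starts outside the hunk.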