author | datafoo <34766150+datafoo@users.noreply.github.com> | 2023-07-20 12:44:11 +0200 |
---|---|---|
committer | Anderson Torres <torres.anderson.85@protonmail.com> | 2023-09-11 16:34:20 +0000 |
commit | 5f105f87787b15a4f7179b6414b9fbe4063e34da (patch) | |
tree | d0c50e3a5d401b09dfd564578526588f4d86677e /nixos/modules | |
parent | ac4fd1a1098a3954b0e10fa8288a6492040102bb (diff) | |
nixos/acme: add option to set credential files
This leverages systemd credentials (LoadCredential=) to pass the lego variables suffixed by _FILE, so the secret files are handed to the service rather than placed in its environment.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/acme/default.nix | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix index 222a25cf11d..94fd77b23bb 100644 --- a/nixos/modules/security/acme/default.nix +++ b/nixos/modules/security/acme/default.nix @@ -365,6 +365,12 @@ let # Only try loading the credentialsFile if the dns challenge is enabled EnvironmentFile = mkIf useDns data.credentialsFile; + Environment = mkIf useDns + (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles); + + LoadCredential = mkIf useDns + (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles); + # Run as root (Prefixed with +) ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" '' cd /var/lib/acme/${escapeShellArg cert} @@ -619,6 +625,24 @@ let example = "/var/src/secrets/example.org-route53-api-token"; }; + credentialFiles = mkOption { + type = types.attrsOf (types.path); + inherit (defaultAndText "credentialFiles" {}) default defaultText; + description = lib.mdDoc '' + Environment variables suffixed by "_FILE" to set for the cert's service + for your selected dnsProvider. + To find out what values you need to set, consult the documentation at + <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider. + This allows to securely pass credential files to lego by leveraging systemd + credentials. + ''; + example = literalExpression '' + { + "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org"; + } + ''; + }; + dnsPropagationCheck = mkOption { type = types.bool; inherit (defaultAndText "dnsPropagationCheck" true) default defaultText; @@ -929,6 +953,13 @@ in { `security.acme.certs.${cert}.listenHTTP` must be provided. ''; } + { + assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles); + message = '' + Option `security.acme.certs.${cert}.credentialFiles` can only be + used for variables suffixed by "_FILE". + ''; + } ]) cfg.certs)); users.users.acme = { |
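Review bot: The `Environment` entries in the first hunk point each `*_FILE` variable at `%d/<name>`, which only works because the matching `LoadCredential` entry just below stages the file there; nothing in the hunk says so, and a reader unfamiliar with systemd credentials will not know that `%d` is the service's private `$CREDENTIALS_DIRECTORY`. I would add above `Environment`: `# Stage each credentialFiles entry with LoadCredential= and point the matching *_FILE variable at %d (the service's private $CREDENTIALS_DIRECTORY), so the secret itself never enters the environment.` The attribute name `k` is interpolated into both lists without any check here; the only validation is the `_FILE` suffix assertion elsewhere in this commit, so a name that is not a valid variable name would, as far as I know, yield an `Environment=` assignment that systemd logs and ignores rather than an evaluation error. The enclosing `serviceConfig` attribute set starts before this hunk.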
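Review bot: `credentialFiles` is typed `types.attrsOf types.path`, which also accepts a Nix path literal such as `./tsig-secret`; interpolating such a value into `LoadCredential` copies the file into the world-readable Nix store, defeating the purpose of the option, and the description does not warn about it. I would add to the description: `Always give the file as a string (as in the example), never as a path literal, since a path literal would be copied into the world-readable Nix store.` It could also note that the source file is read by the service manager when the credential is loaded, so it need not be readable by the acme user; the existing `credentialsFile` option above has the same type and presumably the same caveat. Minor wording: `This allows to securely pass credential files to lego` should read `This allows credential files to be passed securely to lego`. The enclosing options attribute set starts and ends outside the hunk.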
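Review bot: The assertion added in the last hunk only checks the `_FILE` suffix, but each key is also interpolated verbatim into an `Environment=` assignment and a `LoadCredential=` ID, so a key containing whitespace, `=` or `/` passes the assertion and produces a malformed unit entry instead of an evaluation-time error. I would tighten it to a full variable-name check, `assertion = all (n: builtins.match "[A-Za-z_][A-Za-z0-9_]*_FILE" n != null) (attrNames data.credentialFiles);`, and adjust the message to `keys must be valid environment variable names suffixed by "_FILE"`. `builtins.match` needs nothing brought into scope. The assertions list this entry belongs to starts before the hunk.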