Snippet #2630 (by ., python)

  # Per-domain ACME settings. Each attribute name is a DNS name; its value is a
  # string that is handed unchanged to `security.acme.certs.<dns>.postRun` below.
  # Those strings are commands run by the certificate renewal job, so they are
  # trusted code and should only come from configuration the operator controls.
  # NOTE(review): the privileges postRun runs with depend on the NixOS release;
  # confirm before putting anything sensitive there.
  options.ekleog.acme = lib.mkOption {
    type = lib.types.attrsOf lib.types.str;
    default = {};
    description = "Mapping dns -> action on refresh for SSL certificates";
  };

  # Everything below applies only when at least one domain is configured.
  # `cfg` is defined outside this fragment (presumably config.ekleog.acme; verify).
  config =
    let
      # Single source for the challenge directory, so the path nginx serves and
      # the path the ACME client writes to cannot drift apart.
      challengeRoot = dns: "/var/acme-challenge/${dns}";

      # nginx virtual host for one domain; the refresh action is not used here.
      vhostFor = dns: _action: {
        # mkDefault lets another module replace the listeners.
        # `addr` is the DNS name itself, so the bind address depends on how that
        # name resolves when nginx loads its configuration.
        # NOTE(review): the 443 listener is marked `ssl`, but no certificate
        # option is set in this fragment; confirm one is supplied elsewhere.
        listen = lib.mkDefault [
          { addr = dns; port = 80; }
          { addr = dns; port = 443; ssl = true; }
        ];
        # Only the challenge prefix is mapped onto the webroot. nginx appends
        # the request URI to `root`, so files are read from
        # <webroot>/.well-known/acme-challenge/.
        locations."/.well-known/acme-challenge".root = challengeRoot dns;
      };

      # Certificate request for one domain, validated through the webroot above.
      certFor = dns: onRefresh: {
        webroot = challengeRoot dns;
        # Runs the operator-supplied action after a refresh.
        postRun = onRefresh;
        # Contact address is hard-coded, so every certificate uses the same one.
        email = "leo@gaspard.io";
      };
    in
    lib.mkIf (cfg != {}) {
      services.nginx.enable = true;
      services.nginx.virtualHosts = lib.mapAttrs vhostFor cfg;

      # Only port 80 (used for the HTTP challenge) is opened by this fragment.
      # The 443 listener stays unreachable from outside unless another module
      # opens that port.
      networking.firewall.allowedTCPPorts = [ 80 ];

      security.acme.certs = lib.mapAttrs certFor cfg;
    };
