
nixos/acme: add option to set credential files

This leverages systemd credentials for variables suffixed by `_FILE`.

authored by

datafoo and committed by
Anderson Torres
5f105f87 ac4fd1a1

+31
+31
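--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -365,6 +365,12 @@
 # Only try loading the credentialsFile if the dns challenge is enabled
 EnvironmentFile = mkIf useDns data.credentialsFile;
 
+Environment = mkIf useDns
+(mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
+
+LoadCredential = mkIf useDns
+(mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
+
 # Run as root (Prefixed with +)
 ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
 cd /var/lib/acme/${escapeShellArg cert}
@@ -617,6 +623,24 @@
 <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.
 '';
 example = "/var/src/secrets/example.org-route53-api-token";
+};
+
+credentialFiles = mkOption {
+type = types.attrsOf (types.path);
+inherit (defaultAndText "credentialFiles" {}) default defaultText;
+description = lib.mdDoc ''
+Environment variables suffixed by "_FILE" to set for the cert's service
+for your selected dnsProvider.
+To find out what values you need to set, consult the documentation at
+<https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.
+This allows to securely pass credential files to lego by leveraging systemd
+credentials.
+'';
+example = literalExpression ''
+{
+"RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
+}
+'';
 };
 
 dnsPropagationCheck = mkOption {
@@ -927,6 +951,13 @@
 One of `security.acme.certs.${cert}.dnsProvider`,
 `security.acme.certs.${cert}.webroot`, or
 `security.acme.certs.${cert}.listenHTTP` must be provided.
+'';
+}
+{
+assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles);
+message = ''
+Option `security.acme.certs.${cert}.credentialFiles` can only be
+used for variables suffixed by "_FILE".
 '';
 }
 ]) cfg.certs));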
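Review bot: `credentialFiles` is typed `types.attrsOf types.path`, and the `LoadCredential` entry in the first hunk interpolates each value `v` into a string; if a user writes the value as an unquoted Nix path literal instead of a string (the example correctly uses a quoted string), that interpolation would, as I understand Nix semantics, copy the secret file into the world-readable Nix store, which defeats the point of using systemd credentials. The option description in the second hunk should state this explicitly, e.g. add `Values must be given as strings (quoted absolute paths); an unquoted path literal is copied into the Nix store and would expose the secret.`, and the same caveat presumably applies to the existing `credentialsFile` option above it. The `Environment`/`LoadCredential` pairing looks consistent: each `K_FILE` is exposed at `%d/K_FILE`, which systemd resolves to the credentials directory, and the `_FILE` assertion in the third hunk keeps the option from being used to pass raw values. The enclosing service attribute set, the option set and the assertions list all start and end outside these hunks.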