nixos/acme: add option to set credential files
This leverages systemd credentials (LoadCredential=) for lego variables suffixed by _FILE.
This commit is contained in:
parent
ac4fd1a109
commit
5f105f8778
@ -365,6 +365,12 @@ let
|
||||
# Only try loading the credentialsFile if the dns challenge is enabled
|
||||
EnvironmentFile = mkIf useDns data.credentialsFile;
|
||||
|
||||
Environment = mkIf useDns
|
||||
(mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
|
||||
|
||||
LoadCredential = mkIf useDns
|
||||
(mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
|
||||
|
||||
# Run as root (Prefixed with +)
|
||||
ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
|
||||
cd /var/lib/acme/${escapeShellArg cert}
|
||||
@ -619,6 +625,24 @@ let
|
||||
example = "/var/src/secrets/example.org-route53-api-token";
|
||||
};
|
||||
|
||||
credentialFiles = mkOption {
|
||||
type = types.attrsOf (types.path);
|
||||
inherit (defaultAndText "credentialFiles" {}) default defaultText;
|
||||
description = lib.mdDoc ''
|
||||
Environment variables suffixed by "_FILE" to set for the cert's service
|
||||
for your selected dnsProvider.
|
||||
To find out what values you need to set, consult the documentation at
|
||||
<https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.
|
||||
This allows to securely pass credential files to lego by leveraging systemd
|
||||
credentials.
|
||||
'';
|
||||
example = literalExpression ''
|
||||
{
|
||||
"RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
dnsPropagationCheck = mkOption {
|
||||
type = types.bool;
|
||||
inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
|
||||
@ -929,6 +953,13 @@ in {
|
||||
`security.acme.certs.${cert}.listenHTTP` must be provided.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles);
|
||||
message = ''
|
||||
Option `security.acme.certs.${cert}.credentialFiles` can only be
|
||||
used for variables suffixed by "_FILE".
|
||||
'';
|
||||
}
|
||||
]) cfg.certs));
|
||||
|
||||
users.users.acme = {
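Review bot: A variable that is listed in `credentialFiles` and also defined in the file referenced by `credentialsFile` will silently take the value from the latter, because systemd applies `EnvironmentFile=` after `Environment=` and lets it override; the new `Environment = mkIf useDns (mapAttrsToList ...)` line in the first hunk sits right next to the existing `EnvironmentFile = mkIf useDns data.credentialsFile;` and nothing guards the overlap. The assertion added in the last hunk only checks the `_FILE` suffix and cannot catch this at evaluation time since the env file is only read at runtime, so the option description is the place to state it; I would add to the `credentialFiles` description `Variables set here must not also be set in credentialsFile, as values from EnvironmentFile= take precedence over Environment=.` and a matching one-line comment above the `Environment =` line. Less importantly, the `"${k}:${v}"` interpolation for `LoadCredential` does not escape `v`, so a credential path containing `:` (which `types.path` does not forbid) would presumably be split at the wrong place — worth a note or an assertion on `builtins.match ".*:.*" (toString v) == null`. The enclosing `serviceConfig` attribute set and the `assertions` list both start outside the visible hunks.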
|
||||
|