nixos/acme: add option to set credential files

This is to leverage systemd credentials for variables suffixed by _FILE.
2024-09-29 15:43:00 +00:00 · 2023-07-20 12:44:11 +02:00 · 2023-07-20 12:44:11 +02:00 · 5f105f8778
commit 5f105f8778
parent ac4fd1a109
1 changed files with 31 additions and 0 deletions
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@ -365,6 +365,12 @@ let
        # Only try loading the credentialsFile if the dns challenge is enabled
        EnvironmentFile = mkIf useDns data.credentialsFile;

+        Environment = mkIf useDns
+          (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
+
+        LoadCredential = mkIf useDns
+          (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
+
        # Run as root (Prefixed with +)
        ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
          cd /var/lib/acme/${escapeShellArg cert}
@ -619,6 +625,24 @@ let
        example = "/var/src/secrets/example.org-route53-api-token";
      };

+      credentialFiles = mkOption {
+        type = types.attrsOf (types.path);
+        inherit (defaultAndText "credentialFiles" {}) default defaultText;
+        description = lib.mdDoc ''
+          Environment variables suffixed by "_FILE" to set for the cert's service
+          for your selected dnsProvider.
+          To find out what values you need to set, consult the documentation at
+          <https://go-acme.github.io/lego/dns/> for the corresponding dnsProvider.
+          This allows to securely pass credential files to lego by leveraging systemd
+          credentials.
+        '';
+        example = literalExpression ''
+          {
+            "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
+          }
+        '';
+      };
+
      dnsPropagationCheck = mkOption {
        type = types.bool;
        inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
@ -929,6 +953,13 @@ in {
            `security.acme.certs.${cert}.listenHTTP` must be provided.
          '';
        }
+        {
+          assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles);
+          message = ''
+            Option `security.acme.certs.${cert}.credentialFiles` can only be
+            used for variables suffixed by "_FILE".
+          '';
+        }
      ]) cfg.certs));

      users.users.acme = {