added acme to impermanence

2025-01-03 13:07:52 -06:00 · 2025-01-03 13:07:52 -06:00 · 6ab64fafe1
commit 6ab64fafe1
parent b02bd1a5e2
2 changed files with 44 additions and 26 deletions
--- a/configurations/nixos/defiant/services.nix
+++ b/configurations/nixos/defiant/services.nix
@ -135,11 +135,6 @@ in {
      };
    };

-    security.acme = {
-      acceptTerms = true;
-      defaults.email = "jan-leila@protonmail.com";
-    };
-
    networking.firewall.allowedTCPPorts =
      [
        httpPort
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
@ -2,7 +2,9 @@
  lib,
  config,
  ...
-}: {
+}: let
+  dataDir = "/var/lib/acme";
+in {
  options.host.reverse_proxy = {
    enable = lib.mkEnableOption "turn on the reverse proxy";
    hostname = lib.mkOption {
@ -32,25 +34,46 @@
    };
  };

-  # TODO: impermanence for ACME keys
-  config = {
-    security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
-      acceptTerms = true;
-      defaults.email = "jan-leila@protonmail.com";
-    };
+  config = lib.mkIf config.host.reverse_proxy.enable (lib.mkMerge [
+    {
+      security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
+        acceptTerms = true;
+        defaults.email = "jan-leila@protonmail.com";
+      };

-    services.nginx = {
-      enable = config.host.reverse_proxy.enable;
-      virtualHosts = lib.attrsets.mapAttrs' (name: value:
-        lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
-          forceSSL = config.host.reverse_proxy.forceSSL;
-          enableACME = config.host.reverse_proxy.enableACME;
-          locations."/" = {
-            proxyPass = value.target;
-            proxyWebsockets = value.websockets;
-          };
-        })
-      config.host.reverse_proxy.subdomains;
-    };
-  };
+      services.nginx = {
+        enable = true;
+        virtualHosts = lib.attrsets.mapAttrs' (name: value:
+          lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
+            forceSSL = config.host.reverse_proxy.forceSSL;
+            enableACME = config.host.reverse_proxy.enableACME;
+            locations."/" = {
+              proxyPass = value.target;
+              proxyWebsockets = value.websockets;
+            };
+          })
+        config.host.reverse_proxy.subdomains;
+      };
+    }
+    (lib.mkIf config.host.impermanence.enable {
+      # TODO: figure out how to write an assertion for this
+      # assertions = [
+      #   {
+      #     assertion = security.acme.certs.<name>.directory == dataDir;
+      #     message = "postgres data directory does not match persistence";
+      #   }
+      # ];
+      environment.persistence."/persist/system/root" = {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = dataDir;
+            user = "acme";
+            group = "acme";
+          }
+        ];
+      };
+    })
+  ]);
 }