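# NixOS module: serves one or more static site packages through nginx, with
# optional per-domain ACME/SSL.
#
# Options (under `services.danilafe-blog`):
#   enable        - turn the service on.
#   ssl           - `true` for all domains, or an attrset `{ <domain> = bool; }`
#                   to pick individual domains.
#   domains       - attrset mapping domain name -> package whose output is the
#                   document root for that domain.
#   challengePath - directory used for ACME HTTP challenges (`acmeRoot`).
{ lib, config, ... }:
with lib;
let
  cfg = config.services.danilafe-blog;

  # True when SSL is requested for `domain`: either globally (`ssl = true`)
  # or per-domain via `ssl.<domain>`.  When `ssl` is a bool the attribute
  # selection falls through to the `or false` default.
  sslForDomain = domain: (cfg.ssl == true) || (cfg.ssl."${domain}" or false);

  # Whether at least one configured domain wants SSL; gates the ACME block below.
  anySsl = any sslForDomain (attrNames cfg.domains);

  # nginx virtual host serving `package` at `domain`.  The SSL/ACME settings
  # are only merged in for domains selected by `sslForDomain`.
  virtualHost = domain: package: {
    virtualHosts."${domain}" = mkMerge [
      { root = package; }
      (mkIf (sslForDomain domain) {
        addSSL = true;
        enableACME = true;
        acmeRoot = cfg.challengePath;
      })
    ];
  };

  # Per-domain systemd override for the ACME unit so it can write challenges
  # into `challengePath`.
  # Workaround for new configuration setting all of /var to be readonly.
  # See https://github.com/NixOS/nixpkgs/issues/139310
  service = domain: {
    "acme-${domain}".serviceConfig = {
      ReadWritePaths = [ cfg.challengePath ];
    };
  };

  virtualHosts = mapAttrsToList virtualHost cfg.domains;

  # Only SSL-enabled domains have an `acme-<domain>` unit to patch.
  services = map service (filter sslForDomain (attrNames cfg.domains));
in
{
  options.services.danilafe-blog = {
    enable = mkEnableOption "Daniel's blog service";

    ssl = mkOption {
      type = types.either types.bool (types.attrsOf types.bool);
      default = false;
      description = "Enable SSL and ACME for all or some domains.";
    };

    domains = mkOption {
      type = types.attrsOf types.package;
      default = {};
      description = "Attribute set where keys are domains and values are packages to host there.";
    };

    challengePath = mkOption {
      type = types.str;
      description = "The location for ACME challenges.";
    };
  };

  config.services.nginx = mkIf cfg.enable (mkMerge (virtualHosts ++ [
    {
      # Always enable nginx.
      enable = true;
      recommendedGzipSettings = true;
    }
  ]));

  # `mkMerge []` is fine when no domain uses SSL.
  config.systemd.services = mkIf cfg.enable (mkMerge services);

  # If any domain uses SSL, enable ACME and accept terms.
  # Attribute names here are relative to `security.acme`: the previous version
  # nested `security.acme.email` inside `config.security.acme`, which defines
  # the non-existent option path `security.acme.security.acme.email` and fails
  # module evaluation.
  # NOTE(review): newer nixpkgs moves `email` to `security.acme.defaults.email`;
  # adjust if evaluation warns about the deprecated option.
  config.security.acme = mkIf (cfg.enable && anySsl) {
    email = "danila.fedorin@gmail.com";
    acceptTerms = true;
  };
}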