{ me, lib, pkgs, ... }: let oneWeekInSeconds = 7 * 24 * 60 * 60; tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" '' set -euxo pipefail check_validity() { pem=$1 ${pkgs.openssl}/bin/openssl x509 \ -checkend ${toString oneWeekInSeconds} \ -noout <$pem } try_renew() { ${pkgs.tailscale}/bin/tailscale cert \ --cert-file certificates/fullchain.pem \ --key-file certificates/key.pem \ ${me.tailscale.domain} } cut_out_certificate_authority() { fullchain=$1 buf="" while read LINE; do if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then buf="" fi buf="$buf$LINE"$'\n' done < $fullchain echo "$buf" } install_certificates() { touch out/renewed cp -vp 'certificates/fullchain.pem' out/fullchain.pem cp -vp 'certificates/key.pem' out/key.pem ln -sf fullchain.pem out/cert.pem cat out/key.pem out/fullchain.pem > out/full.pem cut_out_certificate_authority out/fullchain.pem > out/chain.pem chown 'acme:nginx' out/* chmod 640 out/* } if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then echo 1>&2 "attempting tailscale certificate renewal..." if ! try_renew; then echo 1>&2 "renewal failed :(" exit 1 fi install_certificates echo 1>&2 "successfully renewed certificate :)" else echo 1>&2 "renewal not yet necessary." fi ''; in { # overwrite default acme behaviour with tailscale systemd.services."acme-${me.tailscale.domain}" = { after = [ "tailscaled.service" ]; requires = [ "tailscaled.service" ]; serviceConfig = { ExecStart = lib.mkForce "+${tailscaleRenewScript}"; }; }; # tailnet internal vhost services.nginx.virtualHosts.tailnet = { forceSSL = true; enableACME = true; serverName = me.tailscale.domain; listenAddresses = [ me.tailscale.ip ]; # point to the default page, for now! locations."/" = { alias = "/var/www/html/"; }; extraConfig = '' access_log /var/log/nginx/tailnet.access.log json_combined; ''; }; }