nixos-combined-flake/lib/genSslCert.nix

{ name, dataDir, user, domain, wantedBy ? [], Before ? [] }: { pkgs, ... }:
{
  systemd.services."create-${name}-cert" = {
    description = "Create a certificate for ${domain}";

    script = ''
      ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -keyout ${domain}.key -out ${domain}.crt -nodes -subj '/CN=${domain}'
      ${pkgs.openssl}/bin/openssl pkcs12 -export -out ${domain}.pfx -inkey ${domain}.key -in ${domain}.crt -passout pass:
      cat ${domain}.crt ${domain}.key > ${domain}.pem
      chmod 644 ${domain}.crt
      chmod 640 ${domain}.pfx
      chmod 640 ${domain}.key
      chmod 640 ${domain}.pem
    '';

    wantedBy = [ "multi-user.target" ] ++ wantedBy;

    unitConfig = {
      Before = [ "multi-user.target" ] ++ Before;
      ConditionPathExists = "!${dataDir}/${domain}.pfx";
    };

    serviceConfig = {
      User = user;
      Type = "oneshot";
      WorkingDirectory = dataDir;
      RemainAfterExit = true;
    };
  };
}