- lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
- (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
- cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
- chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
- '') +
- (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
- cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
- chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
- '')
- ; })
- ) config.security.acme.certs // {
- httpdProd.after = [ "acme-selfsigned-certificates.target" ];
- httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
- httpdTools.after = [ "acme-selfsigned-certificates.target" ];
- httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
- httpdInte.after = [ "acme-selfsigned-certificates.target" ];
- httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+ lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
+ cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
+
+ cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
+ '';
+ }
+ ) config.security.acme.certs //
+ lib.attrsets.mapAttrs' (k: data:
+ lib.attrsets.nameValuePair "acme-${k}" {
+ serviceConfig.ExecStartPre =
+ let
+ script = pkgs.writeScript "acme-pre-start" ''
+ #!${pkgs.runtimeShell} -e
+ mkdir -p '${data.webroot}/.well-known/acme-challenge'
+ chmod a+w '${data.webroot}/.well-known/acme-challenge'
+ #doesn't work for multiple concurrent runs
+ #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+ '';
+ in
+ "+${script}";
+ }
+ ) config.security.acme.certs //
+ {
+ httpdProd = lib.mkIf config.services.httpd.Prod.enable
+ { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+ httpdTools = lib.mkIf config.services.httpd.Tools.enable
+ { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+ httpdInte = lib.mkIf config.services.httpd.Inte.enable
+ { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };