X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=2bf27302edb8ae8ad435c7df8fb2f4c1d2bfc9ef;hb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;hp=2d245792919ed6c0b5b5f59fc375d224e7ea892d;hpb=619e4f46adc15e409122c4e0fa0e0a0b811bb32f;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2d24579..2bf2730 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix @@ -4,7 +4,7 @@ enable = lib.mkEnableOption "enable certificates"; certConfig = lib.mkOption { default = { - webroot = "${config.security.acme.directory}/acme-challenge"; + webroot = "/var/lib/acme/acme-challenge"; email = "ismael@bouya.org"; postRun = builtins.concatStringsSep "\n" [ (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") @@ -12,7 +12,7 @@ (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") ]; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; + plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; }; description = "Default configuration for certificates"; }; @@ -20,7 +20,7 @@ config = lib.mkIf config.myServices.certificates.enable { services.duplyBackup.profiles.system.excludeFile = '' - + ${config.security.acme.directory} + + /var/lib/acme/acme-challenge ''; services.nginx = { recommendedTlsSettings = true; @@ -41,17 +41,33 @@ systemd.services = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' - cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem - chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem + cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem '') + (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' - cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem - chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem + cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem '') ; }) - ) config.security.acme.certs // { + ) config.security.acme.certs // + lib.attrsets.mapAttrs' (k: data: + lib.attrsets.nameValuePair "acme-${k}" { + serviceConfig.ExecStartPre = + let + script = pkgs.writeScript "acme-pre-start" '' + #!${pkgs.runtimeShell} -e + mkdir -p '${data.webroot}/.well-known/acme-challenge' + chmod a+w '${data.webroot}/.well-known/acme-challenge' + #doesn't work for multiple concurrent runs + #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' + ''; + in + "+${script}"; + } + ) config.security.acme.certs // + { httpdProd = lib.mkIf config.services.httpd.Prod.enable { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; httpdTools = lib.mkIf config.services.httpd.Tools.enable