X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=b97d0bc1dd3c3492a6c90b5dd42aac5b80f73ac9;hb=ad6d50d9968b271480ff68c018b12623ad553e87;hp=c568783b622c17ecb32ca43257070e6daaa3d50e;hpb=cfda3cfc35445979225850f686f338e6d4ace372;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index c568783..b97d0bc 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix @@ -24,9 +24,6 @@ }; config = lib.mkIf config.myServices.certificates.enable { - services.duplyBackup.profiles.system.excludeFile = '' - + ${config.myServices.certificates.webroot} - ''; services.nginx = { recommendedTlsSettings = true; virtualHosts = { @@ -145,6 +142,14 @@ ''); ExecStartPost = let + ISRG_Root_X1 = pkgs.fetchurl { + url = "https://letsencrypt.org/certs/isrgrootx1.pem"; + sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"; + }; + fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" '' + cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \ + sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" chain.pem fullchain.pem full.pem + ''; script = pkgs.writeScript "acme-post-start" '' #!${pkgs.runtimeShell} -e install -m 0755 -o root -g root -d /var/lib/acme @@ -166,6 +171,7 @@ chmod ${fileMode} *.pem chown '${data.user}:${data.group}' *.pem + ${fix_ISRG_Root_X1} if [ "$KEY_CHANGED" = "yes" ]; then : # noop in case postRun is empty
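Review bot: In `fix_ISRG_Root_X1`, a single `sed -i.bak` call edits `chain.pem fullchain.pem full.pem` while the replacement body comes from `r /dev/stdin`, and a pipe can only be drained once. As far as I can tell, the first file that matches receives the ISRG Root X1 body, and the later ones have the matched block removed with nothing put in its place, which would leave an empty certificate block in `fullchain.pem` and `full.pem`. Running the pipeline once per file avoids this: `for f in chain.pem fullchain.pem full.pem; do grep -v " CERTIFICATE" ${ISRG_Root_X1} | sed -i.bak … "$f"; done`. A short comment naming the certificate the two base64 anchors belong to, and why it is swapped, would also help, because the match silently does nothing once the issued chain changes. The enclosing `let` block starts and ends outside the hunk.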
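Review bot: `${fix_ISRG_Root_X1}` is executed by path here, but the helper defined in the earlier hunk has no `#!` line and sets neither `-e` nor `pipefail`, so it runs only through the shell's fallback for headerless scripts and its exit status is that of `sed` alone. A failing `grep` on the fetched root would therefore not stop this `-e` script, and the rewritten chain files are used without any check that they still parse. Starting the helper with `#!${pkgs.runtimeShell} -e` followed by `set -o pipefail` would make such failures abort the post-start step. The call is also unconditional, so if the `.pem` files are not re-issued between runs, each `.bak` is overwritten by the already-edited file and stops being a copy of the issued chain. The surrounding script continues outside the hunk.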