X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=bbe4c3bbf1c093510aed37622d30aa149ab3729b;hb=34c7b88e16d1768b1b9a0cfa6dd21ea5d9b1b308;hp=5b86b6d1da4e9fa637afcbde31821dfbb30d095f;hpb=364b709fc590aca7ab9b38be97c91431abf011e1;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 5b86b6d..bbe4c3b 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -12,6 +12,7 @@
           (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
           (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
         ];
+        extraLegoRenewFlags = [ "--reuse-key" ];
       };
       description = "Default configuration for certificates";
     };
@@ -45,19 +46,22 @@
     };
 
     systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
-        cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
+          wantedBy = [ "acme-selfsigned-certificates.target" ];
+          script = lib.mkAfter ''
+          cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
 
-        cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-        '';
-      }
-    ) config.security.acme.certs //
+          cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
+          '';
+        }
+      ) config.security.acme.certs //
     lib.attrsets.mapAttrs' (k: data:
       lib.attrsets.nameValuePair "acme-${k}" {
+        after = lib.mkAfter [ "bind.service" ];
         serviceConfig.ExecStartPre =
           let
             script = pkgs.writeScript "acme-pre-start" ''
@@ -74,7 +78,7 @@
         # https://github.com/NixOS/nixpkgs/issues/84633
         serviceConfig.RemainAfterExit = lib.mkForce false;
         serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego";
-        serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}";
+        serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k} acme/.lego/${k} acme/.lego/accounts";
         serviceConfig.ExecStartPost =
           let
             keyName = builtins.replaceStrings ["*"] ["_"] data.domain;