Add config for CI
[perso/Immae/Config/Nix.git] / modules / private / certificates.nix
index c568783b622c17ecb32ca43257070e6daaa3d50e..9879946d07b0da37ce600d506a09f78ac382bd4e 100644 (file)
@@ -24,9 +24,6 @@
   };
 
   config = lib.mkIf config.myServices.certificates.enable {
-    services.duplyBackup.profiles.system.excludeFile = ''
-      + ${config.myServices.certificates.webroot}
-      '';
     services.nginx = {
       recommendedTlsSettings = true;
       virtualHosts = {
             '');
             ExecStartPost =
               let
+                ISRG_Root_X1 = pkgs.fetchurl {
+                  url = "https://letsencrypt.org/certs/isrgrootx1.pem";
+                  sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
+                };
+                fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
+                  for file in chain fullchain full; do
+                    if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
+                      cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
+                      sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
+                    fi
+                  done
+                '';
                 script = pkgs.writeScript "acme-post-start" ''
                   #!${pkgs.runtimeShell} -e
                   install -m 0755 -o root -g root -d /var/lib/acme
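Review bot: The `sed -i.bak` call in `fix_ISRG_Root_X1` leaves `chain.pem.bak`, `fullchain.pem.bak` and `full.pem.bak` in the certificate directory, and the `chmod ${fileMode} *.pem` / `chown '${data.user}:${data.group}' *.pem` lines that follow the call in the next hunk only match `*.pem`. If `full.pem` bundles the private key (as it usually does in the NixOS ACME layout; worth confirming here), a copy of the key stays behind with whatever mode and owner the original file had, outside that permission reset. Dropping the suffix (`sed -i -ne …`) or adding `rm -f "$file.pem.bak"` right after the edit avoids this, and the final `$file.pem` operand should be quoted as `"$file.pem"` to match the `grep` line. The helper is also written without a `#!${pkgs.runtimeShell} -e` first line, so it appears to rely on the calling shell's fallback for shebang-less files and most likely does not run under the caller's `-e`. The surrounding `let` expression for `ExecStartPost` starts and ends outside this hunk.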
                     echo -n "${hashOptions}" > ${spath}/currentDomains
                   fi
 
+                  ${fix_ISRG_Root_X1}
                   chmod ${fileMode} *.pem
                   chown '${data.user}:${data.group}' *.pem