X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=2bf27302edb8ae8ad435c7df8fb2f4c1d2bfc9ef;hp=f057200263416c9aeaa33d20c80b20c4f19e4098;hb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;hpb=441da8aac378f401625e82caf281fa0e26128310

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index f057200..2bf2730 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -30,9 +30,9 @@
     myServices.databasesCerts = config.myServices.certificates.certConfig;
     myServices.ircCerts = config.myServices.certificates.certConfig;
 
-    security.acme2.preliminarySelfsigned = true;
+    security.acme.preliminarySelfsigned = true;
 
-    security.acme2.certs = {
+    security.acme.certs = {
       "${name}" = config.myServices.certificates.certConfig // {
         domain = config.hostEnv.fqdn;
       };
@@ -41,17 +41,33 @@
     systemd.services = lib.attrsets.mapAttrs' (k: v:
       lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
         (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
-        cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem
-        chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem
+        cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
         '') +
         (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
-        cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem
-        chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem
+        cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
         '')
       ; })
-    ) config.security.acme2.certs // {
+    ) config.security.acme.certs //
+    lib.attrsets.mapAttrs' (k: data:
+      lib.attrsets.nameValuePair "acme-${k}" {
+        serviceConfig.ExecStartPre =
+          let
+            script = pkgs.writeScript "acme-pre-start" ''
+              #!${pkgs.runtimeShell} -e
+              mkdir -p '${data.webroot}/.well-known/acme-challenge'
+              chmod a+w '${data.webroot}/.well-known/acme-challenge'
+              #doesn't work for multiple concurrent runs
+              #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+            '';
+          in
+            "+${script}";
+      }
+    ) config.security.acme.certs //
+    {
       httpdProd = lib.mkIf config.services.httpd.Prod.enable
         { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
       httpdTools = lib.mkIf config.services.httpd.Tools.enable