enable = lib.mkEnableOption "enable certificates";
certConfig = lib.mkOption {
default = {
- webroot = "/var/lib/acme/acme-challenge";
+ webroot = "/var/lib/acme/acme-challenges";
email = "ismael@bouya.org";
postRun = builtins.concatStringsSep "\n" [
(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
config = lib.mkIf config.myServices.certificates.enable {
services.duplyBackup.profiles.system.excludeFile = ''
- + /var/lib/acme/acme-challenge
+ + /var/lib/acme/acme-challenges
'';
services.nginx = {
recommendedTlsSettings = true;
- virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
+ virtualHosts = {
+ "${config.hostEnv.fqdn}" = {
+ acmeRoot = config.security.acme.certs."${name}".webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ };
+ };
};
services.websites.certs = config.myServices.certificates.certConfig;
myServices.databasesCerts = config.myServices.certificates.certConfig;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts."status.immae.eu" = {
+ acmeRoot = config.security.acme.certs."${name}".webroot;
useACMEHost = name;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
system.activationScripts = {
httpd = ''
- install -d -m 0755 /var/lib/acme/acme-challenge
+ install -d -m 0755 /var/lib/acme/acme-challenges
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
'';
};
projects / perso / Immae / Config / Nix.git / commitdiff
