dataDir = cfg.dataDir;
extraOptions = ''
ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ssl_key = /var/lib/acme/mysql/key.pem
- ssl_cert = /var/lib/acme/mysql/fullchain.pem
+ ssl_key = ${config.security.acme.directory}/mysql/key.pem
+ ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
'';
};
directory ${cfg.dataDir}
overlay memberof
- TLSCertificateFile /var/lib/acme/ldap/cert.pem
- TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
- TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+ TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
+ TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
+ TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
#This makes openldap crash
#TLSCipherSuite DEFAULT
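Review bot: The new `TLSCACertificateFile` line points at `fullchain.pem`, which in the usual ACME layout holds the server's own leaf certificate followed by the intermediates, whereas the chain-only file this configuration uses elsewhere is `chain.pem` (the vhost hunk's `sslServerChain`). If the intent is to hand clients the intermediate chain, `TLSCACertificateFile ${config.security.acme.directory}/ldap/chain.pem` is the narrower choice; if it is meant as the trust anchor for verifying client certificates, that should be a dedicated CA file rather than the server's own chain. `TLSCACertificatePath` on the following line already supplies the public CA bundle, so the two directives overlap and a one-line comment stating which role each serves would help the next reader. The enclosing settings string starts before and ends after this hunk.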
lc_time = 'en_US.UTF-8'
default_text_search_config = 'pg_catalog.english'
ssl = on
- ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
- ssl_key_file = '/var/lib/acme/postgresql/key.pem'
+ ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
+ ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
'';
authentication = ''
local all postgres ident
serverAliases = [ "*" ];
enableSSL = false;
logFormat = "combinedVhost";
- documentRoot = "/var/lib/acme/acme-challenge";
+ documentRoot = "${config.security.acme.directory}/acme-challenge";
extraConfig = ''
RewriteEngine on
RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
};
toVhost = ips: vhostConf: {
enableSSL = true;
- sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
- sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
- sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
+ sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
+ sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
+ sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
logFormat = "combinedVhost";
listen = map (ip: { inherit ip; port = 443; }) ips;
hostName = builtins.head vhostConf.hosts;
options.services.myCertificates = {
certConfig = lib.mkOption {
default = {
- webroot = "/var/lib/acme/acme-challenge";
+ webroot = "${config.security.acme.directory}/acme-challenge";
email = "ismael@bouya.org";
postRun = ''
systemctl reload httpdTools.service httpdInte.service httpdProd.service
systemd.services = lib.attrsets.mapAttrs' (k: v:
lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
- cp $workdir/server.crt /var/lib/acme/${k}/cert.pem
- chown '${v.user}:${v.group}' /var/lib/acme/${k}/cert.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} /var/lib/acme/${k}/cert.pem
+ cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
'') +
(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
- cp $workdir/ca.crt /var/lib/acme/${k}/chain.pem
- chown '${v.user}:${v.group}' /var/lib/acme/${k}/chain.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} /var/lib/acme/${k}/chain.pem
+ cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
+ chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
+ chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
'')
; })
) config.security.acme.certs // {
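Review bot: The `cp` / `chown` / `chmod` triples for `cert.pem` and `chain.pem` create each file under the default umask first and only then fix ownership and mode, so between the copy and the `chmod` the file carries whatever the umask allows, and the `allowKeysForGroup` mode is applied after the fact rather than at creation. A single `install` call sets owner, group and mode atomically, e.g. `install -m ${if v.allowKeysForGroup then "750" else "700"} -o '${v.user}' -g '${v.group}' $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem`, with the same form for `chain.pem` using `$workdir/ca.crt`. These two files are public certificates, so the exposure here is minor, but if the same three-step pattern is used for the private key outside this hunk it matters there and should be changed in the same way. The attribute set merged after `//` continues past the end of the hunk.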
MaxDiskUsage 99
CustomerProof yes
TLS 1
- CertFile /var/lib/acme/ftp/full.pem
+ CertFile ${config.security.acme.directory}/ftp/full.pem
'';
in {
description = "Pure-FTPd server";
bitlbee = {
accept = 6697;
connect = 6667;
- cert = "/var/lib/acme/irc/full.pem";
+ cert = "${config.security.acme.directory}/irc/full.pem";
};
};
};
inherit fqdn;
listenHost = "::";
pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
- pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
- pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
- pki.manual.server.key = "/var/lib/acme/task/key.pem";
+ pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
+ pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
+ pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
requestLimit = 104857600;
};
system.activationScripts = {
httpd = ''
- install -d -m 0755 /var/lib/acme/acme-challenge
+ install -d -m 0755 ${config.security.acme.directory}/acme-challenge
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer