authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-07 23:01:14 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-07 23:02:01 +0200
commit3ffa15baf832f5b94cfd8d1b978eaa42f4102e07 (patch)
tree9c49e8f236c0f25e9d6761a5e26567fdd87aff6d
parentca732a83f6d298847560f66b4aa4cb53011c0c88 (diff)
Fix acme challenge folders
-rw-r--r--modules/private/certificates.nix12
-rw-r--r--modules/private/monitoring/status.nix1
-rw-r--r--modules/private/websites/default.nix2
3 files changed, 11 insertions, 4 deletions
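--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -4,7 +4,7 @@
 enable = lib.mkEnableOption "enable certificates";
 certConfig = lib.mkOption {
 default = {
-webroot = "/var/lib/acme/acme-challenge";
+webroot = "/var/lib/acme/acme-challenges";
 email = "ismael@bouya.org";
 postRun = builtins.concatStringsSep "\n" [
 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
@@ -19,11 +19,17 @@
 
 config = lib.mkIf config.myServices.certificates.enable {
 services.duplyBackup.profiles.system.excludeFile = ''
-+ /var/lib/acme/acme-challenge
++ /var/lib/acme/acme-challenges
 '';
 services.nginx = {
 recommendedTlsSettings = true;
-virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
+virtualHosts = {
+"${config.hostEnv.fqdn}" = {
+acmeRoot = config.security.acme.certs."${name}".webroot;
+useACMEHost = name;
+forceSSL = true;
+};
+};
 };
 services.websites.certs = config.myServices.certificates.certConfig;
 myServices.databasesCerts = config.myServices.certificates.certConfig;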
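Review bot: The webroot path is still spelled out as a literal in three places — the `certConfig` default at line 7, the duply exclude entry at line 22, and the `install -d` in modules/private/websites/default.nix line 128 — which is exactly the drift this commit had to repair. In this file the exclude entry can read the option instead, `+ ${config.myServices.certificates.certConfig.webroot}`, since the same value is already exported to other modules at line 34; the activation script in websites/default.nix can presumably take it from the certs it receives there (`services.websites.certs`), though that option's declaration is not in this diff. The new `acmeRoot = config.security.acme.certs."${name}".webroot;` lines (here and in status.nix) tie the nginx challenge location to whatever the ACME cert actually uses, so the literal only needs fixing at its source. On the `install -d -m 0755` line in default.nix, the directory is created without an owner and so stays root-owned; unless the ACME service itself creates and chowns `.well-known/acme-challenge` beneath it, a non-root ACME client will be unable to write challenge files there and renewals will fail — worth confirming against the acme module in use.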
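--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -29,6 +29,7 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 virtualHosts."status.immae.eu" = {
+acmeRoot = config.security.acme.certs."${name}".webroot;
 useACMEHost = name;
 forceSSL = true;
 locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";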
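--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -125,7 +125,7 @@ in
 
 system.activationScripts = {
 httpd = ''
-install -d -m 0755 /var/lib/acme/acme-challenge
+install -d -m 0755 /var/lib/acme/acme-challenges
 install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
 '';
 };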