authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-05 15:57:20 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-06 00:25:00 +0200
commit258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch)
tree03ca447495573f6745b701096d8b31283ce30466 /modules/private/certificates.nix
parente7b890d0999fe54a99f84fe92d625d9d488358dc (diff)
downloadNix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.gz
Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.zst
Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.zip
Upgrade to nixos-unstable
Diffstat (limited to 'modules/private/certificates.nix')
-rw-r--r--modules/private/certificates.nix12
1 files changed, 5 insertions, 7 deletions
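--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -12,7 +12,6 @@
 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
 ];
-plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
 };
 description = "Default configuration for certificates";
 };
@@ -30,6 +29,7 @@
 myServices.databasesCerts = config.myServices.certificates.certConfig;
 myServices.ircCerts = config.myServices.certificates.certConfig;
 
+security.acme.acceptTerms = true;
 security.acme.preliminarySelfsigned = true;
 
 security.acme.certs = {
@@ -39,18 +39,16 @@
 };
 
 systemd.services = lib.attrsets.mapAttrs' (k: v:
-lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
-(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
+lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
 cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-'') +
-(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
+
 cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-'')
-; })
+'';
+}
 ) config.security.acme.certs //
 lib.attrsets.mapAttrs' (k: data:
 lib.attrsets.nameValuePair "acme-${k}" {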
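Review bot: The script prepended with `lib.mkBefore` in the acme-selfsigned-${k} unit reads `$workdir/server.crt` and `$workdir/ca.crt`, but nothing in this hunk sets `$workdir` or creates those files, and `mkBefore` places these lines ahead of the unit's own script text. If the upstream acme-selfsigned unit of the nixos-unstable module this commit targets is what creates `$workdir` and the preliminary key material, these copies run before they exist and `cp $workdir/server.crt` expands to `cp /server.crt`, which either fails the unit or, without errexit, leaves `cert.pem`/`chain.pem` unwritten while the service still reports success. Confirm the ordering against that module and, if the files are produced by the upstream script, move this to `lib.mkAfter` or a `postStart` step so the hook never runs against an unset `$workdir`. It would also be safer to quote the destination paths, e.g. `cp "$workdir/server.crt" "${config.security.acme.certs."${k}".directory}/cert.pem"`, so the `chown`/`chmod` lines cannot word-split on an unusual directory name. The `mapAttrs'` expression that builds these units continues past the end of the hunk.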