author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-05 15:57:20 +0200 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-06 00:25:00 +0200 |
commit | 258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch) | |
tree | 03ca447495573f6745b701096d8b31283ce30466 /modules/private/certificates.nix | |
parent | e7b890d0999fe54a99f84fe92d625d9d488358dc (diff) | |
download | Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.gz Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.zst Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.zip |
Upgrade to nixos-unstable
Diffstat (limited to 'modules/private/certificates.nix')
-rw-r--r-- | modules/private/certificates.nix | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2bf2730..82ff52f 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -12,7 +12,6 @@ | |||
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | 12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | 13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") |
14 | ]; | 14 | ]; |
15 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; | ||
16 | }; | 15 | }; |
17 | description = "Default configuration for certificates"; | 16 | description = "Default configuration for certificates"; |
18 | }; | 17 | }; |
@@ -30,6 +29,7 @@ | |||
30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 29 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 30 | myServices.ircCerts = config.myServices.certificates.certConfig; |
32 | 31 | ||
32 | security.acme.acceptTerms = true; | ||
33 | security.acme.preliminarySelfsigned = true; | 33 | security.acme.preliminarySelfsigned = true; |
34 | 34 | ||
35 | security.acme.certs = { | 35 | security.acme.certs = { |
@@ -39,18 +39,16 @@ | |||
39 | }; | 39 | }; |
40 | 40 | ||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' |
43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | ||
44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | 43 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem |
45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | 44 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem |
46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | 45 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem |
47 | '') + | 46 | |
48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | ||
49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | 47 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem |
50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | 48 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | 49 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem |
52 | '') | 50 | ''; |
53 | ; }) | 51 | } |
54 | ) config.security.acme.certs // | 52 | ) config.security.acme.certs // |
55 | lib.attrsets.mapAttrs' (k: data: | 53 | lib.attrsets.mapAttrs' (k: data: |
56 | lib.attrsets.nameValuePair "acme-${k}" { | 54 | lib.attrsets.nameValuePair "acme-${k}" { |
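Review bot: The copy block at new lines 43–49 relies on `$workdir`, `server.crt` and `ca.crt` being produced by the upstream acme-selfsigned service, yet `lib.mkBefore` on `script` (new line 42) orders these lines ahead of the module's own script body; if the nixos-unstable module assigns `workdir` and generates the certificate inside that body rather than in a preStart step, every `cp` here runs against paths that do not exist yet and the service fails under the default `-e` shell. That ordering is worth confirming against the current acme module before relying on it, and the block should be moved after the upstream body if so. The destination `${config.security.acme.certs."${k}".directory}` is also interpolated unquoted into the shell, unlike `'${v.user}:${v.group}'` on the chown lines; writing it as `"${config.security.acme.certs."${k}".directory}/cert.pem"` (and likewise for chain.pem) would be consistent and safe for directories containing whitespace. The `systemd.services` expression this hunk rewrites continues past the end of the hunk.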