Fix selfsigned certificates

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-04-18 16:08:53 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-04-18 16:08:53 +0200
commit: 2fe37e4945c19d25ec65fb1591ee010a97d8bf80 (patch)
tree: 28ca779f22b73e465b12ce4fc57ef98abb9031b5 /modules/private/certificates.nix
parent: b23c5027b611a40ad348aaaa60cb8419fb7e1ba9 (diff)
download: Nix-2fe37e4945c19d25ec65fb1591ee010a97d8bf80.tar.gz
Nix-2fe37e4945c19d25ec65fb1591ee010a97d8bf80.tar.zst
Nix-2fe37e4945c19d25ec65fb1591ee010a97d8bf80.zip
1 files changed, 12 insertions, 10 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 5b86b6d..b9c0860 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -45,17 +45,19 @@
    };
    systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
-        cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+          wantedBy = [ "acme-selfsigned-certificates.target" ];
-        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+          script = lib.mkAfter ''
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
+          cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-        cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+          cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+          chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
+          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-        '';
+          '';
-      }
+        }
-    ) config.security.acme.certs //
+      ) config.security.acme.certs //
    lib.attrsets.mapAttrs' (k: data:
      lib.attrsets.nameValuePair "acme-${k}" {
        serviceConfig.ExecStartPre =
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-04-18 16:08:53 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-04-18 16:08:53 +0200
commit	2fe37e4945c19d25ec65fb1591ee010a97d8bf80 (patch)
tree	28ca779f22b73e465b12ce4fc57ef98abb9031b5 /modules/private/certificates.nix
parent	b23c5027b611a40ad348aaaa60cb8419fb7e1ba9 (diff)
download	Nix-2fe37e4945c19d25ec65fb1591ee010a97d8bf80.tar.gz Nix-2fe37e4945c19d25ec65fb1591ee010a97d8bf80.tar.zst Nix-2fe37e4945c19d25ec65fb1591ee010a97d8bf80.zip

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 5b86b6d..b9c0860 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix
@@ -45,17 +45,19 @@
45	};	45	};
46		46
47	systemd.services = lib.attrsets.mapAttrs' (k: v:	47	systemd.services = lib.attrsets.mapAttrs' (k: v:
48	lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''	48	lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
49	cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem	49	wantedBy = [ "acme-selfsigned-certificates.target" ];
50	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem	50	script = lib.mkAfter ''
51	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem	51	cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
		52	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
		53	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
52		54
53	cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem	55	cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
54	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem	56	chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
55	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem	57	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
56	'';	58	'';
57	}	59	}
58	) config.security.acme.certs //	60	) config.security.acme.certs //
59	lib.attrsets.mapAttrs' (k: data:	61	lib.attrsets.mapAttrs' (k: data:
60	lib.attrsets.nameValuePair "acme-${k}" {	62	lib.attrsets.nameValuePair "acme-${k}" {
61	serviceConfig.ExecStartPre =	63	serviceConfig.ExecStartPre =