author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-07 23:01:14 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-07 23:02:01 +0200 |
commit | 3ffa15baf832f5b94cfd8d1b978eaa42f4102e07 (patch) | |
tree | 9c49e8f236c0f25e9d6761a5e26567fdd87aff6d /modules/private/certificates.nix | |
parent | ca732a83f6d298847560f66b4aa4cb53011c0c88 (diff) | |
Fix acme challenge folders
Diffstat (limited to 'modules/private/certificates.nix')
-rw-r--r-- | modules/private/certificates.nix | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 82ff52f..c68bbee 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -4,7 +4,7 @@ | |||
4 | enable = lib.mkEnableOption "enable certificates"; | 4 | enable = lib.mkEnableOption "enable certificates"; |
5 | certConfig = lib.mkOption { | 5 | certConfig = lib.mkOption { |
6 | default = { | 6 | default = { |
7 | webroot = "/var/lib/acme/acme-challenge"; | 7 | webroot = "/var/lib/acme/acme-challenges"; |
8 | email = "ismael@bouya.org"; | 8 | email = "ismael@bouya.org"; |
9 | postRun = builtins.concatStringsSep "\n" [ | 9 | postRun = builtins.concatStringsSep "\n" [ |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | 10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") |
@@ -19,11 +19,17 @@ | |||
19 | 19 | ||
20 | config = lib.mkIf config.myServices.certificates.enable { | 20 | config = lib.mkIf config.myServices.certificates.enable { |
21 | services.duplyBackup.profiles.system.excludeFile = '' | 21 | services.duplyBackup.profiles.system.excludeFile = '' |
22 | + /var/lib/acme/acme-challenge | 22 | + /var/lib/acme/acme-challenges |
23 | ''; | 23 | ''; |
24 | services.nginx = { | 24 | services.nginx = { |
25 | recommendedTlsSettings = true; | 25 | recommendedTlsSettings = true; |
26 | virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; }; | 26 | virtualHosts = { |
27 | "${config.hostEnv.fqdn}" = { | ||
28 | acmeRoot = config.security.acme.certs."${name}".webroot; | ||
29 | useACMEHost = name; | ||
30 | forceSSL = true; | ||
31 | }; | ||
32 | }; | ||
27 | }; | 33 | }; |
28 | services.websites.certs = config.myServices.certificates.certConfig; | 34 | services.websites.certs = config.myServices.certificates.certConfig; |
29 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 35 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
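Review bot: The webroot path is still hard-coded in two places that must agree — the `certConfig` default (`webroot = "/var/lib/acme/acme-challenges"`) and the duply `excludeFile` entry (`+ /var/lib/acme/acme-challenges`) — which is exactly the drift this commit had to repair, while the new nginx line already derives the path from `config.security.acme.certs."${name}".webroot`. I would make the backup entry reference the same source so a future change of the webroot cannot silently leave the backup rule pointing at a stale directory: `+ ${config.security.acme.certs."${name}".webroot}`. Separately, if duply's exclude file follows duplicity filelist semantics, a leading `+ ` marks an include rather than an exclude, so this line adds the challenge directory to the backup; that may be intentional (it only holds short-lived HTTP-01 tokens), but it is worth confirming against the rest of the profile, which is not visible here. Note that `acmeRoot` only matters if the nginx module serves `/.well-known/acme-challenge` for a `useACMEHost` vhost (it does in recent NixOS, but confirm for the pinned channel). The enclosing `config = lib.mkIf config.myServices.certificates.enable { … }` block continues past the end of the hunk.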