diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-03-25 11:57:48 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-03 16:25:07 +0200 |
| commit | 5400b9b6f65451d41a9106fae6fc00f97d83f4ef (patch) | |
| tree | 6ed072da7b1f17ac3994ffea052aa0c0822f8446 /modules/private/certificates.nix | |
| parent | 441da8aac378f401625e82caf281fa0e26128310 (diff) | |
| download | Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.tar.gz Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.tar.zst Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.zip | |
Upgrade nixos
Diffstat (limited to 'modules/private/certificates.nix')
| -rw-r--r-- | modules/private/certificates.nix | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index f057200..2bf2730 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
| @@ -30,9 +30,9 @@ | |||
| 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
| 31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 31 | myServices.ircCerts = config.myServices.certificates.certConfig; |
| 32 | 32 | ||
| 33 | security.acme2.preliminarySelfsigned = true; | 33 | security.acme.preliminarySelfsigned = true; |
| 34 | 34 | ||
| 35 | security.acme2.certs = { | 35 | security.acme.certs = { |
| 36 | "${name}" = config.myServices.certificates.certConfig // { | 36 | "${name}" = config.myServices.certificates.certConfig // { |
| 37 | domain = config.hostEnv.fqdn; | 37 | domain = config.hostEnv.fqdn; |
| 38 | }; | 38 | }; |
| @@ -41,17 +41,33 @@ | |||
| 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
| 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = |
| 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' |
| 44 | cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem | 44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem |
| 45 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem | 45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem |
| 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem | 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem |
| 47 | '') + | 47 | '') + |
| 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' |
| 49 | cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem | 49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem |
| 50 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem | 50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem |
| 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem | 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem |
| 52 | '') | 52 | '') |
| 53 | ; }) | 53 | ; }) |
| 54 | ) config.security.acme2.certs // { | 54 | ) config.security.acme.certs // |
| 55 | lib.attrsets.mapAttrs' (k: data: | ||
| 56 | lib.attrsets.nameValuePair "acme-${k}" { | ||
| 57 | serviceConfig.ExecStartPre = | ||
| 58 | let | ||
| 59 | script = pkgs.writeScript "acme-pre-start" '' | ||
| 60 | #!${pkgs.runtimeShell} -e | ||
| 61 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | ||
| 62 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | ||
| 63 | #doesn't work for multiple concurrent runs | ||
| 64 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | ||
| 65 | ''; | ||
| 66 | in | ||
| 67 | "+${script}"; | ||
| 68 | } | ||
| 69 | ) config.security.acme.certs // | ||
| 70 | { | ||
| 55 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | 71 | httpdProd = lib.mkIf config.services.httpd.Prod.enable |
| 56 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | 72 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; |
| 57 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | 73 | httpdTools = lib.mkIf config.services.httpd.Tools.enable |