diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-03-25 11:57:48 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-03 16:25:07 +0200 |
commit | 5400b9b6f65451d41a9106fae6fc00f97d83f4ef (patch) | |
tree | 6ed072da7b1f17ac3994ffea052aa0c0822f8446 /modules/private/certificates.nix | |
parent | 441da8aac378f401625e82caf281fa0e26128310 (diff) | |
download | Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.tar.gz Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.tar.zst Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.zip |
Upgrade nixos
Diffstat (limited to 'modules/private/certificates.nix')
-rw-r--r-- | modules/private/certificates.nix | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index f057200..2bf2730 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -30,9 +30,9 @@ | |||
30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 31 | myServices.ircCerts = config.myServices.certificates.certConfig; |
32 | 32 | ||
33 | security.acme2.preliminarySelfsigned = true; | 33 | security.acme.preliminarySelfsigned = true; |
34 | 34 | ||
35 | security.acme2.certs = { | 35 | security.acme.certs = { |
36 | "${name}" = config.myServices.certificates.certConfig // { | 36 | "${name}" = config.myServices.certificates.certConfig // { |
37 | domain = config.hostEnv.fqdn; | 37 | domain = config.hostEnv.fqdn; |
38 | }; | 38 | }; |
@@ -41,17 +41,33 @@ | |||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = |
43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' |
44 | cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem | 44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem |
45 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem | 45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem |
46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem | 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem |
47 | '') + | 47 | '') + |
48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' |
49 | cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem | 49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem |
50 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem | 50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem | 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem |
52 | '') | 52 | '') |
53 | ; }) | 53 | ; }) |
54 | ) config.security.acme2.certs // { | 54 | ) config.security.acme.certs // |
55 | lib.attrsets.mapAttrs' (k: data: | ||
56 | lib.attrsets.nameValuePair "acme-${k}" { | ||
57 | serviceConfig.ExecStartPre = | ||
58 | let | ||
59 | script = pkgs.writeScript "acme-pre-start" '' | ||
60 | #!${pkgs.runtimeShell} -e | ||
61 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | ||
62 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | ||
63 | #doesn't work for multiple concurrent runs | ||
64 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | ||
65 | ''; | ||
66 | in | ||
67 | "+${script}"; | ||
68 | } | ||
69 | ) config.security.acme.certs // | ||
70 | { | ||
55 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | 71 | httpdProd = lib.mkIf config.services.httpd.Prod.enable |
56 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | 72 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; |
57 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | 73 | httpdTools = lib.mkIf config.services.httpd.Tools.enable |