author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-05 17:09:33 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-05 17:09:33 +0100 |
commit | 6e9f30f4c63fddc5ce886b26b7e4e9ca23a93111 (patch) | |
tree | dbc218e3b671ca8e694e22f232252ae64e277bac /modules/private/certificates.nix | |
parent | e820134d38c3b7470ea5112f40a6dc967f039878 (diff) | |
Add status page for monitoring host
Diffstat (limited to 'modules/private/certificates.nix')
-rw-r--r-- | modules/private/certificates.nix | 31 |
1 files changed, 19 insertions, 12 deletions
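--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, name, ... }:
 {
 options.myServices.certificates = {
 enable = lib.mkEnableOption "enable certificates";
@@ -6,9 +6,12 @@
 default = {
 webroot = "${config.security.acme.directory}/acme-challenge";
 email = "ismael@bouya.org";
-postRun = ''
-systemctl reload httpdTools.service httpdInte.service httpdProd.service
-'';
+postRun = builtins.concatStringsSep "\n" [
+(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
+(lib.optionalString config.services.httpd.Tools.enable "systemctl reload httpdTools.service")
+(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
+(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
+];
 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
 };
 description = "Default configuration for certificates";
@@ -19,6 +22,10 @@
 services.duplyBackup.profiles.system.excludeFile = ''
 + ${config.security.acme.directory}
 '';
+services.nginx = {
+recommendedTlsSettings = true;
+virtualHosts = { "${config.hostEnv.FQDN}" = { useACMEHost = name; forceSSL = true; }; };
+};
 services.websites.certs = config.myServices.certificates.certConfig;
 myServices.databasesCerts = config.myServices.certificates.certConfig;
 myServices.ircCerts = config.myServices.certificates.certConfig;
@@ -26,8 +33,8 @@
 security.acme.preliminarySelfsigned = true;
 
 security.acme.certs = {
-"eldiron" = config.myServices.certificates.certConfig // {
-domain = "eldiron.immae.eu";
+"${name}" = config.myServices.certificates.certConfig // {
+domain = config.hostEnv.FQDN;
 };
 };
 
@@ -45,12 +52,12 @@
 '')
 ; })
 ) config.security.acme.certs // {
-httpdProd.after = [ "acme-selfsigned-certificates.target" ];
-httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
-httpdTools.after = [ "acme-selfsigned-certificates.target" ];
-httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
-httpdInte.after = [ "acme-selfsigned-certificates.target" ];
-httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+httpdProd = lib.mkIf config.services.httpd.Prod.enable
+{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+httpdTools = lib.mkIf config.services.httpd.Tools.enable
+{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
+httpdInte = lib.mkIf config.services.httpd.Inte.enable
+{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 };
 };
 }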
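Review bot: In the last hunk the three httpd units are ordered after and wanting `acme-selfsigned-certificates.target`, but no such entry is added for `nginx`, even though the third hunk now points an nginx virtual host at the same certificate via `useACMEHost = name` and the new `postRun` reloads `nginx.service`. Unless the NixOS nginx module adds that ordering itself for `useACMEHost` in this nixpkgs revision (I have not confirmed it does; it is documented to add no certificate handling for that option), nginx can start before the preliminary self-signed certificate exists on a freshly installed host and fail to load its TLS files. Adding `nginx = lib.mkIf config.services.nginx.enable { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };` next to the httpd entries keeps all four services that consume the certificate consistent. The `name` argument introduced in the first hunk is not a standard top-level NixOS module argument, so a short comment such as `# name: host name supplied by the evaluation (via specialArgs/_module.args)` would save readers a search; the attribute sets edited by the third and last hunks begin outside the hunks.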