Upgrade acme bot

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-01-15 20:41:19 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-01-15 20:41:19 +0100
commit: 981fa80354fd6f00f49446777c38f77bd8a65f65 (patch)
tree: 878a24e3daa325cfec75b1a413e5144829558d38 /modules/private/certificates.nix
parent: 258441019881c451686dbe537069228cc8e49612 (diff)
download: Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.tar.gz
Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.tar.zst
Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.zip
1 files changed, 12 insertions, 12 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2d24579..f057200 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -4,7 +4,7 @@
    enable = lib.mkEnableOption "enable certificates";
    certConfig = lib.mkOption {
      default = {
-        webroot = "${config.security.acme.directory}/acme-challenge";
+        webroot = "/var/lib/acme/acme-challenge";
        email = "ismael@bouya.org";
        postRun = builtins.concatStringsSep "\n" [
          (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
@@ -12,7 +12,7 @@
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
      };
      description = "Default configuration for certificates";
    };
@@ -20,7 +20,7 @@
  config = lib.mkIf config.myServices.certificates.enable {
    services.duplyBackup.profiles.system.excludeFile = ''
-      + ${config.security.acme.directory}
+      + /var/lib/acme/acme-challenge
      '';
    services.nginx = {
      recommendedTlsSettings = true;
@@ -30,9 +30,9 @@
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;
-    security.acme.preliminarySelfsigned = true;
+    security.acme2.preliminarySelfsigned = true;
-    security.acme.certs = {
+    security.acme2.certs = {
      "${name}" = config.myServices.certificates.certConfig // {
        domain = config.hostEnv.fqdn;
      };
@@ -41,17 +41,17 @@
    systemd.services = lib.attrsets.mapAttrs' (k: v:
      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
-        cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
+        cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
+        chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem
        '') +
        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
-        cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
+        cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem
-        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
+        chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem
-        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem
        '')
      ; })
-    ) config.security.acme.certs // {
+    ) config.security.acme2.certs // {
      httpdProd = lib.mkIf config.services.httpd.Prod.enable
        { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
      httpdTools = lib.mkIf config.services.httpd.Tools.enable
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-01-15 20:41:19 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-01-15 20:41:19 +0100
commit	981fa80354fd6f00f49446777c38f77bd8a65f65 (patch)
tree	878a24e3daa325cfec75b1a413e5144829558d38 /modules/private/certificates.nix
parent	258441019881c451686dbe537069228cc8e49612 (diff)
download	Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.tar.gz Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.tar.zst Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.zip

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2d24579..f057200 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix
@@ -4,7 +4,7 @@
4	enable = lib.mkEnableOption "enable certificates";	4	enable = lib.mkEnableOption "enable certificates";
5	certConfig = lib.mkOption {	5	certConfig = lib.mkOption {
6	default = {	6	default = {
7	webroot = "${config.security.acme.directory}/acme-challenge";	7	webroot = "/var/lib/acme/acme-challenge";
8	email = "ismael@bouya.org";	8	email = "ismael@bouya.org";
9	postRun = builtins.concatStringsSep "\n" [	9	postRun = builtins.concatStringsSep "\n" [
10	(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")	10	(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
@@ -12,7 +12,7 @@
12	(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")	12	(lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
13	(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")	13	(lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
14	];	14	];
15	plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];	15	plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
16	};	16	};
17	description = "Default configuration for certificates";	17	description = "Default configuration for certificates";
18	};	18	};
@@ -20,7 +20,7 @@
20		20
21	config = lib.mkIf config.myServices.certificates.enable {	21	config = lib.mkIf config.myServices.certificates.enable {
22	services.duplyBackup.profiles.system.excludeFile = ''	22	services.duplyBackup.profiles.system.excludeFile = ''
23	+ ${config.security.acme.directory}	23	+ /var/lib/acme/acme-challenge
24	'';	24	'';
25	services.nginx = {	25	services.nginx = {
26	recommendedTlsSettings = true;	26	recommendedTlsSettings = true;
@@ -30,9 +30,9 @@
30	myServices.databasesCerts = config.myServices.certificates.certConfig;	30	myServices.databasesCerts = config.myServices.certificates.certConfig;
31	myServices.ircCerts = config.myServices.certificates.certConfig;	31	myServices.ircCerts = config.myServices.certificates.certConfig;
32		32
33	security.acme.preliminarySelfsigned = true;	33	security.acme2.preliminarySelfsigned = true;
34		34
35	security.acme.certs = {	35	security.acme2.certs = {
36	"${name}" = config.myServices.certificates.certConfig // {	36	"${name}" = config.myServices.certificates.certConfig // {
37	domain = config.hostEnv.fqdn;	37	domain = config.hostEnv.fqdn;
38	};	38	};
@@ -41,17 +41,17 @@
41	systemd.services = lib.attrsets.mapAttrs' (k: v:	41	systemd.services = lib.attrsets.mapAttrs' (k: v:
42	lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =	42	lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
43	(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''	43	(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
44	cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem	44	cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem
45	chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem	45	chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem
46	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem	46	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem
47	'') +	47	'') +
48	(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''	48	(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
49	cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem	49	cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem
50	chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem	50	chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem
51	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem	51	chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem
52	'')	52	'')
53	; })	53	; })
54	) config.security.acme.certs // {	54	) config.security.acme2.certs // {
55	httpdProd = lib.mkIf config.services.httpd.Prod.enable	55	httpdProd = lib.mkIf config.services.httpd.Prod.enable
56	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };	56	{ after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
57	httpdTools = lib.mkIf config.services.httpd.Tools.enable	57	httpdTools = lib.mkIf config.services.httpd.Tools.enable