diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-15 20:41:19 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-15 20:41:19 +0100 |
commit | 981fa80354fd6f00f49446777c38f77bd8a65f65 (patch) | |
tree | 878a24e3daa325cfec75b1a413e5144829558d38 /modules/private/certificates.nix | |
parent | 258441019881c451686dbe537069228cc8e49612 (diff) | |
download | Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.tar.gz Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.tar.zst Nix-981fa80354fd6f00f49446777c38f77bd8a65f65.zip |
Upgrade acme bot
Diffstat (limited to 'modules/private/certificates.nix')
-rw-r--r-- | modules/private/certificates.nix | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2d24579..f057200 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -4,7 +4,7 @@ | |||
4 | enable = lib.mkEnableOption "enable certificates"; | 4 | enable = lib.mkEnableOption "enable certificates"; |
5 | certConfig = lib.mkOption { | 5 | certConfig = lib.mkOption { |
6 | default = { | 6 | default = { |
7 | webroot = "${config.security.acme.directory}/acme-challenge"; | 7 | webroot = "/var/lib/acme/acme-challenge"; |
8 | email = "ismael@bouya.org"; | 8 | email = "ismael@bouya.org"; |
9 | postRun = builtins.concatStringsSep "\n" [ | 9 | postRun = builtins.concatStringsSep "\n" [ |
10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") | 10 | (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service") |
@@ -12,7 +12,7 @@ | |||
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | 12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | 13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") |
14 | ]; | 14 | ]; |
15 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; | 15 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; |
16 | }; | 16 | }; |
17 | description = "Default configuration for certificates"; | 17 | description = "Default configuration for certificates"; |
18 | }; | 18 | }; |
@@ -20,7 +20,7 @@ | |||
20 | 20 | ||
21 | config = lib.mkIf config.myServices.certificates.enable { | 21 | config = lib.mkIf config.myServices.certificates.enable { |
22 | services.duplyBackup.profiles.system.excludeFile = '' | 22 | services.duplyBackup.profiles.system.excludeFile = '' |
23 | + ${config.security.acme.directory} | 23 | + /var/lib/acme/acme-challenge |
24 | ''; | 24 | ''; |
25 | services.nginx = { | 25 | services.nginx = { |
26 | recommendedTlsSettings = true; | 26 | recommendedTlsSettings = true; |
@@ -30,9 +30,9 @@ | |||
30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 31 | myServices.ircCerts = config.myServices.certificates.certConfig; |
32 | 32 | ||
33 | security.acme.preliminarySelfsigned = true; | 33 | security.acme2.preliminarySelfsigned = true; |
34 | 34 | ||
35 | security.acme.certs = { | 35 | security.acme2.certs = { |
36 | "${name}" = config.myServices.certificates.certConfig // { | 36 | "${name}" = config.myServices.certificates.certConfig // { |
37 | domain = config.hostEnv.fqdn; | 37 | domain = config.hostEnv.fqdn; |
38 | }; | 38 | }; |
@@ -41,17 +41,17 @@ | |||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = |
43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' |
44 | cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem | 44 | cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem |
45 | chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem | 45 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem |
46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem | 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem |
47 | '') + | 47 | '') + |
48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' |
49 | cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem | 49 | cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem |
50 | chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem | 50 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem | 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem |
52 | '') | 52 | '') |
53 | ; }) | 53 | ; }) |
54 | ) config.security.acme.certs // { | 54 | ) config.security.acme2.certs // { |
55 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | 55 | httpdProd = lib.mkIf config.services.httpd.Prod.enable |
56 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | 56 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; |
57 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | 57 | httpdTools = lib.mkIf config.services.httpd.Tools.enable |