authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-01-15 20:41:19 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-01-15 20:41:19 +0100
commit981fa80354fd6f00f49446777c38f77bd8a65f65 (patch)
tree878a24e3daa325cfec75b1a413e5144829558d38 /modules/private/databases
parent258441019881c451686dbe537069228cc8e49612 (diff)
Upgrade acme bot
Diffstat (limited to 'modules/private/databases')
-rw-r--r--modules/private/databases/mariadb.nix8
-rw-r--r--modules/private/databases/openldap/default.nix10
-rw-r--r--modules/private/databases/postgresql.nix8
3 files changed, 13 insertions, 13 deletions
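--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -96,8 +96,8 @@ in {
 dataDir = cfg.dataDir;
 extraOptions = ''
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-ssl_key = ${config.security.acme.directory}/mysql/key.pem
-ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem
+ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem
 
 # for replication
 log-bin=mariadb-bin
@@ -110,10 +110,10 @@ in {
 };
 
 users.users.mysql.extraGroups = [ "keys" ];
-security.acme.certs."mysql" = config.myServices.databasesCerts // {
+security.acme2.certs."mysql" = config.myServices.databasesCerts // {
 user = "mysql";
 group = "mysql";
-plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
 domain = "db-1.immae.eu";
 postRun = ''
 systemctl restart mysql.service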
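Review bot: The `plugins` list in the second hunk keeps `account_key.json` and now adds `account_reg.json` in a certificate entry whose `user` and `group` are `mysql`; if these entries are the files the ACME client writes into the certificate directory, as the names suggest, the ACME account credentials end up readable by the database service account. The server itself only consumes `key.pem` and `fullchain.pem` (the `ssl_key`/`ssl_cert` lines in the first hunk), so a comment such as `# account_*.json: ACME account state, used by the client only, not by mysqld` would document why they are listed, and it is worth checking whether the acme2 module can keep them outside a directory owned by `mysql`. The same list appears in the `ldap` entry of openldap/default.nix and the `postgresql` entry of postgresql.nix. The attribute set continues past the end of the hunk.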
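--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -24,9 +24,9 @@ let
 overlay syncprov
 syncprov-checkpoint 100 10
 
-TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
-TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
-TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
+TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem
+TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem
+TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem
 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
 #This makes openldap crash
 #TLSCipherSuite DEFAULT
@@ -117,10 +117,10 @@ in
 users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
 
-security.acme.certs."ldap" = config.myServices.databasesCerts // {
+security.acme2.certs."ldap" = config.myServices.databasesCerts // {
 user = "openldap";
 group = "openldap";
-plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
 domain = "ldap.immae.eu";
 postRun = ''
 systemctl restart openldap.service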
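Review bot: `TLSCACertificateFile` in the first hunk is pointed at `fullchain.pem` from the ACME directory, a file that carries the server's own leaf certificate as well as the issuer chain, and nothing in the config says why a CA option is given that file. Presumably it is there so slapd can present the intermediate chain, with the trust roots coming from the `TLSCACertificatePath` line below; a one-line comment such as `# fullchain.pem: lets slapd send the intermediate chain; trust roots come from TLSCACertificatePath` would record that intent. If client certificates are ever verified, this combination would trust every public CA in the bundle, which should be confirmed against the rest of the slapd configuration, not visible in these hunks.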
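--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -107,10 +107,10 @@ in {
 config = lib.mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = [ 5432 ];
 
-security.acme.certs."postgresql" = config.myServices.databasesCerts // {
+security.acme2.certs."postgresql" = config.myServices.databasesCerts // {
 user = "postgres";
 group = "postgres";
-plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
 domain = "db-1.immae.eu";
 postRun = ''
 systemctl reload postgresql.service
@@ -165,8 +165,8 @@ in {
 # makes it order of magnitudes quicker
 synchronous_commit = off
 ssl = on
-ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
-ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
+ssl_cert_file = '${config.security.acme2.certs.postgresql.directory}/fullchain.pem'
+ssl_key_file = '${config.security.acme2.certs.postgresql.directory}/key.pem'
 '';
 authentication = let
 hosts = builtins.concatStringsSep "\n" (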