Use acme directory config rather than hardcoding the value

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-17 01:43:18 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-17 01:43:18 +0200
commit: 9ade8f6eb774dc7d19d82a070199b5024786b819 (patch)
tree: e5a2d49050d4a426fa1d0412d88bbfab11b500d3 /modules
parent: 182ae57f53731be220075bc87aff4d47a35563b8 (diff)
download: Nix-9ade8f6eb774dc7d19d82a070199b5024786b819.tar.gz
Nix-9ade8f6eb774dc7d19d82a070199b5024786b819.tar.zst
Nix-9ade8f6eb774dc7d19d82a070199b5024786b819.zip
4 files changed, 11 insertions, 11 deletions
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 21f4359..cc99c3c 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -54,8 +54,8 @@ in {
      dataDir = cfg.dataDir;
      extraOptions = ''
        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-        ssl_key = /var/lib/acme/mysql/key.pem
+        ssl_key = ${config.security.acme.directory}/mysql/key.pem
-        ssl_cert = /var/lib/acme/mysql/fullchain.pem
+        ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
        '';
    };
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index 850f3ff..46f85d2 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -33,9 +33,9 @@ let
    directory       ${cfg.dataDir}
    overlay         memberof
-    TLSCertificateFile    /var/lib/acme/ldap/cert.pem
+    TLSCertificateFile    ${config.security.acme.directory}/ldap/cert.pem
-    TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+    TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
-    TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
+    TLSCACertificateFile  ${config.security.acme.directory}/ldap/fullchain.pem
    TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite        DEFAULT
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index 26242a8..8c36d84 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -73,8 +73,8 @@ in {
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
-        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+        ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
-        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
+        ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
        '';
      authentication = ''
        local   all     postgres                                ident
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index b76aeea..e57f505 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -102,7 +102,7 @@ in
      serverAliases = [ "*" ];
      enableSSL = false;
      logFormat = "combinedVhost";
-      documentRoot = "/var/lib/acme/acme-challenge";
+      documentRoot = "${config.security.acme.directory}/acme-challenge";
      extraConfig = ''
        RewriteEngine on
        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
@@ -131,9 +131,9 @@ in
    };
    toVhost = ips: vhostConf: {
      enableSSL = true;
-      sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
+      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
-      sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
+      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
-      sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
+      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
      logFormat = "combinedVhost";
      listen = map (ip: { inherit ip; port = 443; }) ips;
      hostName = builtins.head vhostConf.hosts;
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-17 01:43:18 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-17 01:43:18 +0200
commit	9ade8f6eb774dc7d19d82a070199b5024786b819 (patch)
tree	e5a2d49050d4a426fa1d0412d88bbfab11b500d3 /modules
parent	182ae57f53731be220075bc87aff4d47a35563b8 (diff)
download	Nix-9ade8f6eb774dc7d19d82a070199b5024786b819.tar.gz Nix-9ade8f6eb774dc7d19d82a070199b5024786b819.tar.zst Nix-9ade8f6eb774dc7d19d82a070199b5024786b819.zip

diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 21f4359..cc99c3c 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix
@@ -54,8 +54,8 @@ in {
54	dataDir = cfg.dataDir;	54	dataDir = cfg.dataDir;
55	extraOptions = ''	55	extraOptions = ''
56	ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt	56	ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
57	ssl_key = /var/lib/acme/mysql/key.pem	57	ssl_key = ${config.security.acme.directory}/mysql/key.pem
58	ssl_cert = /var/lib/acme/mysql/fullchain.pem	58	ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
59	'';	59	'';
60	};	60	};
61		61


diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index 850f3ff..46f85d2 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix
@@ -33,9 +33,9 @@ let
33	directory ${cfg.dataDir}	33	directory ${cfg.dataDir}
34	overlay memberof	34	overlay memberof
35		35
36	TLSCertificateFile /var/lib/acme/ldap/cert.pem	36	TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem
37	TLSCertificateKeyFile /var/lib/acme/ldap/key.pem	37	TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
38	TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem	38	TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem
39	TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/	39	TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
40	#This makes openldap crash	40	#This makes openldap crash
41	#TLSCipherSuite DEFAULT	41	#TLSCipherSuite DEFAULT


diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index 26242a8..8c36d84 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix
@@ -73,8 +73,8 @@ in {
73	lc_time = 'en_US.UTF-8'	73	lc_time = 'en_US.UTF-8'
74	default_text_search_config = 'pg_catalog.english'	74	default_text_search_config = 'pg_catalog.english'
75	ssl = on	75	ssl = on
76	ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'	76	ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
77	ssl_key_file = '/var/lib/acme/postgresql/key.pem'	77	ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
78	'';	78	'';
79	authentication = ''	79	authentication = ''
80	local all postgres ident	80	local all postgres ident


diff --git a/modules/websites/default.nix b/modules/websites/default.nix index b76aeea..e57f505 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix
@@ -102,7 +102,7 @@ in
102	serverAliases = [ "*" ];	102	serverAliases = [ "*" ];
103	enableSSL = false;	103	enableSSL = false;
104	logFormat = "combinedVhost";	104	logFormat = "combinedVhost";
105	documentRoot = "/var/lib/acme/acme-challenge";	105	documentRoot = "${config.security.acme.directory}/acme-challenge";
106	extraConfig = ''	106	extraConfig = ''
107	RewriteEngine on	107	RewriteEngine on
108	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"	108	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
@@ -131,9 +131,9 @@ in
131	};	131	};
132	toVhost = ips: vhostConf: {	132	toVhost = ips: vhostConf: {
133	enableSSL = true;	133	enableSSL = true;
134	sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";	134	sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
135	sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";	135	sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
136	sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";	136	sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
137	logFormat = "combinedVhost";	137	logFormat = "combinedVhost";
138	listen = map (ip: { inherit ip; port = 443; }) ips;	138	listen = map (ip: { inherit ip; port = 443; }) ips;
139	hostName = builtins.head vhostConf.hosts;	139	hostName = builtins.head vhostConf.hosts;