Pre-generate certificates with acme

Fixes https://git.immae.eu/mantisbt/view.php?id=81
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-13 01:34:11 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-13 01:34:11 +0200
commit: 017cb76f3355369a57cee7e851e013fbe7b265b7 (patch)
tree: 0d5fe979c5e047595c8caa07b14bc79aa2637bf0 /nixops/modules/certificates.nix
parent: 581c499c06bcc834e084c49f284e18611fbc139b (diff)
download: Nix-017cb76f3355369a57cee7e851e013fbe7b265b7.tar.gz
Nix-017cb76f3355369a57cee7e851e013fbe7b265b7.tar.zst
Nix-017cb76f3355369a57cee7e851e013fbe7b265b7.zip
1 files changed, 22 insertions, 0 deletions
diff --git a/nixops/modules/certificates.nix b/nixops/modules/certificates.nix
index bfad4e1..08f84fd 100644
--- a/nixops/modules/certificates.nix
+++ b/nixops/modules/certificates.nix
@@ -22,5 +22,27 @@
        domain = "eldiron.immae.eu";
      };
    };
+    systemd.services = lib.attrsets.mapAttrs' (k: v:
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
+        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
+        cp $workdir/server.crt /var/lib/acme/${k}/cert.pem
+        chown '${v.user}:${v.group}' /var/lib/acme/${k}/cert.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} /var/lib/acme/${k}/cert.pem
+        '') +
+        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
+        cp $workdir/ca.crt /var/lib/acme/${k}/chain.pem
+        chown '${v.user}:${v.group}' /var/lib/acme/${k}/chain.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} /var/lib/acme/${k}/chain.pem
+        '')
+      ; })
+    ) config.security.acme.certs // {
+      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
+      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
+      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
+      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
+      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
+      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+    };
  };
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-13 01:34:11 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-13 01:34:11 +0200
commit	017cb76f3355369a57cee7e851e013fbe7b265b7 (patch)
tree	0d5fe979c5e047595c8caa07b14bc79aa2637bf0 /nixops/modules/certificates.nix
parent	581c499c06bcc834e084c49f284e18611fbc139b (diff)
download	Nix-017cb76f3355369a57cee7e851e013fbe7b265b7.tar.gz Nix-017cb76f3355369a57cee7e851e013fbe7b265b7.tar.zst Nix-017cb76f3355369a57cee7e851e013fbe7b265b7.zip

diff --git a/nixops/modules/certificates.nix b/nixops/modules/certificates.nix index bfad4e1..08f84fd 100644 --- a/nixops/modules/certificates.nix +++ b/nixops/modules/certificates.nix
@@ -22,5 +22,27 @@
22	domain = "eldiron.immae.eu";	22	domain = "eldiron.immae.eu";
23	};	23	};
24	};	24	};
		25
		26	systemd.services = lib.attrsets.mapAttrs' (k: v:
		27	lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
		28	(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
		29	cp $workdir/server.crt /var/lib/acme/${k}/cert.pem
		30	chown '${v.user}:${v.group}' /var/lib/acme/${k}/cert.pem
		31	chmod ${if v.allowKeysForGroup then "750" else "700"} /var/lib/acme/${k}/cert.pem
		32	'') +
		33	(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
		34	cp $workdir/ca.crt /var/lib/acme/${k}/chain.pem
		35	chown '${v.user}:${v.group}' /var/lib/acme/${k}/chain.pem
		36	chmod ${if v.allowKeysForGroup then "750" else "700"} /var/lib/acme/${k}/chain.pem
		37	'')
		38	; })
		39	) config.security.acme.certs // {
		40	httpdProd.after = [ "acme-selfsigned-certificates.target" ];
		41	httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
		42	httpdTools.after = [ "acme-selfsigned-certificates.target" ];
		43	httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
		44	httpdInte.after = [ "acme-selfsigned-certificates.target" ];
		45	httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
		46	};
25	};	47	};
26	}	48	}