Diffstat (limited to 'modules/private')
-rw-r--r-- | modules/private/certificates.nix | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index c68bbee..5b86b6d 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -68,7 +68,40 @@ | |||
68 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | 68 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' |
69 | ''; | 69 | ''; |
70 | in | 70 | in |
71 | "+${script}"; | 71 | "+${script}"; |
72 | # This is a workaround to | ||
73 | # https://github.com/NixOS/nixpkgs/issues/84409 | ||
74 | # https://github.com/NixOS/nixpkgs/issues/84633 | ||
75 | serviceConfig.RemainAfterExit = lib.mkForce false; | ||
76 | serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/acme/${k}/.lego"; | ||
77 | serviceConfig.StateDirectory = lib.mkForce "acme/${k}/.lego acme/${k}"; | ||
78 | serviceConfig.ExecStartPost = | ||
79 | let | ||
80 | keyName = builtins.replaceStrings ["*"] ["_"] data.domain; | ||
81 | fileMode = if data.allowKeysForGroup then "640" else "600"; | ||
82 | spath = "/var/lib/acme/${k}/.lego"; | ||
83 | script = pkgs.writeScript "acme-post-start" '' | ||
84 | #!${pkgs.runtimeShell} -e | ||
85 | cd /var/lib/acme/${k} | ||
86 | |||
87 | # Test that existing cert is older than new cert | ||
88 | KEY=${spath}/certificates/${keyName}.key | ||
89 | if [ -e $KEY -a $KEY -nt key.pem ]; then | ||
90 | cp -p ${spath}/certificates/${keyName}.key key.pem | ||
91 | cp -p ${spath}/certificates/${keyName}.crt fullchain.pem | ||
92 | cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem | ||
93 | ln -sf fullchain.pem cert.pem | ||
94 | cat key.pem fullchain.pem > full.pem | ||
95 | |||
96 | ${data.postRun} | ||
97 | fi | ||
98 | |||
99 | chmod ${fileMode} *.pem | ||
100 | chown '${data.user}:${data.group}' *.pem | ||
101 | ''; | ||
102 | in | ||
103 | lib.mkForce "+${script}"; | ||
104 | |||
72 | } | 105 | } |
73 | ) config.security.acme.certs // | 106 | ) config.security.acme.certs // |
74 | { | 107 | { |
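Review bot: `cat key.pem fullchain.pem > full.pem` (new line 94) creates full.pem under whatever umask the service inherits, so until `chmod ${fileMode} *.pem` on line 99 runs the private key concatenated into it is briefly readable to anyone the default umask admits, and because the `+` prefix runs this ExecStartPost as root that window is not limited by the service user. Adding `umask 077` immediately after `cd /var/lib/acme/${k}` on line 85 closes it, leaving the later chmod to widen rather than narrow the mode; the `cp -p` copies presumably carry lego's own restrictive mode, so the cat line looks like the only one affected. On line 89, `$KEY` is unquoted and `-a` inside `[` is the obsolescent form; `if [ -e "$KEY" ] && [ "$KEY" -nt key.pem ]; then` is the portable equivalent. The attribute set this serviceConfig belongs to starts before the hunk.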