Diffstat (limited to 'nixops/modules/certificates.nix')
-rw-r--r-- | nixops/modules/certificates.nix | 52 |
1 files changed, 0 insertions, 52 deletions
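diff --git a/nixops/modules/certificates.nix b/nixops/modules/certificates.nix
deleted file mode 100644
index 43f6a23..0000000
--- a/nixops/modules/certificates.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ lib, pkgs, config, ... }:
-{
-  options.services.myCertificates = {
-    certConfig = lib.mkOption {
-      default = {
-        webroot = "${config.security.acme.directory}/acme-challenge";
-        email = "ismael@bouya.org";
-        postRun = ''
-          systemctl reload httpdTools.service httpdInte.service httpdProd.service
-        '';
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
-      };
-      description = "Default configuration for certificates";
-    };
-  };
-
-  config = {
-    services.websitesCerts = config.services.myCertificates.certConfig;
-    myServices.databasesCerts = config.services.myCertificates.certConfig;
-    myServices.ircCerts = config.services.myCertificates.certConfig;
-
-    security.acme.preliminarySelfsigned = true;
-
-    security.acme.certs = {
-      "eldiron" = config.services.myCertificates.certConfig // {
-        domain = "eldiron.immae.eu";
-      };
-    };
-
-    systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
-        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
-          cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
-          chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
-          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
-        '') +
-        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
-          cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
-          chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
-          chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
-        '')
-      ; })
-    ) config.security.acme.certs // {
-      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
-      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
-      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
-      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
-    };
-  };
-}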