encrypt pub
parent
0e1ffa99bd
commit
3e294aac74
|
@ -1,6 +1,10 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let secrets = import <secrets>;
|
||||
acmeWebRoot = "/etc/sslcerts/acmeroot";
|
||||
acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
|
||||
in
|
||||
{
|
||||
imports = [../modules/le_nginx.nix];
|
||||
imports = [../modules/nginx.nix];
|
||||
config = {
|
||||
users.extraUsers.public = {
|
||||
home = "/home/public";
|
||||
|
@ -8,11 +12,35 @@
|
|||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
|
||||
createHome = true;
|
||||
};
|
||||
le_nginx.servers."pub.yori.cc" = ''
|
||||
location / {
|
||||
root /home/public/public;
|
||||
index index.html;
|
||||
}
|
||||
'';
|
||||
nginxssl.servers."pub.yori.cc" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = "/etc/sslcerts/acmeroot";
|
||||
contents = ''
|
||||
location / {
|
||||
root /home/public/public;
|
||||
index index.html;
|
||||
}
|
||||
'';
|
||||
};
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.certs."pub.yori.cc" =
|
||||
{ email = secrets.email;
|
||||
webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
|
||||
postRun = "systemctl reload nginx.service";
|
||||
};
|
||||
# Generate a dummy self-signed certificate until we get one from
|
||||
# Let's Encrypt.
|
||||
system.activationScripts.letsEncryptKeys =
|
||||
''
|
||||
dir=${acmeKeyDir}
|
||||
mkdir -m 0700 -p $dir
|
||||
if ! [[ -e $dir/key.pem ]]; then
|
||||
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
|
||||
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
|
||||
-subj "/C=NL/CN=www.example.com"
|
||||
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
|
||||
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
|
||||
fi
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue