frumar: add self-signed ssl cert
parent
a5f62702b2
commit
b40d20c445
|
@ -13,6 +13,31 @@
|
||||||
};
|
};
|
||||||
}) ];
|
}) ];
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = lib.mkAfter [
|
||||||
|
"d ${config.services.acme-sh.stateDir}/selfsign 0700 nginx nginx"
|
||||||
|
];
|
||||||
|
systemd.services."yori-selfsigned-ca" = {
|
||||||
|
description = "Generate self-signed fallback";
|
||||||
|
path = with pkgs; [ minica ];
|
||||||
|
unitConfig = {
|
||||||
|
ConditionPathExists = "!${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem";
|
||||||
|
StartLimitIntervalSec = 0;
|
||||||
|
};
|
||||||
|
serviceConfig = {
|
||||||
|
User = "nginx";
|
||||||
|
Group = "nginx";
|
||||||
|
UMask = "0077";
|
||||||
|
Type = "oneshot";
|
||||||
|
PrivateTmp = true;
|
||||||
|
WorkingDirectory = "${config.services.acme-sh.stateDir}/selfsign";
|
||||||
|
};
|
||||||
|
script = "minica --domains selfsigned.local";
|
||||||
|
};
|
||||||
|
systemd.services.nginx = {
|
||||||
|
requires = [ "yori-selfsigned-ca.service" ];
|
||||||
|
after = [ "yori-selfsigned-ca.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.nginx = let
|
services.nginx = let
|
||||||
cert = config.services.acme-sh.certs.wildcard-yori-cc;
|
cert = config.services.acme-sh.certs.wildcard-yori-cc;
|
||||||
sslCertificate = cert.certPath;
|
sslCertificate = cert.certPath;
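Review bot: The `yori-selfsigned-ca` unit runs minica as `User = "nginx"` inside the nginx-owned `selfsign` directory, so the CA private key that minica writes next to the leaf (its `minica-key.pem`, not shown on the page but implied by the tool) is created by and readable to the web-server user, not just the leaf `key.pem` that nginx needs. That is acceptable only because this CA is a throwaway fallback; a comment on the unit such as `# Throwaway CA: never import minica.pem into any trust store` would stop a later maintainer from treating it as a trust anchor, and if the CA is ever meant to be trusted the generation should run as root with only `selfsigned.local/` chowned to nginx. Note also that `ConditionPathExists` keys only on `key.pem` existing, so the fallback is never regenerated once it expires; documenting that, or conditioning on certificate validity, would avoid nginx silently serving an expired default certificate. The `services.nginx = let …` block this hunk ends in continues past the hunk.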
|
||||||
|
@ -37,7 +62,9 @@
|
||||||
};
|
};
|
||||||
virtualHosts."frumar.yori.cc" = {
|
virtualHosts."frumar.yori.cc" = {
|
||||||
enableACME = lib.mkForce false;
|
enableACME = lib.mkForce false;
|
||||||
forceSSL = lib.mkForce false;
|
forceSSL = true;
|
||||||
|
sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
|
||||||
default = true;
|
default = true;
|
||||||
};
|
};
|
||||||
};
|
};
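Review bot: The two new paths are hard-coded as `/var/lib/acme.sh/selfsign/…` while the unit and tmpfiles rule earlier in this commit derive the same directory from `${config.services.acme-sh.stateDir}`; if `stateDir` is ever changed, the certificate is generated in one place and nginx points at another, and with `default = true` and `forceSSL = true` that breaks the catch-all vhost. Use the option in both lines: `sslCertificate = "${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/cert.pem";` and `sslCertificateKey = "${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem";`. The enclosing `virtualHosts."frumar.yori.cc"` block is complete in the hunk, but the surrounding `services.nginx` attribute set starts before it.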
|
||||||
|
|
|
@ -96,6 +96,9 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = {
|
config = {
|
||||||
|
systemd.tmpfiles.rules = if cfg.certs != {} then [
|
||||||
|
"d ${cfg.stateDir} 0755 root root"
|
||||||
|
] else [];
|
||||||
systemd.services = lib.mapAttrs' (name: value: lib.nameValuePair "acme-sh-${name}" (with value; {
|
systemd.services = lib.mapAttrs' (name: value: lib.nameValuePair "acme-sh-${name}" (with value; {
|
||||||
description = "Renew ACME Certificate for ${name}";
|
description = "Renew ACME Certificate for ${name}";
|
||||||
after =
|
after =
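Review bot: The `if cfg.certs != {} then [ … ] else []` on the new `systemd.tmpfiles.rules` line is the idiomatic job of `lib.optional`, which also reads as the conditional it is: `systemd.tmpfiles.rules = lib.optional (cfg.certs != {}) "d ${cfg.stateDir} 0755 root root";`. It would also help to note in a comment that this rule replaces the per-renewal `mkdir`/`chown`/`chmod` of `${cfg.stateDir}` removed from `preStart` in the later hunk, so the directory's mode is now enforced by systemd-tmpfiles rather than by each `acme-sh-${name}` unit — the per-certificate `${statePath}` handling in `preStart` is unchanged. The `config = {` attribute set this hunk opens continues outside the hunk.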
|
||||||
|
@ -114,9 +117,6 @@ in
|
||||||
};
|
};
|
||||||
path = with pkgs; [ acme-sh systemd util-linuxMinimal procps ];
|
path = with pkgs; [ acme-sh systemd util-linuxMinimal procps ];
|
||||||
preStart = ''
|
preStart = ''
|
||||||
mkdir -p ${cfg.stateDir}
|
|
||||||
chown 'root:root' ${cfg.stateDir}
|
|
||||||
chmod 755 ${cfg.stateDir}
|
|
||||||
mkdir -p "${statePath}"
|
mkdir -p "${statePath}"
|
||||||
chown -R '${user}:${group}' "${statePath}"
|
chown -R '${user}:${group}' "${statePath}"
|
||||||
chmod 750 "${statePath}"
|
chmod 750 "${statePath}"
|
||||||
|
|