frumar: add self-signed ssl cert
parent
a5f62702b2
commit
b40d20c445
|
@ -13,6 +13,31 @@
|
|||
};
|
||||
}) ];
|
||||
|
||||
systemd.tmpfiles.rules = lib.mkAfter [
|
||||
"d ${config.services.acme-sh.stateDir}/selfsign 0700 nginx nginx"
|
||||
];
|
||||
systemd.services."yori-selfsigned-ca" = {
|
||||
description = "Generate self-signed fallback";
|
||||
path = with pkgs; [ minica ];
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem";
|
||||
StartLimitIntervalSec = 0;
|
||||
};
|
||||
serviceConfig = {
|
||||
User = "nginx";
|
||||
Group = "nginx";
|
||||
UMask = "0077";
|
||||
Type = "oneshot";
|
||||
PrivateTmp = true;
|
||||
WorkingDirectory = "${config.services.acme-sh.stateDir}/selfsign";
|
||||
};
|
||||
script = "minica --domains selfsigned.local";
|
||||
};
|
||||
systemd.services.nginx = {
|
||||
requires = [ "yori-selfsigned-ca.service" ];
|
||||
after = [ "yori-selfsigned-ca.service" ];
|
||||
};
|
||||
|
||||
services.nginx = let
|
||||
cert = config.services.acme-sh.certs.wildcard-yori-cc;
|
||||
sslCertificate = cert.certPath;
|
||||
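Review bot: `ConditionPathExists` on `selfsigned.local/key.pem` only tests for presence, so once the pair exists this unit never runs again and the fallback is never re-issued; minica-issued leaf certificates have a finite default validity, so after it lapses nginx keeps serving an expired certificate with no error from this unit. Because `systemd.services.nginx.requires` pulls the oneshot in on every nginx start, a validity check inside `script` would refresh the pair without a separate timer (openssl is not in `path` yet, and as far as I can tell minica refuses to overwrite an existing domain directory, so the stale one has to be removed first). The CA key pair minica writes alongside the leaf (`minica-key.pem`) is owned and readable by the nginx user, which is wider than the web server needs; a comment on the unit stating that this CA is a local-only fallback whose root must never be distributed to clients would make that intent explicit.
```nix
path = with pkgs; [ minica openssl ];
# … unchanged: unitConfig without ConditionPathExists, serviceConfig …
script = ''
  # Re-issue when the fallback is missing or expires within 30 days (2592000 s).
  if openssl x509 -checkend 2592000 -noout -in selfsigned.local/cert.pem 2>/dev/null; then
    exit 0
  fi
  rm -rf selfsigned.local
  minica --domains selfsigned.local
'';
```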
|
@ -37,7 +62,9 @@
|
|||
};
|
||||
virtualHosts."frumar.yori.cc" = {
|
||||
enableACME = lib.mkForce false;
|
||||
forceSSL = lib.mkForce false;
|
||||
forceSSL = true;
|
||||
sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem";
|
||||
sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
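Review bot: `sslCertificate` and `sslCertificateKey` hard-code `/var/lib/acme.sh/selfsign/...`, while the tmpfiles rule, `ConditionPathExists` and `WorkingDirectory` in the first hunk derive the same location from `${config.services.acme-sh.stateDir}`; a later change to `stateDir` would leave nginx pointing at files that no longer exist. Use the option here as well: `sslCertificate = "${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/cert.pem";` and `sslCertificateKey = "${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem";`. The enclosing `services.nginx = let … in` expression starts in the previous hunk, so its `let` bindings (next to `cert`) are a natural place to name the selfsign path once.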
|
|
|
@ -96,6 +96,9 @@ in
|
|||
};
|
||||
};
|
||||
config = {
|
||||
systemd.tmpfiles.rules = if cfg.certs != {} then [
|
||||
"d ${cfg.stateDir} 0755 root root"
|
||||
] else [];
|
||||
systemd.services = lib.mapAttrs' (name: value: lib.nameValuePair "acme-sh-${name}" (with value; {
|
||||
description = "Renew ACME Certificate for ${name}";
|
||||
after =
|
||||
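Review bot: The new `systemd.tmpfiles.rules` entry silently replaces the root-owned `mkdir`/`chown`/`chmod` of `${cfg.stateDir}` that `preStart` used to run before every renewal (removed in the next hunk), but nothing records that the directory is now created only at boot and activation, or why it is skipped when `cfg.certs` is empty. A comment above the rule would help: `# stateDir is created/repaired by systemd-tmpfiles at boot and on activation instead of in each unit's preStart; per-cert subdirectories (750, ${user}:${group}) are still created in preStart`. The `config = {` attribute set continues past the end of this hunk.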
|
@ -114,9 +117,6 @@ in
|
|||
};
|
||||
path = with pkgs; [ acme-sh systemd util-linuxMinimal procps ];
|
||||
preStart = ''
|
||||
mkdir -p ${cfg.stateDir}
|
||||
chown 'root:root' ${cfg.stateDir}
|
||||
chmod 755 ${cfg.stateDir}
|
||||
mkdir -p "${statePath}"
|
||||
chown -R '${user}:${group}' "${statePath}"
|
||||
chmod 750 "${statePath}"
|
||||
|
|