47 lines
1.6 KiB
Nix
47 lines
1.6 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let secrets = import <secrets>;
|
|
acmeWebRoot = "/etc/sslcerts/acmeroot";
|
|
acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
|
|
in
|
|
{
|
|
imports = [../modules/nginx.nix];
|
|
config = {
|
|
users.extraUsers.public = {
|
|
home = "/home/public";
|
|
useDefaultShell = true;
|
|
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
|
|
createHome = true;
|
|
};
|
|
nginxssl.servers."pub.yori.cc" = {
|
|
key_root = acmeKeyDir;
|
|
key_webroot = "/etc/sslcerts/acmeroot";
|
|
contents = ''
|
|
location / {
|
|
root /home/public/public;
|
|
index index.html;
|
|
}
|
|
'';
|
|
};
|
|
# Let's Encrypt configuration.
|
|
security.acme.certs."pub.yori.cc" =
|
|
{ email = secrets.email;
|
|
webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
|
|
postRun = "systemctl reload nginx.service";
|
|
};
|
|
# Generate a dummy self-signed certificate until we get one from
|
|
# Let's Encrypt.
|
|
system.activationScripts.letsEncryptKeys =
|
|
''
|
|
dir=${acmeKeyDir}
|
|
mkdir -m 0700 -p $dir
|
|
if ! [[ -e $dir/key.pem ]]; then
|
|
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
|
|
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
|
|
-subj "/C=NL/CN=www.example.com"
|
|
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
|
|
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
|
|
fi
|
|
'';
|
|
};
|
|
}
|