author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2017-06-07 21:38:01 +0200 |
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2017-06-09 19:35:17 +0200 |
commit | 7a0e958b972f61b23f93a8e39fee5590aec47348 (patch) | |
tree | a797eebdb51cc68a4396fc6252a76595409d52ff /nixos/modules/security | |
parent | b615c2e9929e840e95408b511db7f03dbdd71143 (diff) | |
nixos/acme: support "full.pem" (for lighttpd)
* Create "full.pem" from the self-signed certificate
* Tell simp_le to create "full.pem"
* Inject a service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the "full.pem" format: pound, ejabberd, pure-ftpd.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme.nix | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 321b9f7f3753..dba858c00e07 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -65,11 +65,12 @@ let
  "cert.der" "cert.pem" "chain.pem" "external.sh" "fullchain.pem" "full.pem"
  "key.der" "key.pem" "account_key.json"
  ]);
- default = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
  description = ''
  Plugins to enable. With default settings simp_le will
- store public certificate bundle in <filename>fullchain.pem</filename>
- and private key in <filename>key.pem</filename> in its state directory.
+ store public certificate bundle in <filename>fullchain.pem</filename>,
+ private key in <filename>key.pem</filename> and those two previous
+ files combined in <filename>full.pem</filename> in its state directory.
  '';
  };
@@ -238,6 +239,9 @@ in
  mv $workdir/server.key ${cpath}/key.pem
  mv $workdir/server.crt ${cpath}/fullchain.pem
+ # Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
+ cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
  # Clean up working directory
  rm $workdir/server.csr
  rm $workdir/server.pass.key
@@ -247,6 +251,8 @@ in
  chown '${data.user}:${data.group}' '${cpath}/key.pem'
  chmod ${rights} '${cpath}/fullchain.pem'
  chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
+ chmod ${rights} '${cpath}/full.pem'
+ chown '${data.user}:${data.group}' '${cpath}/full.pem'
  '';
  serviceConfig = {
  Type = "oneshot";
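Review bot: The new option description says full.pem is the two other files "combined" but states neither the order nor that the file therefore contains the private key, which is what determines how it must be protected. The self-signed path added in this commit writes key.pem first and then fullchain.pem, and the script comment claims simp_le's plugin produces the same format, so the description could say: `files combined (private key first, then the certificate chain) in <filename>full.pem</filename> in its state directory. Because it embeds the private key, <filename>full.pem</filename> must be protected like <filename>key.pem</filename>.` The enclosing plugins option definition starts outside the hunk.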
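Review bot: `cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"` creates a file that holds the private key with whatever mode the unit's umask yields, and the matching `chmod ${rights}` only comes in the later hunk of this script, so there is a window in which full.pem can be more permissive than key.pem unless ${cpath} itself is already restricted (its creation is not visible in the hunk). Creating the file under a restrictive umask closes that window regardless: `( umask 077; cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem" )`. The same ordering concern applies to the chmod/chown pair in the following hunk. The preStart script this sits in starts and ends outside the hunk.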
@@ -275,15 +281,14 @@ in
  )
  );
  servicesAttr = listToAttrs services;
- nginxAttr = {
- nginx = {
- after = [ "acme-selfsigned-certificates.target" ];
- wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
- };
+ injectServiceDep = {
+ after = [ "acme-selfsigned-certificates.target" ];
+ wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
  };
  in servicesAttr //
- (if config.services.nginx.enable then nginxAttr else {});
+ (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
+ (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
  systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair ("acme-${cert}")
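Review bot: Style: the two `(if … then { … = injectServiceDep; } else {})` terms repeat a pattern that nixpkgs lib's `optionalAttrs` expresses directly, and the unqualified `listToAttrs`/`nameValuePair`/`flip` nearby suggest lib is already in scope: `optionalAttrs config.services.nginx.enable { nginx = injectServiceDep; } //` followed by `optionalAttrs config.services.lighttpd.enable { lighttpd = injectServiceDep; }`. Separately, the injected `after`/`wants` only order lighttpd's start after the certificate targets; whether lighttpd ever reloads a renewed full.pem is not something this hunk shows, so a comment on `injectServiceDep` stating that it guarantees presence at start-up, not reload on renewal, would help the next reader. The enclosing let/in expression starts outside the hunk.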