From bb0e1f1b5d7f2b6030e6b2e6f8eb8fd177acf6de Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Wed, 15 Apr 2020 16:22:56 +0000
Subject: sys/atuin: add tls group

This will allow services other than nginx to access the ACME TLS certificates.
---
 sys/atuin.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'sys')

diff --git a/sys/atuin.nix b/sys/atuin.nix
index 4b19d187b5c8..e8c8647b27e8 100644
--- a/sys/atuin.nix
+++ b/sys/atuin.nix
@@ -114,6 +114,8 @@ domain:
     { postRun ? "systemctl reload nginx.service"
     , webroot ? "/var/lib/acme/acme-challenge"
+    , group ? "tls"
+    , allowKeysForGroup ? true
     , extraDomains ? {}
     , ...
     } @ value:
@@ -123,11 +125,13 @@
         toAttrs (filter (hasSuffix ".${domain}") vhostDomains);
     in
     value // {
-      inherit postRun webroot;
+      inherit postRun webroot group allowKeysForGroup;
       extraDomains = extraDomainsFromVhosts // (toAttrs extraDomains);
     }
   ) domains;
 
+  users.groups.tls.members = [ "nginx" ];
+
   services.nginx.virtualHosts = let
     vhosts = {
-- 
cgit 1.4.1
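Review bot: Defaulting every entry in `domains` to the same `group ? "tls"` together with `allowKeysForGroup ? true` means that any account later added to the tls group can read the private key of every certificate on the host, not only the one its service needs. If different services are expected to consume different certificates, overriding `group` per domain (one group per consumer) keeps each key readable only by the service that terminates TLS with it; this assumes `allowKeysForGroup` makes the key file group-readable, as its name suggests — confirm against the acme module in use. Note also that `postRun` still defaults to `systemctl reload nginx.service`, so a service that picks up the certificate through the group will keep serving the pre-renewal key and certificate until it is restarted, unless the caller overrides `postRun` for that domain. The function whose argument set is edited here begins and ends outside the hunk.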
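Review bot: `users.groups.tls.members = [ "nginx" ];` makes membership of `tls` equivalent to read access to every ACME private key declared above, and that consequence should be stated at the declaration so the next person extending the list knows what they are granting: `# Members of "tls" can read the private keys of all ACME certificates above; add a service only if it must terminate TLS itself.` Keeping membership in this one `members` list rather than scattering it across `users.users.<name>.extraGroups` gives a single place to audit who can read the keys, so it is worth a short comment asking future changes to keep it that way. Adding a member here only grants file access; the renewal hook in the first hunk still reloads only nginx, so any new member also needs its own reload or restart on renewal.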