diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-31 17:52:33 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-31 17:52:33 +0100 |
commit | 0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63 (patch) | |
tree | f9344e18bf0da6295dbe79fc85f5cdcfac6fbd1f | |
parent | 8a53478d3d43940736e936244d24bd47d5a3788c (diff) | |
download | nixos-0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63.tar nixos-0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63.tar.gz nixos-0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63.tar.bz2 nixos-0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63.tar.xz nixos-0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63.zip |
...
-rw-r--r-- | hosts/surtr/http.nix | 13 | ||||
-rw-r--r-- | hosts/surtr/tls.nix | 6 |
2 files changed, 17 insertions, 2 deletions
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix index bf5e0335..0e9146c4 100644 --- a/hosts/surtr/http.nix +++ b/hosts/surtr/http.nix | |||
@@ -51,7 +51,7 @@ | |||
51 | "webdav.141.li" = { | 51 | "webdav.141.li" = { |
52 | forceSSL = true; | 52 | forceSSL = true; |
53 | sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"; | 53 | sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"; |
54 | sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem"; | 54 | sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem"; |
55 | locations."/" = { | 55 | locations."/" = { |
56 | proxyPass = "http://webdav/"; | 56 | proxyPass = "http://webdav/"; |
57 | }; | 57 | }; |
@@ -60,6 +60,17 @@ | |||
60 | }; | 60 | }; |
61 | security.acme.domains."webdav.141.li" = { | 61 | security.acme.domains."webdav.141.li" = { |
62 | zone = "141.li"; | 62 | zone = "141.li"; |
63 | certCfg = { | ||
64 | postRun = '' | ||
65 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service | ||
66 | ''; | ||
67 | }; | ||
68 | }; | ||
69 | systemd.services.nginx = { | ||
70 | preStart = lib.mkForce config.services.nginx.preStart; | ||
71 | serviceConfig = { | ||
72 | LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" ]; | ||
73 | }; | ||
63 | }; | 74 | }; |
64 | }; | 75 | }; |
65 | } | 76 | } |
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix index 53fe1e5e..17de1319 100644 --- a/hosts/surtr/tls.nix +++ b/hosts/surtr/tls.nix | |||
@@ -60,6 +60,10 @@ let | |||
60 | type = types.nullOr types.str; | 60 | type = types.nullOr types.str; |
61 | default = null; | 61 | default = null; |
62 | }; | 62 | }; |
63 | certCfg = mkOption { | ||
64 | type = types.attrs; | ||
65 | default = {}; | ||
66 | }; | ||
63 | }; | 67 | }; |
64 | }; | 68 | }; |
65 | in { | 69 | in { |
@@ -93,7 +97,7 @@ in { | |||
93 | credentialsFile = knotDNSCredentials domain; | 97 | credentialsFile = knotDNSCredentials domain; |
94 | dnsResolver = "1.1.1.1:53"; | 98 | dnsResolver = "1.1.1.1:53"; |
95 | keyType = "rsa4096"; # we don't like NIST curves | 99 | keyType = "rsa4096"; # we don't like NIST curves |
96 | }; | 100 | } // cfg.domains.${domain}.certCfg; |
97 | in genAttrs (attrNames cfg.domains) domainAttrset; | 101 | in genAttrs (attrNames cfg.domains) domainAttrset; |
98 | }; | 102 | }; |
99 | 103 | ||