diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-09-19 16:15:48 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-09-19 16:15:48 +0200 |
| commit | 21e6da21152e5a232247477d6c5422a6b0dddaea (patch) | |
| tree | 074d554b651d01c5e9eebac8d5a92606d58fbeae | |
| parent | 8dc44d61522a9d949ab73c8fd9834e4f62d618ea (diff) | |
| download | nixos-21e6da21152e5a232247477d6c5422a6b0dddaea.tar nixos-21e6da21152e5a232247477d6c5422a6b0dddaea.tar.gz nixos-21e6da21152e5a232247477d6c5422a6b0dddaea.tar.bz2 nixos-21e6da21152e5a232247477d6c5422a6b0dddaea.tar.xz nixos-21e6da21152e5a232247477d6c5422a6b0dddaea.zip | |
surtr(tls): allow access to knot
| -rw-r--r-- | hosts/surtr/tls.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix index 773d9379..6e7fcabc 100644 --- a/hosts/surtr/tls.nix +++ b/hosts/surtr/tls.nix | |||
| @@ -44,6 +44,8 @@ let | |||
| 44 | ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" | 44 | ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" |
| 45 | commited=yes | 45 | commited=yes |
| 46 | ''; | 46 | ''; |
| 47 | |||
| 48 | domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"]; | ||
| 47 | in { | 49 | in { |
| 48 | config = { | 50 | config = { |
| 49 | fileSystems."/var/lib/acme" = | 51 | fileSystems."/var/lib/acme" = |
| @@ -57,7 +59,6 @@ in { | |||
| 57 | email = "phikeebaogobaegh@141.li"; | 59 | email = "phikeebaogobaegh@141.li"; |
| 58 | certs = | 60 | certs = |
| 59 | let | 61 | let |
| 60 | domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"]; | ||
| 61 | domainAttrset = domain: { | 62 | domainAttrset = domain: { |
| 62 | inherit domain; | 63 | inherit domain; |
| 63 | extraDomainNames = [ "*.${domain}" ]; | 64 | extraDomainNames = [ "*.${domain}" ]; |
| @@ -68,6 +69,15 @@ in { | |||
| 68 | in genAttrs domains domainAttrset; | 69 | in genAttrs domains domainAttrset; |
| 69 | }; | 70 | }; |
| 70 | 71 | ||
| 71 | users.groups."knot".members = [ "acme" ]; | 72 | systemd.services = |
| 73 | let | ||
| 74 | serviceAttrset = domain: { | ||
| 75 | bindsTo = [ "knot.service" ]; | ||
| 76 | serviceConfig = { | ||
| 77 | ReadWritePaths = ["/run/knot/knot.sock"]; | ||
| 78 | SupplementaryGroups = ["knot"]; | ||
| 79 | }; | ||
| 80 | }; | ||
| 81 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset); | ||
| 72 | }; | 82 | }; |
| 73 | } | 83 | } |