authorGregor Kleen <gkleen@yggdrasil.li>2021-09-19 16:15:48 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-09-19 16:15:48 +0200
commit21e6da21152e5a232247477d6c5422a6b0dddaea (patch)
tree074d554b651d01c5e9eebac8d5a92606d58fbeae /hosts/surtr/tls.nix
parent8dc44d61522a9d949ab73c8fd9834e4f62d618ea (diff)
surtr(tls): allow access to knot
Diffstat (limited to 'hosts/surtr/tls.nix')
-rw-r--r--hosts/surtr/tls.nix14
1 files changed, 12 insertions, 2 deletions
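--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -44,6 +44,8 @@ let
     ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
     commited=yes
   '';
+
+  domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
 in {
   config = {
     fileSystems."/var/lib/acme" =
@@ -57,7 +59,6 @@ in {
       email = "phikeebaogobaegh@141.li";
       certs =
         let
-          domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
           domainAttrset = domain: {
             inherit domain;
             extraDomainNames = [ "*.${domain}" ];
@@ -68,6 +69,15 @@ in {
         in genAttrs domains domainAttrset;
     };
 
-    users.groups."knot".members = [ "acme" ];
+    systemd.services =
+      let
+        serviceAttrset = domain: {
+          bindsTo = [ "knot.service" ];
+          serviceConfig = {
+            ReadWritePaths = ["/run/knot/knot.sock"];
+            SupplementaryGroups = ["knot"];
+          };
+        };
+      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);
   };
 }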
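Review bot: `bindsTo = [ "knot.service" ]` in the new `serviceAttrset` ties the lifecycle of each `acme-${domain}` unit to knot but gives no start ordering, so an acme unit can be started before knot has created `/run/knot/knot.sock`; as far as I recall systemd treats a missing `ReadWritePaths` entry as a unit start failure unless the path is prefixed with `-`, so add `after = [ "knot.service" ];` next to `bindsTo`. Replacing the host-wide `users.groups."knot".members = [ "acme" ]` with a per-unit `SupplementaryGroups = ["knot"]` plus a write path limited to the socket narrows knot access to exactly the units that need it, which is worth recording in a comment above `serviceAttrset`, e.g. `# knot socket access is granted per acme unit rather than to the acme user globally`. The enclosing `config = { … }` attrset starts before this hunk.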