-rw-r--r--hosts/surtr/http.nix13
-rw-r--r--hosts/surtr/tls.nix6
2 files changed, 17 insertions, 2 deletions
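--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -51,7 +51,7 @@
 "webdav.141.li" = {
 forceSSL = true;
 sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
-sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 locations."/" = {
 proxyPass = "http://webdav/";
 };
@@ -60,6 +60,17 @@
 };
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
+certCfg = {
+postRun = ''
+${pkgs.systemd}/bin/systemctl try-restart nginx.service
+'';
+};
+};
+systemd.services.nginx = {
+preStart = lib.mkForce config.services.nginx.preStart;
+serviceConfig = {
+LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" ];
+};
 };
 };
 }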
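Review bot: `preStart = lib.mkForce config.services.nginx.preStart;` (new line 70) replaces whatever other modules contribute to nginx's preStart with no comment saying why, and mkForce will silently discard any future contribution as well; add a comment such as `# mkForce: run only the nginx module's own preStart here — TODO state which other contribution this is meant to drop and why it breaks with the LoadCredential key` or narrow the override to the specific problem. The `try-restart` in postRun looks deliberate — a LoadCredential is copied into /run/credentials/nginx.service when the service starts, so a `reload` would presumably keep serving with the pre-renewal key — but that reasoning should sit next to it, e.g. `# full restart, not reload: the key is a LoadCredential and is only re-read at service start`. It also means every renewal now briefly interrupts webdav.141.li, which is worth stating explicitly. The enclosing attribute set begins above the hunk.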
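--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -60,6 +60,10 @@ let
 type = types.nullOr types.str;
 default = null;
 };
+certCfg = mkOption {
+type = types.attrs;
+default = {};
+};
 };
 };
 in {
@@ -93,7 +97,7 @@ in {
 credentialsFile = knotDNSCredentials domain;
 dnsResolver = "1.1.1.1:53";
 keyType = "rsa4096"; # we don't like NIST curves
-};
+} // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };
 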
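Review bot: The new `certCfg` option has no `description`, and the `//` merge on the last changed line lets any key in it silently override the module's own `credentialsFile`, `dnsResolver` and `keyType` (plus whatever else domainAttrset sets above the hunk), so a per-domain `certCfg.keyType = "ec256"` would quietly undo the `rsa4096` policy the adjacent comment insists on. Give the option a description that makes the override explicit, e.g. `description = "Extra attributes merged into security.acme.certs.<name> for this domain; keys set here override credentialsFile, dnsResolver and keyType.";`. Consider `types.attrsOf types.anything` (or a submodule listing the allowed keys) instead of `types.attrs`, whose definitions merge only shallowly and which current nixpkgs discourages — exact behaviour depends on the nixpkgs revision in use. The `domainAttrset` function starts above the hunk.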