From 0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Jan 2022 17:52:33 +0100
Subject: ...

---
 hosts/surtr/http.nix | 13 ++++++++++++-
 hosts/surtr/tls.nix | 6 +++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
(limited to 'hosts')

diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index bf5e0335..0e9146c4 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -51,7 +51,7 @@
 "webdav.141.li" = {
 forceSSL = true;
 sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 locations."/" = {
 proxyPass = "http://webdav/";
 };
@@ -60,6 +60,17 @@
 };
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+ systemd.services.nginx = {
+ preStart = lib.mkForce config.services.nginx.preStart;
+ serviceConfig = {
+ LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" ];
+ };
 };
 };
 }
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 53fe1e5e..17de1319 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -60,6 +60,10 @@ let
 type = types.nullOr types.str;
 default = null;
 };
+ certCfg = mkOption {
+ type = types.attrs;
+ default = {};
+ };
 };
 };
 in {
@@ -93,7 +97,7 @@ in {
 credentialsFile = knotDNSCredentials domain;
 dnsResolver = "1.1.1.1:53";
 keyType = "rsa4096"; # we don't like NIST curves
- };
+ } // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };
-- 
cgit v1.2.3
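Review bot: The new `sslCertificateKey` value hard-codes both the unit name and the credential id `webdav.141.li.key.pem` that the `LoadCredential` entry in the next hunk declares, so the two strings can drift apart and the mismatch only surfaces when nginx fails to start. Bind the id once, e.g. `credName = "webdav.141.li.key.pem";` in a `let`, and use it in both places: `sslCertificateKey = "/run/credentials/nginx.service/${credName}";` and `LoadCredential = [ "${credName}:..." ];`. Note that the key is now only readable from inside `nginx.service`; the config test in `preStart` should still see it as part of the unit's `ExecStartPre`, but any config check run outside the unit (e.g. a manual `nginx -t`) will no longer find the key, which is worth a comment on this line. The enclosing `virtualHosts` attrset starts and ends outside the hunk.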
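Review bot: `preStart = lib.mkForce config.services.nginx.preStart;` carries no explanation; `mkForce` silently discards every other definition of the unit's `preStart`, so a later reader cannot tell which definition is being suppressed or why it must be. Add a comment naming it, e.g. `# mkForce: <definition being overridden and why it must not run here>`. The `try-restart` in `postRun` is the right choice rather than `reload`, because a credential is materialised under /run/credentials when the unit starts and a reload would keep serving the previous key; stating that in a one-line comment on the `postRun` line (`# restart, not reload: LoadCredential is only re-read on unit start`) prevents someone later "optimising" it into a reload. Whether `postRun` has the privilege to restart the unit depends on how the ACME service runs it, which is not visible in this diff.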
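Review bot: The new `certCfg` option has no `description`, and its type `types.attrs` merges multiple definitions shallowly (a later top-level key overwrites an earlier one; nested sets are not merged), which matters because the value is passed straight into the per-domain ACME certificate settings. Suggest `description = "Extra settings merged into the generated security.acme.certs entry for this domain; top-level keys replace the generated ones.";` so the override semantics are explicit to whoever sets it. The enclosing submodule `options` block starts outside the hunk.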
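Review bot: `} // cfg.domains.${domain}.certCfg;` lets any key in `certCfg` replace a generated value wholesale, including `credentialsFile`, `dnsResolver` and `keyType`, so a per-domain `certCfg` can silently undo the `rsa4096` policy the comment two lines above asserts. If the intent is only to add settings such as `postRun`, consider `lib.mkMerge [ { … } cfg.domains.${domain}.certCfg ]` so the module system merges the two definitions and should report conflicting scalar keys instead of overwriting them; otherwise document the override on this line with `# shallow update: certCfg keys win over the generated settings`. The `let domainAttrset = …` binding starts outside the hunk.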