nixos/acme: support "full.pem" (for lighttpd)

* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.

+14 -9
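--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -65,11 +65,12 @@
 "cert.der" "cert.pem" "chain.pem" "external.sh"
 "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
 ]);
-default = [ "fullchain.pem" "key.pem" "account_key.json" ];
+default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
 description = ''
 Plugins to enable. With default settings simp_le will
-store public certificate bundle in <filename>fullchain.pem</filename>
-and private key in <filename>key.pem</filename> in its state directory.
+store public certificate bundle in <filename>fullchain.pem</filename>,
+private key in <filename>key.pem</filename> and those two previous
+files combined in <filename>full.pem</filename> in its state directory.
 '';
 };
 
@@ -238,6 +239,9 @@
 mv $workdir/server.key ${cpath}/key.pem
 mv $workdir/server.crt ${cpath}/fullchain.pem
 
+# Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
+cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
+
 # Clean up working directory
 rm $workdir/server.csr
 rm $workdir/server.pass.key
@@ -247,6 +251,8 @@
 chown '${data.user}:${data.group}' '${cpath}/key.pem'
 chmod ${rights} '${cpath}/fullchain.pem'
 chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
+chmod ${rights} '${cpath}/full.pem'
+chown '${data.user}:${data.group}' '${cpath}/full.pem'
 '';
 serviceConfig = {
 Type = "oneshot";
@@ -275,15 +281,14 @@
 )
 );
 servicesAttr = listToAttrs services;
-nginxAttr = {
-nginx = {
-after = [ "acme-selfsigned-certificates.target" ];
-wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
-};
+injectServiceDep = {
+after = [ "acme-selfsigned-certificates.target" ];
+wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
 };
 in
 servicesAttr //
-(if config.services.nginx.enable then nginxAttr else {});
+(if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
+(if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
 
 systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
 ("acme-${cert}")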
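Review bot: The `cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"` line in the selfsigned script (new line 243) creates a file containing the private key under whatever umask the oneshot unit runs with, and its mode is only restricted by the `chmod ${rights}` added at new line 254, so if that umask is permissive there is a window in which full.pem is readable by other local users; the unit's umask is not visible in these hunks. Creating it closed from the start removes the window without changing the end state: `( umask 077; cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem" )`, with the later chmod/chown still applying the final mode and owner. A short comment on line 242 noting that full.pem embeds the private key and must be treated like key.pem would make the intent of the chmod at line 254 explicit. The same question applies to the full.pem that simp_le now writes by default (plugin list, new line 68): worth confirming what mode simp_le creates that file with, since the module no longer controls it. The shell script these lines belong to starts and ends outside the hunks.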