public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/acme: support "full.pem" (for lighttpd)

Browse Source 
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
This commit is contained in:
Bjørn Forsman 2017-06-07 21:38:01 +02:00
parent b615c2e992
commit 7a0e958b97
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/security/acme.nix
View File

@ -65,11 +65,12 @@ let
"cert.der" "cert.pem" "chain.pem" "external.sh" "cert.der" "cert.pem" "chain.pem" "external.sh"
"fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
]); ]);
default = [ "fullchain.pem" "key.pem" "account_key.json" ]; default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
description = '' description = ''
Plugins to enable. With default settings simp_le will Plugins to enable. With default settings simp_le will
store public certificate bundle in <filename>fullchain.pem</filename> store public certificate bundle in <filename>fullchain.pem</filename>,
and private key in <filename>key.pem</filename> in its state directory. private key in <filename>key.pem</filename> and those two previous
files combined in <filename>full.pem</filename> in its state directory.
''; '';
}; };
@ -238,6 +239,9 @@ in
mv $workdir/server.key ${cpath}/key.pem mv $workdir/server.key ${cpath}/key.pem
mv $workdir/server.crt ${cpath}/fullchain.pem mv $workdir/server.crt ${cpath}/fullchain.pem
# Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
# Clean up working directory # Clean up working directory
rm $workdir/server.csr rm $workdir/server.csr
rm $workdir/server.pass.key rm $workdir/server.pass.key
@ -247,6 +251,8 @@ in
chown '${data.user}:${data.group}' '${cpath}/key.pem' chown '${data.user}:${data.group}' '${cpath}/key.pem'
chmod ${rights} '${cpath}/fullchain.pem' chmod ${rights} '${cpath}/fullchain.pem'
chown '${data.user}:${data.group}' '${cpath}/fullchain.pem' chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
chmod ${rights} '${cpath}/full.pem'
chown '${data.user}:${data.group}' '${cpath}/full.pem'
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -275,15 +281,14 @@ in
) )
); );
servicesAttr = listToAttrs services; servicesAttr = listToAttrs services;
nginxAttr = { injectServiceDep = {
nginx = { after = [ "acme-selfsigned-certificates.target" ];
after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
};
}; };
in in
servicesAttr // servicesAttr //
(if config.services.nginx.enable then nginxAttr else {}); (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
(if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}") ("acme-${cert}")