From 7a0e958b972f61b23f93a8e39fee5590aec47348 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?=
Date: Wed, 7 Jun 2017 21:38:01 +0200
Subject: [PATCH] nixos/acme: support "full.pem" (for lighttpd)

* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates
Side note: According to the internet these servers also use the "full.pem" format: pound, ejabberd, pure-ftpd.

---
nixos/modules/security/acme.nix | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 321b9f7f3753..dba858c00e07 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -65,11 +65,12 @@ let
 "cert.der" "cert.pem" "chain.pem" "external.sh" "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" ]);
- default = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
 description = ''
 Plugins to enable. With default settings simp_le will
- store public certificate bundle in fullchain.pem
- and private key in key.pem in its state directory.
+ store public certificate bundle in fullchain.pem,
+ private key in key.pem and those two previous
+ files combined in full.pem in its state directory.
 '';
 };
@@ -238,6 +239,9 @@ in
 mv $workdir/server.key ${cpath}/key.pem
 mv $workdir/server.crt ${cpath}/fullchain.pem
+ # Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
+ cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
 # Clean up working directory
 rm $workdir/server.csr
 rm $workdir/server.pass.key
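Review bot: The new description never says that `full.pem` contains the private key, so a reader may handle it like the public `fullchain.pem`; I would phrase the last two lines as `private key in key.pem, and both of those concatenated (so including the private key) in full.pem in its state directory.`. Adding `full.pem` to `default` also affects existing deployments whose state directory has no such file yet: if simp_le treats a missing plugin output as "no valid certificate" (which I believe it does, but it is not visible here), the next timer run re-issues every certificate, which counts against Let's Encrypt rate limits and deserves a sentence in the description or a release note. The enclosing `plugins = mkOption` block starts before this hunk.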
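Review bot: `cat ... > "${cpath}/full.pem"` creates a file containing the private key with whatever mode the current umask yields, and the `chmod ${rights}`/`chown` for it only run later in the script (the next hunk), so there is a window in which the key can be readable more widely than intended; create it restrictively from the start, e.g. `(umask 077; cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem")`. Whether `key.pem` has the same exposure depends on how `$workdir` and `openssl` create `server.key`, which is outside this hunk. The self-signed generation script starts and ends outside the hunk.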
@@ -247,6 +251,8 @@ in
 chown '${data.user}:${data.group}' '${cpath}/key.pem'
 chmod ${rights} '${cpath}/fullchain.pem'
 chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
+ chmod ${rights} '${cpath}/full.pem'
+ chown '${data.user}:${data.group}' '${cpath}/full.pem'
 '';
 serviceConfig = {
 Type = "oneshot";
@@ -275,15 +281,14 @@ in
 )
 );
 servicesAttr = listToAttrs services;
- nginxAttr = {
- nginx = {
- after = [ "acme-selfsigned-certificates.target" ];
- wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
- };
+ injectServiceDep = {
+ after = [ "acme-selfsigned-certificates.target" ];
+ wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
 };
 in
 servicesAttr //
- (if config.services.nginx.enable then nginxAttr else {});
+ (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
+ (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
 systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair ("acme-${cert}")
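Review bot: `injectServiceDep` reads like a function but is a plain attribute set of unit options merged into `nginx`/`lighttpd`, and the asymmetry between `after` (only the self-signed target) and `wants` (both targets) is unexplained; a noun such as `webserverAcmeDeps` plus a comment would help, e.g. `# Web servers only wait for the self-signed certificates; the real ones are merely wanted, presumably so the server can already be up when the ACME challenge runs` (hedged: the challenge mechanism is not visible here). The dependency is also attached whenever `services.lighttpd.enable` is set, even if that lighttpd serves no ACME-managed certificate; with `wants` that is harmless but worth stating in the same comment. The `let` this sits in starts before the hunk.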