nixos-conf/services/acme-cert-store.nix

32 lines
1.1 KiB
Nix

{ config, ... }:
{
users.users."cert-store" = {
isNormalUser = true;
description = "Read-only access to certs";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ gitea"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgIXTr7HxC13UNZP0UCALBRJuiDh4U0Nnd4GPIE4RQR vaultwarden"
];
};
security.acme = {
acceptTerms = true;
certs."vsinerva.fi".extraDomainNames = [ "*.vsinerva.fi" ];
defaults = {
email = "vili.m.sinerva@gmail.com";
environmentFile = "/var/lib/acme/dns-creds";
dnsProvider = "ovh";
extraLegoFlags = [
"--dns.propagation-wait"
"60s"
];
postRun = ''
mkdir -p ${config.users.users."cert-store".home}/acme
cp fullchain.pem ${config.users.users."cert-store".home}/acme/
cp key.pem ${config.users.users."cert-store".home}/acme/
chmod o+r ${config.users.users."cert-store".home}/acme/*.pem
'';
};
};
}