32 lines
1.1 KiB
Nix
32 lines
1.1 KiB
Nix
{ config, ... }:
|
|
{
|
|
users.users."cert-store" = {
|
|
isNormalUser = true;
|
|
description = "Read-only access to certs";
|
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ gitea"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgIXTr7HxC13UNZP0UCALBRJuiDh4U0Nnd4GPIE4RQR vaultwarden"
|
|
];
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
certs."vsinerva.fi".extraDomainNames = [ "*.vsinerva.fi" ];
|
|
defaults = {
|
|
email = "vili.m.sinerva@gmail.com";
|
|
environmentFile = "/var/lib/acme/dns-creds";
|
|
dnsProvider = "ovh";
|
|
extraLegoFlags = [
|
|
"--dns.propagation-wait"
|
|
"60s"
|
|
];
|
|
postRun = ''
|
|
mkdir -p ${config.users.users."cert-store".home}/acme
|
|
cp fullchain.pem ${config.users.users."cert-store".home}/acme/
|
|
cp key.pem ${config.users.users."cert-store".home}/acme/
|
|
chmod o+r ${config.users.users."cert-store".home}/acme/*.pem
|
|
'';
|
|
};
|
|
};
|
|
}
|