30 lines
950 B
Nix
30 lines
950 B
Nix
{ config, ... }:
|
|
{
|
|
users.users."cert-store" = {
|
|
isNormalUser = true;
|
|
description = "Read-only access to certs";
|
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
|
];
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
certs."vsinerva.fi".extraDomainNames = [ "*.vsinerva.fi" ];
|
|
defaults = {
|
|
email = "vili.m.sinerva@gmail.com";
|
|
environmentFile = "/var/lib/acme/dns-creds";
|
|
dnsProvider = "ovh";
|
|
extraLegoFlags = [
|
|
"--dns.propagation-wait"
|
|
"60s"
|
|
];
|
|
postRun = ''
|
|
mkdir -p ${config.users.users."cert-store".home}/acme
|
|
cp fullchain.pem ${config.users.users."cert-store".home}/acme/
|
|
cp key.pem ${config.users.users."cert-store".home}/acme/
|
|
chown -R cert-store:cert-store ${config.users.users."cert-store".home}/acme/
|
|
chmod ugoa=r ${config.users.users."cert-store".home}/acme/*.pem
|
|
'';
|
|
};
|
|
};
|
|
}
|