From 6c6f11ed7dfe2740504c060b233cc9f60e68cc31 Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Fri, 7 Apr 2023 14:39:05 +0800
Subject: [PATCH] nixbld: set up ACME certificate for AFWS

---
 nixbld-etc-nixos/configuration.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index ecc402f..df36eb9 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -529,6 +529,26 @@ in
 };
 };
 services.afws.enable = true;
+ security.acme.certs."afws.m-labs.hk".postRun =
+ ''
+ # ensure initial state
+ mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
+ ln -sf /var/lib/afws/cert-current /var/lib/afws/cert
+
+ # populate new directory
+ cp cert.pem /var/lib/afws/cert-new
+ cp key.pem /var/lib/afws/cert-new
+ chown afws:afws /var/lib/afws/cert-new/*
+
+ # atomic replace
+ ln -s /var/lib/afws/cert-new /var/lib/afws/tmp
+ mv -T /var/lib/afws/tmp /var/lib/afws/cert
+ rm -rf /var/lib/afws/cert-current
+ cp -a /var/lib/afws/cert-new /var/lib/afws/cert-current
+ ln -s /var/lib/afws/cert-current /var/lib/afws/tmp
+ mv -T /var/lib/afws/tmp /var/lib/afws/cert
+ rm -rf /var/lib/afws/cert-new
+ '';
 nix.extraOptions = ''
 secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
@@ -768,6 +788,7 @@ in
 };
 };
 "afws.m-labs.hk" = {
+ enableACME = true;
 locations."/".proxyPass = "http://localhost:3771";
 locations."/".proxyWebsockets = true;
 };
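Review bot: The `cp key.pem /var/lib/afws/cert-new` line in the first hunk's postRun script leaves the private key's mode implicit — a newly created copy gets the ACME-generated file's permission bits masked by the service umask, neither of which is visible here — so whether the key is readable beyond the afws user depends on state this change does not control; an explicit `install -o afws -g afws -m 0400 key.pem /var/lib/afws/cert-new/key.pem` (and `-m 0444` for cert.pem) in place of the two `cp` lines and the `chown` pins it, and `cp -a` then carries those modes into cert-current. The "ensure initial state" `ln -sf` lacks `-n`: on every run after the first, `/var/lib/afws/cert` already resolves to a directory, so `ln -sf` creates a stray `cert-current` link inside it rather than re-pointing `cert`, which is harmless only because `rm -rf /var/lib/afws/cert-current` deletes it later; `ln -sfn` is what is meant, and the two `ln -s … /var/lib/afws/tmp` lines have the same weakness if a leftover `tmp` from an aborted run exists. Nothing in the hunk reloads the consumer after the swap; unless afws re-reads `/var/lib/afws/cert` on each use, it keeps serving the previous certificate until its next restart, which something like `security.acme.certs."afws.m-labs.hk".reloadServices = [ "afws.service" ];` would address (the unit name is a guess). The enclosing attribute set begins and ends outside this hunk.
```nix
security.acme.certs."afws.m-labs.hk".postRun =
  ''
    # ensure initial state; -n so an existing cert -> directory symlink is replaced, not entered
    mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
    ln -sfn /var/lib/afws/cert-current /var/lib/afws/cert

    # populate new directory with explicit owner and mode (cp -a below preserves them)
    install -o afws -g afws -m 0444 cert.pem /var/lib/afws/cert-new/cert.pem
    install -o afws -g afws -m 0400 key.pem /var/lib/afws/cert-new/key.pem

    # … unchanged: atomic replace (symlink swap, cp -a, cleanup) …
  '';
```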