nixbld: set up ACME certificate for AFWS

Sebastien Bourdeauducq 2023-04-07 14:39:05 +08:00
parent 0442916420
commit 6c6f11ed7d
1 changed files with 21 additions and 0 deletions


@ -529,6 +529,26 @@ in
}; };
}; };
services.afws.enable = true; services.afws.enable = true;
security.acme.certs."afws.m-labs.hk".postRun =
''
# ensure initial state
mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
ln -sf /var/lib/afws/cert-current /var/lib/afws/cert
# populate new directory
cp cert.pem /var/lib/afws/cert-new
cp key.pem /var/lib/afws/cert-new
chown afws:afws /var/lib/afws/cert-new/*
# atomic replace
ln -s /var/lib/afws/cert-new /var/lib/afws/tmp
mv -T /var/lib/afws/tmp /var/lib/afws/cert
rm -rf /var/lib/afws/cert-current
cp -a /var/lib/afws/cert-new /var/lib/afws/cert-current
ln -s /var/lib/afws/cert-current /var/lib/afws/tmp
mv -T /var/lib/afws/tmp /var/lib/afws/cert
rm -rf /var/lib/afws/cert-new
'';
nix.extraOptions = '' nix.extraOptions = ''
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1 secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
@ -768,6 +788,7 @@ in
}; };
}; };
"afws.m-labs.hk" = { "afws.m-labs.hk" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:3771"; locations."/".proxyPass = "http://localhost:3771";
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}; };
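Review bot: The private key copied by `cp key.pem /var/lib/afws/cert-new` in the postRun script takes whatever mode the source file and the umask give it, and nothing in the script restricts it; only the owner is changed afterwards by `chown afws:afws`. Setting mode and owner in one step, e.g. `install -m 0600 -o afws -g afws key.pem /var/lib/afws/cert-new/key.pem`, would make the key's readability explicit rather than inherited. Separately, `ln -sf /var/lib/afws/cert-current /var/lib/afws/cert` follows the existing `cert` symlink on every run after the first and creates the new link inside the target directory instead of replacing it; `ln -sfn` (or `-T`, as the `mv` lines already use) avoids that. The script also has no visible error handling, so a failed `cp` would still be followed by `rm -rf /var/lib/afws/cert-current`; whether the surrounding ACME unit aborts on failure cannot be seen from this hunk.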