diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index ecc402f5..df36eb91 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -529,6 +529,26 @@ in
 };
 };
 services.afws.enable = true;
+ security.acme.certs."afws.m-labs.hk".postRun =
+ ''
+ # ensure initial state
+ mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
+ ln -sf /var/lib/afws/cert-current /var/lib/afws/cert
+
+ # populate new directory
+ cp cert.pem /var/lib/afws/cert-new
+ cp key.pem /var/lib/afws/cert-new
+ chown afws:afws /var/lib/afws/cert-new/*
+
+ # atomic replace
+ ln -s /var/lib/afws/cert-new /var/lib/afws/tmp
+ mv -T /var/lib/afws/tmp /var/lib/afws/cert
+ rm -rf /var/lib/afws/cert-current
+ cp -a /var/lib/afws/cert-new /var/lib/afws/cert-current
+ ln -s /var/lib/afws/cert-current /var/lib/afws/tmp
+ mv -T /var/lib/afws/tmp /var/lib/afws/cert
+ rm -rf /var/lib/afws/cert-new
+ '';
 nix.extraOptions = '' secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
@@ -768,6 +788,7 @@ in
 };
 };
 "afws.m-labs.hk" = {
+ enableACME = true;
 locations."/".proxyPass = "http://localhost:3771";
 locations."/".proxyWebsockets = true;
 };
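Review bot: In the postRun script the private key is copied with `cp key.pem /var/lib/afws/cert-new` and only chowned afterwards, so its mode is whatever cp derives from the source file and the umask, and the directories from `mkdir -p` get default permissions; setting owner and mode at creation makes the key's exposure explicit. Separately, `ln -sf /var/lib/afws/cert-current /var/lib/afws/cert` follows the existing `cert` symlink on every run after the first and creates a `cert-current` link inside the target directory instead of replacing `cert`; adding `-n` avoids that. The two `ln -s … /var/lib/afws/tmp` calls fail if an interrupted run left `tmp` behind, which would presumably keep later renewals from refreshing the copy until someone cleans up by hand. Whether afws re-reads the certificate without a restart is not visible in this hunk.

```nix
  security.acme.certs."afws.m-labs.hk".postRun =
    ''
      # ensure initial state; -n keeps ln from descending into an existing cert symlink
      install -d -o afws -g afws -m 0750 /var/lib/afws/cert-new /var/lib/afws/cert-current
      ln -sfn /var/lib/afws/cert-current /var/lib/afws/cert

      # populate new directory with owner and mode fixed at creation time
      install -o afws -g afws -m 0644 cert.pem /var/lib/afws/cert-new/cert.pem
      install -o afws -g afws -m 0400 key.pem /var/lib/afws/cert-new/key.pem

      # atomic replace; -f clears a tmp link left behind by an interrupted run
      ln -sfn /var/lib/afws/cert-new /var/lib/afws/tmp
      # … unchanged: mv -T tmp cert, rm -rf cert-current, cp -a cert-new cert-current …
      ln -sfn /var/lib/afws/cert-current /var/lib/afws/tmp
      # … unchanged: mv -T tmp cert, rm -rf cert-new …
    '';
```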