forked from M-Labs/it-infra
nixbld: set up ACME certificate for AFWS
This commit is contained in:
parent
0442916420
commit
6c6f11ed7d
|
@ -529,6 +529,26 @@ in
|
|||
};
|
||||
};
|
||||
services.afws.enable = true;
|
||||
security.acme.certs."afws.m-labs.hk".postRun =
|
||||
''
|
||||
# ensure initial state
|
||||
mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
|
||||
ln -sf /var/lib/afws/cert-current /var/lib/afws/cert
|
||||
|
||||
# populate new directory
|
||||
cp cert.pem /var/lib/afws/cert-new
|
||||
cp key.pem /var/lib/afws/cert-new
|
||||
chown afws:afws /var/lib/afws/cert-new/*
|
||||
|
||||
# atomic replace
|
||||
ln -s /var/lib/afws/cert-new /var/lib/afws/tmp
|
||||
mv -T /var/lib/afws/tmp /var/lib/afws/cert
|
||||
rm -rf /var/lib/afws/cert-current
|
||||
cp -a /var/lib/afws/cert-new /var/lib/afws/cert-current
|
||||
ln -s /var/lib/afws/cert-current /var/lib/afws/tmp
|
||||
mv -T /var/lib/afws/tmp /var/lib/afws/cert
|
||||
rm -rf /var/lib/afws/cert-new
|
||||
'';
|
||||
|
||||
nix.extraOptions = ''
|
||||
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
|
||||
|
@ -768,6 +788,7 @@ in
|
|||
};
|
||||
};
|
||||
"afws.m-labs.hk" = {
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:3771";
|
||||
locations."/".proxyWebsockets = true;
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue