fsagbuya
/
it-infra
forked from M-Labs/it-infra
1
0
Fork 0
Code Pull Requests Activity

nixbld: set up ACME certificate for AFWS

This commit is contained in:
Sebastien Bourdeauducq 2023-04-07 14:39:05 +08:00
parent 0442916420
commit 6c6f11ed7d
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
nixbld-etc-nixos/configuration.nix
View File

@ -529,6 +529,26 @@ in
};
};
services.afws.enable = true;
security.acme.certs."afws.m-labs.hk".postRun =
''
# ensure initial state
mkdir -p /var/lib/afws/cert-new /var/lib/afws/cert-current
ln -sf /var/lib/afws/cert-current /var/lib/afws/cert
# populate new directory
cp cert.pem /var/lib/afws/cert-new
cp key.pem /var/lib/afws/cert-new
chown afws:afws /var/lib/afws/cert-new/*
# atomic replace
ln -s /var/lib/afws/cert-new /var/lib/afws/tmp
mv -T /var/lib/afws/tmp /var/lib/afws/cert
rm -rf /var/lib/afws/cert-current
cp -a /var/lib/afws/cert-new /var/lib/afws/cert-current
ln -s /var/lib/afws/cert-current /var/lib/afws/tmp
mv -T /var/lib/afws/tmp /var/lib/afws/cert
rm -rf /var/lib/afws/cert-new
'';
nix.extraOptions = ''
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
@ -768,6 +788,7 @@ in
};
};
"afws.m-labs.hk" = {
enableACME = true;
locations."/".proxyPass = "http://localhost:3771";
locations."/".proxyWebsockets = true;
};