matrix-synapse: utilisation du certificat ACME

2019-02-12 11:15:01 +01:00 · 2019-02-12 11:15:01 +01:00 · b51cde0014
commit b51cde0014
parent c8f2fd50e5
2 changed files with 8 additions and 2 deletions
--- a/services/haproxy-acme.nix
+++ b/services/haproxy-acme.nix
@ -133,8 +133,8 @@ in
        ) cfg.services;
        webroot = "/var/www/challenges";
        email = "paul@nyanlout.re";
-        user = "haproxy";
-        group = "haproxy";
+        allowKeysForGroup = true;
+        group = "acme";
        postRun = ''
          systemctl reload haproxy.service
        '';
@ -142,6 +142,8 @@ in
    };
    security.acme.directory = "/var/lib/acme";

+    users.groups.acme.members = [ "haproxy" ];
+
    networking.firewall.allowedTCPPorts = [
      80 443
    ];
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -254,6 +254,8 @@ in
      database_args = {
        database = "matrix-synapse";
      };
+      tls_private_key_path = "/var/lib/acme/${domaine}/key.pem";
+      tls_certificate_path = "/var/lib/acme/${domaine}/fullchain.pem";
      extraConfig = ''
        max_upload_size: "100M"
      '';
@ -411,6 +413,8 @@ in
    };
  };

+  users.groups.acme.members = [ "matrix-synapse" ];
+
  security.sudo.extraRules = [
    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
  ];