authorWojtek Kosior <koszko@koszko.org>2023-05-03 21:12:43 +0200
committerWojtek Kosior <koszko@koszko.org>2023-05-03 21:52:45 +0200
commit75af5d1e53c8564767589bd0978fe5255f44394b (patch)
treef9be2216d9a4e5dc4db2fca0e943b8ea395bc339 /container.scm
parent73cc7aac7d7bd5ee01cad2b9ed34af31345bde3d (diff)
downloadkoszko-org-server-75af5d1e53c8564767589bd0978fe5255f44394b.tar.gz
koszko-org-server-75af5d1e53c8564767589bd0978fe5255f44394b.zip
make TLS certs usable by both guix' and host's daemons
Diffstat (limited to 'container.scm')
-rw-r--r--container.scm33
1 files changed, 24 insertions, 9 deletions
diff --git a/container.scm b/container.scm
index 5eead94..7af2a25 100644
--- a/container.scm
+++ b/container.scm
@@ -368,8 +368,15 @@
(define %koszko-httpd-deploy-hook
(program-file
"httpd-deploy-hook"
- #~(let ((pid (call-with-input-file "/var/run/httpd" read)))
- (kill pid SIGHUP))))
+ #~(begin
+ (for-each (lambda (subdir)
+ (system* "chgrp" "-R" "certsaccess"
+ (string-append "/etc/letsencrypt/" subdir)))
+ '("live" "archive"))
+ (system* "find" "/etc/letsencrypt/archive/" "-name" "privkey1.pem"
+ "-exec" "chmod" "640" "{}" ";")
+ (kill (call-with-input-file "/var/run/httpd" read)
+ SIGHUP))))
(define %certbot-token-filename-gexp
#~(format #f "/srv/http/acme-challenge/~a" (getenv "CERTBOT_TOKEN")))
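Review bot: The `find` call at the `-exec chmod` line matches only `privkey1.pem`, so on certbot's first renewal the key it writes as `privkey2.pem` (and later numbers) keeps certbot's restrictive default mode and the `certsaccess` group loses read access to the current key until someone chmods it by hand; `"-name" "privkey*.pem"` (no shell is involved with `system*`, so the pattern reaches `find` intact) covers every generation. The three `system*` calls also discard their exit status, so a failing `chgrp` or `chmod` goes unnoticed and httpd is still sent SIGHUP; wrapping each in `(unless (zero? (system* ...)) (error "deploy hook step failed"))` would make the hook fail loudly instead. Note too that `chgrp -R` on `live` and `archive` hands the group every file in both trees, not only the keys; that is presumably intended, since the certificates themselves are public, but a one-line comment saying so would save the next reader the question.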
@@ -403,6 +410,7 @@
(service-type-extensions certbot-service-type))))
(certbot-configuration
(email "koszko@koszko.org")
+ (rsa-key-size 4096)
(certificates
(map
(match-lambda
@@ -410,8 +418,9 @@
(let ((www-aliases (map (cut string-append "www." <>)
(if auto-www-aliases name-and-aliases '()))))
(certificate-configuration
- (challenge "http")
+ (name (string-append "guixbot_" (car name-and-aliases)))
(domains (append name-and-aliases www-aliases))
+ (challenge "http")
(authentication-hook %koszko-certbot-auth-hook)
(cleanup-hook %koszko-certbot-cleanup-hook)
(deploy-hook %koszko-httpd-deploy-hook)))))
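Review bot: The added `name` line prefixes every lineage with `guixbot_` without saying why; given the commit title, the prefix presumably keeps the container's lineages from colliding with ones the host's own certbot keeps in the same /etc/letsencrypt tree, and a comment above the line such as `;; Prefix lineage names so they cannot clash with the host certbot's lineages sharing /etc/letsencrypt.` would record that. Because certbot derives the `live/<name>/` directory from the lineage name, the files now live under `/etc/letsencrypt/live/guixbot_<domain>/`, so any httpd vhost configuration that referred to the old `live/<domain>/` path has to change as well; that configuration is outside this hunk, so I cannot tell whether it was updated. The surrounding `match-lambda` and `let` open before the hunk.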
@@ -421,9 +430,9 @@
(host-name "koszko")
(timezone "Europe/Warsaw")
(groups (cons*
- ;; The `httpd` and `gitolite3` groups must have explicit ids so that
- ;; the host can provide files that are readable by Apache and not
- ;; readable by the world.
+ ;; Some groups must have explicit ids so that the host can provide
+ ;; files that are readable by certain daemons and not readable by the
+ ;; world.
(user-group
(name "httpd")
(id 133)
@@ -432,15 +441,21 @@
(name "gitolite3")
(id 118)
(system? #t))
+ (user-group
+ (name "certsaccess")
+ (id 1001)
+ (system? #t))
%base-groups))
(users (cons*
(user-account
(name "httpd")
(group "httpd")
- (supplementary-groups '("gitolite3"))
+ (supplementary-groups '("gitolite3" "certsaccess"))
(system? #t))
- ;; the gitolite user must also have an id that matches the respective
- ;; host user's one
+ ;; The gitolite user must also have an id that matches the respective
+ ;; host user's one — otherwise the cgit CGI process floods logs with
+ ;; an error about being unable to determine permissions of some
+ ;; files...
(user-account
(name "gitolite3")
(group "gitolite3")
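Review bot: Adding `certsaccess` to the httpd user's supplementary groups grants private-key read access to everything that runs as `httpd`, including CGI programs such as the cgit process mentioned in the comment just above, not only the server itself; if the container's httpd is started as root and drops to `httpd` after reading the certificates (which is how Guix's httpd service normally starts it, and the root parent also re-reads them on SIGHUP), the membership is not needed for httpd and only widens what a compromised CGI could read. Worth confirming which daemon actually needs group read and, if it is only the host-side one, keeping `(supplementary-groups '("gitolite3"))` here. The new `certsaccess` group also takes gid 1001, which falls in the range usually handed to ordinary users' private groups, so a short comment stating that the value is pinned to the host's existing group entry would help anyone tempted to renumber it.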