Update systemd.nix

Naïm Favier 2020-11-29 14:35:15 +01:00 committed by lewo
parent de84ba1aeb
commit 7c06f610f1
2 changed files with 23 additions and 30 deletions


@ -385,7 +385,7 @@ in
type = types.path; type = types.path;
default = "/var/certs"; default = "/var/certs";
description = '' description = ''
Sceme 2) Scheme 2)
This is the folder where the certificate will be created. The name is This is the folder where the certificate will be created. The name is
hardcoded to "cert-<domain>.pem" and "key-<domain>.pem" and the hardcoded to "cert-<domain>.pem" and "key-<domain>.pem" and the
certificate is valid for 10 years. certificate is valid for 10 years.


@ -18,40 +18,32 @@
let let
cfg = config.mailserver; cfg = config.mailserver;
preliminarySelfsigned = config.security.acme.preliminarySelfsigned; certificatesDeps =
acmeWantsTarget = [ "acme-certificates.target" ] if cfg.certificateScheme == 1 then
++ (lib.optional preliminarySelfsigned "acme-selfsigned-certificates.target"); []
acmeAfterTarget = if preliminarySelfsigned else if cfg.certificateScheme == 2 then
then [ "acme-selfsigned-certificates.target" ] [ "mailserver-selfsigned-certificate.service" ]
else [ "acme-certificates.target" ]; else
[ "acme-finished-${cfg.fqdn}.target" ];
in in
{ {
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
# Add target for when certificates are available
systemd.targets."mailserver-certificates" = {
wants = lib.mkIf (cfg.certificateScheme == 3) acmeWantsTarget;
after = lib.mkIf (cfg.certificateScheme == 3) acmeAfterTarget;
};
# Create self signed certificate # Create self signed certificate
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == 2) { systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == 2) {
wantedBy = [ "mailserver-certificates.target" ];
after = [ "local-fs.target" ]; after = [ "local-fs.target" ];
before = [ "mailserver-certificates.target" ];
script = '' script = ''
# Create certificates if they do not exist yet # Create certificates if they do not exist yet
dir="${cfg.certificateDirectory}" dir="${cfg.certificateDirectory}"
fqdn="${cfg.fqdn}" fqdn="${cfg.fqdn}"
case $fqdn in /*) fqdn=$(cat "$fqdn");; esac [[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
key="''${dir}/key-${cfg.fqdn}.pem"; key="$dir/key-${cfg.fqdn}.pem";
cert="''${dir}/cert-${cfg.fqdn}.pem"; cert="$dir/cert-${cfg.fqdn}.pem";
if [ ! -f "''${key}" ] || [ ! -f "''${cert}" ] if [[ ! -f $key || ! -f $cert ]]; then
then
mkdir -p "${cfg.certificateDirectory}" mkdir -p "${cfg.certificateDirectory}"
(umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "''${key}" 2048) && (umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 2048) &&
"${pkgs.openssl}/bin/openssl" req -new -key "''${key}" -x509 -subj "/CN=''${fqdn}" \ "${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" \
-days 3650 -out "''${cert}" -days 3650 -out "$cert"
fi fi
''; '';
serviceConfig = { serviceConfig = {
@ -62,8 +54,8 @@ in
# Create maildir folder before dovecot startup # Create maildir folder before dovecot startup
systemd.services.dovecot2 = { systemd.services.dovecot2 = {
after = [ "mailserver-certificates.target" ]; wants = certificatesDeps;
wants = [ "mailserver-certificates.target" ]; after = certificatesDeps;
preStart = '' preStart = ''
# Create mail directory and set permissions. See # Create mail directory and set permissions. See
# <http://wiki2.dovecot.org/SharedMailboxes/Permissions>. # <http://wiki2.dovecot.org/SharedMailboxes/Permissions>.
@ -75,11 +67,12 @@ in
# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work # Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
systemd.services.postfix = { systemd.services.postfix = {
after = [ "dovecot2.service" "mailserver-certificates.target" ] wants = certificatesDeps;
++ (lib.optional cfg.dkimSigning "opendkim.service"); after = [ "dovecot2.service" ]
wants = [ "mailserver-certificates.target" ]; ++ lib.optional cfg.dkimSigning "opendkim.service"
++ certificatesDeps;
requires = [ "dovecot2.service" ] requires = [ "dovecot2.service" ]
++ (lib.optional cfg.dkimSigning "opendkim.service"); ++ lib.optional cfg.dkimSigning "opendkim.service";
}; };
}; };
} }
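Review bot: The new `certificatesDeps` binding in the first hunk replaces the `mailserver-certificates` target and its explanatory comment, but carries no comment of its own, so a reader has to reverse-engineer what the three `certificateScheme` branches mean; I would add above it `# Units the mail services wait for before starting: nothing for scheme 1 (certificates are managed externally), the self-signed generator for scheme 2, the ACME completion target for scheme 3.` Worth stating there as well that the list is used with `wants`, not `requires`, so for scheme 2 a failed `mailserver-selfsigned-certificate.service` does not prevent `dovecot2` and `postfix` from starting without a key or certificate; that appears to be inherited from the old target-based wiring, so if it is intended the comment should say so, and if not `requires = certificatesDeps;` on both services is the alternative. Since the new `let` block only references `acme-finished-${cfg.fqdn}.target` for scheme 3, the old `preliminarySelfsigned` handling is gone; as far as the hunk shows this relies on the ACME module ordering that target correctly, which is worth a one-line comment too. The `serviceConfig` of the self-signed service continues outside the first hunk.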