nixos/acme: ensure web servers using certs can access them

2022-01-08 15:05:34 -05:00
parent 85a078a25d
commit b52607f43b
8 changed files with 36 additions and 13 deletions
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -370,6 +370,8 @@ let
      cat ${php.phpIni} > $out
      echo "$options" >> $out
    '';
+
+  mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
 in


@@ -657,7 +659,11 @@ in
          `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive.
        '';
      }
-    ];
+    ] ++ map (name: mkCertOwnershipAssertion {
+      inherit (cfg) group user;
+      cert = config.security.acme.certs.${name};
+      groups = config.users.groups;
+    }) dependentCertNames;

    warnings =
      mapAttrsToList (name: hostOpts: ''