[Nix-dev] Including SSL certificates with NixOS configuration

zimbatm zimbatm at zimbatm.com
Tue Sep 13 20:06:17 CEST 2016


Another solution is to use a Let's Encrypt client. Then all your SSL certs
would automatically be generated on the server. I think it only works if
you don't need more than one server per domain.

On Mon, 12 Sep 2016 at 23:18 Tomasz Czyż <tomasz.czyz at gmail.com> wrote:

> Wilhelm,
>
> all files written by nix (or maybe almost all) end up in /nix/store and
> are world-readable, not the best way to keep secrets.
>
> You have to deploy secrets manually, or you could use NixOps (and
> deployment.keys) to deploy a server with NixOS and deploy keys/secrets.
>
> 2016-09-12 22:54 GMT+01:00 Wilhelm Schuster <ws at wilhelm.re>:
>
>> Hi,
>>
>> I’m quite new to Nix/NixOS; coming from Archlinux I like being able to
>> configure my system in a declarative manner. I tried setting up a small web
>> server using nginx and I hit an interesting challenge:
>>
>> What would be a good way to include SSL certificates with the NixOS
>> configuration? I’d like to have all my system configuration inside a couple
>> of nix expressions to easily be able to move between different systems. I
>> figured I’d have a separate .nix file which includes all certificates,
>> dhparams, etc. as strings (PEM) which I import into my main
>> configuration.nix. I found builtins.toFile for writing a certificate file
>> from a string, but there doesn’t seem to be a way to set permissions, which would
>> be important for private certificates (chmod 400).
>>
>> How would you solve this? Is this even the right approach?
>>
>> Thanks and cheers, Wilhelm Schuster.
>> _______________________________________________
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>
>
>
> --
> Tomasz Czyż
>
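A concrete version of the two points raised in the thread (the store is world-readable; NixOps deployment.keys puts secrets outside it), as an added example that is not part of any message above. The host name, file paths and the nginx user are assumptions; option names are those of NixOps 1.x and NixOS 16.09 (the nginx `enableSSL` option was later replaced by `onlySSL`/`addSSL`/`forceSSL`).

```nix
# Added example, not from the thread: the /nix/store pitfall next to the
# NixOps deployment.keys approach.
{ config, pkgs, ... }:

{
  # WRONG: anything produced by a Nix expression lands in /nix/store, which is
  # world-readable (files are 0444) no matter what you chmod afterwards.
  # builtins.toFile and pkgs.writeText both do this, so a private key written
  # this way is readable by every local user (and its contents are also baked
  # into the derivation):
  #
  #   services.nginx.virtualHosts."example.com".sslCertificateKey =
  #     toString (pkgs.writeText "example.com.key"
  #       (builtins.readFile ./secrets/example.com.key));

  # RIGHT (with NixOps): deployment.keys copies the file to the target over
  # SSH at deploy time, outside the store, with an explicit owner and mode.
  # Keys land in /run/keys (a tmpfs: gone after reboot until redeployed).
  deployment.keys."example.com.key" = {
    keyFile = ./secrets/example.com.key;   # path on the deploying machine; keep it out of git
    user = "nginx";
    group = "nginx";
    permissions = "0400";                   # the chmod 400 the question asked for
  };

  # The public certificate and dhparams are not secret; the store is fine for them.
  services.nginx = {
    enable = true;
    virtualHosts."example.com" = {
      enableSSL = true;                      # NixOS 16.09 name; later onlySSL/addSSL/forceSSL
      sslCertificate = ./certs/example.com.crt;
      sslCertificateKey = "/run/keys/example.com.key";
    };
  };

  # Start nginx only once the key is in place: NixOps creates one
  # <name>-key.service per key (and keys.target aggregating all of them).
  systemd.services.nginx = {
    after = [ "example.com.key-key.service" ];
    wants = [ "example.com.key-key.service" ];
  };

  # /run/keys itself is root:keys 0750, so the unprivileged nginx user must be
  # in the "keys" group to traverse it; the file mode above still restricts
  # the key to that one user.
  users.users.nginx.extraGroups = [ "keys" ];
}
```

Deploy with `nixops deploy -d <deployment>`; the key is pushed over SSH rather than through the store closure, so it never appears under /nix/store. To check whether an existing machine already has a leaked key in the store, `grep -rIl 'PRIVATE KEY' /nix/store` is a quick audit.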

