author | Christian Kögler <ck3d@gmx.de> | 2022-10-07 12:53:15 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-07 12:53:15 +0200 |
commit | aff16d8bc8aba966c1fb3399e3480af816442dc4 (patch) | |
tree | 708952c912c8f8a6a5caa04f41767ebf0b81df95 /nixos/modules/security | |
parent | bcfd4d2c8de72c9d72c6b06fee68921e07946af3 (diff) | |
parent | 7e5617aa7a0401e3d765489295d22caf9926a90b (diff) | |
Merge pull request #190052 from JasonWoof/acme-example
nixos/doc: fix acme dns-01 example
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme/doc.xml | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/nixos/modules/security/acme/doc.xml b/nixos/modules/security/acme/doc.xml
index 4817f7a7fc6..1439594a5ac 100644
--- a/nixos/modules/security/acme/doc.xml
+++ b/nixos/modules/security/acme/doc.xml
@@ -237,8 +237,8 @@ services.bind = {
 <programlisting>
 systemd.services.dns-rfc2136-conf = {
- requiredBy = ["acme-example.com.service", "bind.service"];
- before = ["acme-example.com.service", "bind.service"];
+ requiredBy = ["acme-example.com.service" "bind.service"];
+ before = ["acme-example.com.service" "bind.service"];
 unitConfig = {
 ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
 };
@@ -249,18 +249,19 @@ systemd.services.dns-rfc2136-conf = {
 path = [ pkgs.bind ];
 script = ''
 mkdir -p /var/lib/secrets
+ chmod 755 /var/lib/secrets
 tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
 chown named:root /var/lib/secrets/dnskeys.conf
 chmod 400 /var/lib/secrets/dnskeys.conf
- # Copy the secret value from the dnskeys.conf, and put it in
- # RFC2136_TSIG_SECRET below
+ # extract secret value from the dnskeys.conf
+ while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
 cat > /var/lib/secrets/certs.secret << EOF
 RFC2136_NAMESERVER='127.0.0.1:53'
 RFC2136_TSIG_ALGORITHM='hmac-sha256.'
 RFC2136_TSIG_KEY='rfc2136key.example.com'
- RFC2136_TSIG_SECRET='your secret key'
+ RFC2136_TSIG_SECRET='$secret'
 EOF
 chmod 400 /var/lib/secrets/certs.secret
 ''; |
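Review bot: The extraction loop added before the `cat > /var/lib/secrets/certs.secret` heredoc never checks that it found a key, so if no `secret` line matches (or the tsig-keygen output format differs from what `''${y:1:''${#y}-3}` expects), certs.secret is written with an empty or truncated RFC2136_TSIG_SECRET. Because the unit is gated on `ConditionPathExists = "!/var/lib/secrets/dnskeys.conf"` (first hunk), it would not run again to correct that. I would make the failure visible by adding `[ -n "$secret" ] || { echo "no TSIG secret found in dnskeys.conf" >&2; exit 1; }` right after the loop. With the directory now `chmod 755`, both secret files rely on their own mode alone, and they are created by redirection before `chmod 400` runs, so the example is only safe if the unit sets a restrictive umask; that setting falls between the two hunks and is not visible here.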