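# NixOS module: Taskwarrior server (taskd) whose TLS certificate is issued via
# ACME. The issued key/chain are copied into the taskd state directory so that
# services.taskserver.pki.manual can point at a stable path owned by taskd.
{config, ...}: let
  # State directory of taskd; also where the ACME-issued server cert/key land.
  taskStore = "/var/lib/taskserver";
in {
  # The tmpfiles rules for the state directory are supplied as an agenix secret.
  environment.etc = {
    "tmpfiles.d/taskserver.conf".source = config.age.secrets.taskserverSystemdTmpfiles.path;
  };

  vhack.persist.directories = [taskStore];

  services.taskserver = {
    enable = true;
    pki.manual = {
      # Public CA certificate; safe to keep in the nix store.
      ca.cert = ./certs/ca.cert.pem;
      server = {
        cert = "${taskStore}/fullchain.pem";
        key = "${taskStore}/key.pem";
      };
    };
    debug = false;
    ipLog = false;
    trust = "strict";
    organisations = import ./organisations.nix;
    openFirewall = true;
    fqdn = "taskserver.vhack.eu";
    # Bind the IPv6 wildcard address. This socket also accepts IPv4 connections
    # only while the sysctl `net.ipv6.bindv6only` is 0 (dual-stack), see below.
    listenHost = "::";
  };

  # `bindv6only` is a sysctl, not a kernel command-line parameter: the previous
  # `boot.kernelParams = [ "sys.net.ipv6.bindv6only=0" ]` used an unknown prefix
  # and had no effect. boot.kernel.sysctl applies it at boot via systemd-sysctl.
  # 0 is the Linux default; pinning it documents that dual-stack is required.
  boot.kernel.sysctl."net.ipv6.bindv6only" = 0;

  security.acme.certs.taskserver = {
    domain = "taskserver.vhack.eu";
    # Runs after every issuance/renewal with the certificate directory as cwd
    # (hence the relative key.pem / fullchain.pem). `install` replaces the
    # target, sets owner and mode in one step and does not fail when no old
    # copy exists yet (the former `rm` without -f did on first run). The private
    # key is made readable by taskd only; the chain is public.
    postRun = /* bash */ ''
      set -x
      install -m 0600 -o taskd -g taskd key.pem "${taskStore}/key.pem"
      install -m 0644 -o taskd -g taskd fullchain.pem "${taskStore}/fullchain.pem"
    '';
    # NOTE(review): taskd presumably loads the certificate at start-up, so a
    # renewed cert is only served after a restart; security.acme's
    # `reloadServices = [ "taskserver.service" ]` would arrange that — confirm
    # the unit name before enabling it.
  };
}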