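# NixOS module: Taskwarrior sync server (taskd) with a manually managed PKI.
# The server certificate and private key come from ACME and are copied into
# taskd's state directory by the postRun hook below.
{...}: let
  # Directory that receives the renewed ACME key material for taskd.
  taskStore = "/var/lib/taskserver";
in {
  services.taskserver = {
    enable = true;
    pki.manual = {
      # A Nix path literal is copied into the world-readable Nix store when it
      # is used. That is acceptable for a public CA certificate; private keys
      # must never be referenced this way.
      ca.cert = ./ca.cert.pem;
      server = {
        # Plain strings (not path literals), so the key stays out of the store.
        cert = "${taskStore}/fullchain.pem";
        key = "${taskStore}/key.pem";
      };
    };
    debug = false;
    ipLog = false;
    trust = "strict";
    organisations = import ./organisations.nix;
    # The service is reachable from the network: the firewall port is opened
    # and the listener is bound to the public name.
    openFirewall = true;
    fqdn = "taskserver.vhack.eu";
    listenHost = "taskserver.vhack.eu";
  };

  security.acme.certs.taskserver = {
    domain = "taskserver.vhack.eu";
    # Hand the freshly issued key pair to taskd.
    #
    # `install` replaces the destination and applies owner, group and mode in
    # one step. The earlier rm/cp/chown sequence left the private key on disk
    # with whatever mode `cp` produced and with the wrong owner until the
    # later `chown` ran, and `rm` reported an error on the first run, when no
    # previous copy existed.
    #
    # The relative source paths presume the hook runs inside the ACME
    # certificate directory - confirm against the acme module in use.
    #
    # NOTE(review): nothing visible here restarts taskd after a renewal, so it
    # may keep serving the old certificate until its next restart. Consider
    # `reloadServices` on this certificate if that is not handled elsewhere.
    postRun =
      /*
      bash
      */
      ''
        set -x

        install -m 0400 -o taskd -g taskd key.pem "${taskStore}/key.pem"
        install -m 0644 -o taskd -g taskd fullchain.pem "${taskStore}/fullchain.pem"
      '';
  };
}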