Another solution is to use a Let's Encrypt client. Then all your SSL certs would automatically be generated on the server. I think it only works if you don't need more than one server per domain.

On Mon, 12 Sep 2016 at 23:18 Tomasz Czyż <[email protected]> wrote:

> Wilhelm,
>
> all files written by nix (or maybe almost all) end up in /nix/store and
> are world-readable, not the best way to keep secrets.
>
> You have to deploy secrets manually or you could use NixOps (and
> deployment.keys) to deploy a server with NixOS and deploy keys/secrets.
>
> 2016-09-12 22:54 GMT+01:00 Wilhelm Schuster <[email protected]>:
>
>> Hi,
>>
>> I’m quite new to Nix/NixOS; coming from Archlinux I like being able to
>> configure my system in a declarative manner. I tried setting up a small web
>> server using nginx and I hit an interesting challenge:
>>
>> What would be a good way to include SSL certificates with the NixOS
>> configuration? I’d like to have all my system configuration inside a couple
>> of nix expressions to easily be able to move between different systems. I
>> figured I’d have a separate .nix file which includes all certificates,
>> dhparams, etc. as strings (PEM) which I import into my main
>> configuration.nix. I found builtins.toFile for writing a certificate file
>> from a string, but there doesn’t seem to be a way to set permissions, which would
>> be important for private certificates (chmod 400).
>>
>> How would you solve this? Is this even the right approach?
>>
>> Thanks and cheers, Wilhelm Schuster.
>> _______________________________________________
>> nix-dev mailing list
>> [email protected]
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
> --
> Tomasz Czyż
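
A defender-side check for the point made in the quoted reply (files under /nix/store are world-readable), as an added example that is not part of the original thread: it walks a directory tree and reports regular files that are readable by "other" and contain a PEM private-key header. The function names and the sample files are constructed for illustration; on a real system `find_exposed_keys` would be pointed at `/nix/store`.

```python
import os
import re
import stat
import tempfile

# Matches PEM headers such as "-----BEGIN PRIVATE KEY-----",
# "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN EC PRIVATE KEY-----".
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def find_exposed_keys(root, max_bytes=1 << 20):
    """Return sorted paths under root that are world-readable PEM private keys."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                if not st.st_mode & stat.S_IROTH:
                    continue  # not readable by "other": permissions protect it
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # vanished or unreadable file: nothing to report
            if PEM_PRIVATE.search(head):
                exposed.append(path)
    return sorted(exposed)


def build_sample_store(root):
    """Create constructed sample files (marker text only, no real key material)."""
    samples = {
        "aaaa-server.key": (b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n", 0o444),
        "bbbb-server.crt": (b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n", 0o444),
        "cccc-locked.key": (b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n", 0o400),
        "dddd-config/bundle.pem": (b"-----BEGIN EC PRIVATE KEY-----\nCONSTRUCTED\n", 0o444),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)  # set explicitly so the umask does not matter


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as store:
        build_sample_store(store)
        for hit in find_exposed_keys(store):
            print("world-readable private key:", hit)
```

The certificate and the mode-0400 key are not reported; only private keys whose mode lets any local user read them are.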
