Compare commits


2 Commits

Author SHA1 Message Date
2a062a6031 Run shellcheck 2026-04-24 05:11:14 +09:00
h7x4
eee7e9ad7b lupine/gitea-runner: register docker images for alpine v3.23 and ubuntu 26.04 2026-04-23 21:05:23 +09:00
9 changed files with 88 additions and 94 deletions


@@ -47,8 +47,8 @@ in {
}} }}
# Delete files and directories that exists in the gallery that don't exist in the tarball # Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||'))) filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
while IFS= read fname; do while IFS= read -r fname; do
rm -f "$fname" ||: rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||: rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove" done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
find . -type d -empty -delete find . -type d -empty -delete
mkdir -p .thumbnails mkdir -p .thumbnails
images=$(find . -type f -not -path "./.thumbnails*") images=$(find . -type f -not -path './.thumbnails*')
while IFS= read fname; do while IFS= read -r fname; do
# Skip this file if an up-to-date thumbnail already exists # Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \ if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ] [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
fi fi
echo "Creating thumbnail for $fname" echo "Creating thumbnail for $fname"
mkdir -p $(dirname ".thumbnails/$fname") mkdir -p "$(dirname ".thumbnails/$fname")"
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||: magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png" touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images" done <<< "$images"
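Review bot: The names read into `fname` in the first loop come partly from `tar -tf` on the transferred tarball, and every archive entry that has no identical line in the `find .` output lands in `filesToRemove` and is handed to `rm -f`. An entry that is absolute, contains `../` or begins with `-` would then be acted on outside the gallery directory or parsed as an option. If the tarball is not fully trusted, skip such names (`case "$fname" in /*|*..*) continue ;; esac`) and call `rm -f -- "./$fname"`. Also note that `find .` prints a leading `./`, so the `uniq -u` comparison only lines up if the archive members carry the same prefix, which cannot be confirmed from these hunks. The script starts and ends outside the visible lines.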


@@ -1,56 +1,32 @@
{ fp, pkgs, values, lib, ... }: { fp, pkgs, values, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
#./services/nginx ./services/nginx
#./services/calendar-bot.nix ./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
#./services/minecraft-heatmap.nix ./services/minecraft-heatmap.nix
#./services/mysql ./services/mysql
#./services/postgresql ./services/postgresql
#./services/matrix ./services/matrix
]; ];
boot.loader = { #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
systemd-boot.enable = false; # no uefi support on this device systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
grub.device = "/dev/disk/by-id/scsi-3600508b1001ca9cf1c96afea40d5451d"; #matchConfig.Name = "enp6s0f0";
grub.enable = true; matchConfig.Name = "ens18";
}; address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
boot = {
zfs = {
extraPools = [ "bicepdata" ];
requestEncryptionCredentials = false;
};
supportedFilesystems.zfs = true;
kernelPackages = pkgs.linuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
networking.hostId = "3b4bf6a5";
systemd.network.networks."30-ens10f3" = values.defaultNetworkConfig // {
matchConfig.Name = "ens10f3";
# IPs belong to guest1.pvv.ntnu.no
address = [ "129.241.210.248/25" "2001:700:300:1900::248/63" ];
}; };
systemd.network.wait-online = { systemd.network.wait-online = {
anyInterface = true; anyInterface = true;
}; };
# local overrides services.qemuGuest.enable = true;
services.smartd.enable = lib.mkForce false;
system.autoUpgrade.enable = lib.mkForce false;
#services.userborn.enable = lib.mkForce false;
#services.userdbd.enable = lib.mkForce false;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion


@@ -5,26 +5,39 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/ec4ab82a-f31e-4f02-a988-99c18160d04a"; { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
fsType = "btrfs"; fsType = "ext4";
}; };
swapDevices = [ # temp data disk, only 128gb not enough until we can add another disk to the system.
{ fileSystems."/data" =
device = "/var/lib/swapfile"; { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
size = 8 * 1024; fsType = "ext4";
} };
];
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }
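Review bot: The `/boot` mount added on the new side uses `options = [ "fmask=0022" "dmask=0022" ];`, which leaves every file on the vfat partition readable by all local users. If anything sensitive is kept there (a bootloader random seed, or an initrd that embeds secrets), `"fmask=0077" "dmask=0077"` is the tighter setting. Which bootloader this host uses is not visible in this section, so treat this as a point to confirm rather than a known exposure.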


@@ -57,7 +57,7 @@ in
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||: rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done done
''; '';


@@ -58,7 +58,7 @@ in
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||: rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done done
''; '';


@@ -99,23 +99,23 @@ in
]; ];
} '' } ''
# Bigger icons # Bigger icons
install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl" install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl" sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
''; '';
in '' in ''
install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/ '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
''; '';
}; };
} }
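Review bot: Wrapping an interpolated Nix value in single quotes, as in `install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'`, is only safe while the value contains no `'`, because the shell string ends at the first one. `lib.escapeShellArg` covers that case, e.g. `install -Dm444 ${lib.escapeShellArg logo-svg} ${lib.escapeShellArg "${cfg.customDir}/public/assets/img/logo.svg"}`. Store paths cannot contain a quote, so the practical exposure in this section is the option-derived `cfg.customDir`. The same pattern appears in the gallery script (`'${transferDir}/gallery.tar.gz'`), in the ooye pre-start script (`'${lib.getExe pkgs.jq}'`) and in the certificate script (`-subj '${value.subject}'`), where a free-form option value is more likely to contain a quote.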


@@ -39,17 +39,22 @@
"debian-bullseye-slim:docker://node:current-bullseye-slim" "debian-bullseye-slim:docker://node:current-bullseye-slim"
"alpine-latest:docker://node:current-alpine" "alpine-latest:docker://node:current-alpine"
"alpine-3.23:docker://node:current-alpine3.23"
"alpine-3.22:docker://node:current-alpine3.22" "alpine-3.22:docker://node:current-alpine3.22"
"alpine-3.21:docker://node:current-alpine3.21" "alpine-3.21:docker://node:current-alpine3.21"
# See https://gitea.com/gitea/runner-images # See https://gitea.com/gitea/runner-images
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest" "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
"ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04" "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04" "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04" "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04" "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim" "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
"ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim" "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim" "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim" "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"
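Review bot: The added labels, like the ones already in the list, resolve to mutable tags (`node:current-alpine3.23`, `runner-images:ubuntu-26.04`, `runner-images:ubuntu-26.04-slim`), so the image a job runs in changes whenever the upstream tag is re-pushed. For a runner whose jobs can reach repository secrets, a comment recording that trust decision would help, e.g. `# tags are mutable; jobs run whatever the registry currently serves`. If the runner's label syntax accepts it, pinning by digest (`...:ubuntu-26.04@sha256:<digest-placeholder>`) would additionally make image updates a reviewable change. The list begins and continues outside this hunk.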


@@ -77,29 +77,29 @@ in
id id
echo "Before if statement" echo "Before if statement"
stat ''${REGISTRATION_FILE} stat "''${REGISTRATION_FILE}"
if [[ ! -f ''${REGISTRATION_FILE} ]]; then if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
echo "No registration file found at '$REGISTRATION_FILE'" echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE} cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
fi fi
echo "After if statement" echo "After if statement"
stat ''${REGISTRATION_FILE} stat "''${REGISTRATION_FILE}"
AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE}) AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE}) HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token) DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret) DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"
# Check if we have all required tokens # Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64) AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
echo "Generated new AS token: ''${AS_TOKEN}" echo "Generated new AS token: ''${AS_TOKEN}"
fi fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64) HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
echo "Generated new HS token: ''${HS_TOKEN}" echo "Generated new HS token: ''${HS_TOKEN}"
fi fi
@@ -115,13 +115,13 @@ in
exit 1 exit 1
fi fi
shred -u ''${REGISTRATION_FILE} shred -u "''${REGISTRATION_FILE}"
cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE} cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp '${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"
shred -u ''${REGISTRATION_FILE} shred -u "''${REGISTRATION_FILE}"
mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE} mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
''; '';
in in
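Review bot: The `jq` filter in the second hunk still splices `$AS_TOKEN`, `$HS_TOKEN`, `$DISCORD_TOKEN` and `$DISCORD_CLIENT_SECRET` unquoted into the program text, so a value containing whitespace, `"` or a glob character is word-split or alters the filter instead of being stored as data. Passing them as variables avoids that: `jq --arg as "$AS_TOKEN" --arg hs "$HS_TOKEN" --arg dt "$DISCORD_TOKEN" --arg dcs "$DISCORD_CLIENT_SECRET" '.as_token = $as | .hs_token = $hs | .ooye.discord_token = $dt | .ooye.discord_client_secret = $dcs'`. Separately, the unchanged `echo "Generated new AS token: ''${AS_TOKEN}"` and its HS counterpart write freshly generated secrets to the unit's log. The `.tmp` file also receives all four secrets under whatever umask the unit runs with, so dropping the token from the messages and setting `umask 077` before the redirect would close both. The script begins and ends outside these hunks.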


@@ -51,24 +51,24 @@ in
script = let script = let
openssl = lib.getExe pkgs.openssl; openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: '' in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}") mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate} if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
then then
echo "Regenerating '${value.certificate}'" echo "Regenerating '${value.certificate}'"
${openssl} req \ ${openssl} req \
-newkey rsa:4096 \ -newkey rsa:4096 \
-new -x509 \ -new -x509 \
-days "${toString value.daysValid}" \ -days '${toString value.daysValid}' \
-nodes \ -nodes \
-subj "${value.subject}" \ -subj '${value.subject}' \
-out "${value.certificate}" \ -out '${value.certificate}' \
-keyout "${value.certificateKey}" \ -keyout '${value.certificateKey}' \
${lib.escapeShellArgs value.extraOpenSSLArgs} ${lib.escapeShellArgs value.extraOpenSSLArgs}
fi fi
chown "${value.owner}:${value.group}" "${value.certificate}" chown '${value.owner}:${value.group}' '${value.certificate}'
chown "${value.owner}:${value.group}" "${value.certificateKey}" chown '${value.owner}:${value.group}' '${value.certificateKey}'
chmod "${value.mode}" "${value.certificate}" chmod '${value.mode}' '${value.certificate}'
chmod "${value.mode}" "${value.certificateKey}" chmod '${value.mode}' '${value.certificateKey}'
echo "\n-----------------\n" echo "\n-----------------\n"
'') (lib.attrsToList cfg); '') (lib.attrsToList cfg);
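Review bot: Both files receive the same `chmod '${value.mode}'`, so any mode that lets other users read the certificate is also applied to the private key written by `-keyout`. The key is created by `openssl req -nodes` before the `chown`/`chmod` lines run, so its initial permissions depend on the unit's umask. Consider `umask 077` ahead of the `openssl req` call and a separate, tighter mode for `'${value.certificateKey}'`. The definition of the `mode` option is outside this hunk, so its default may already be restrictive. Minor: `echo "\n-----------------\n"` prints the backslashes literally in bash, whereas `printf '\n-----------------\n\n'` gives the intended blank lines.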