felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-02 04:33:15 +02:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:shellcheck
Branches Tags
felixalb:main felixalb:friendship-with-bakke-ended felixalb:bicep-garage-test-deployment felixalb:shellcheck felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:bicep-revival
Branches Tags
felixalb:friendship-with-bakke-ended felixalb:bicep-garage-test-deployment felixalb:main felixalb:shellcheck felixalb:bicep-revival felixalb:drumknotty felixalb:fmt felixalb:errorpages felixalb:PVVtheme2026 felixalb:dagali-heimdal-openldap-sasl-stack felixalb:skrot-new-thing felixalb:loginpage felixalb:temmie-userweb felixalb:gitea-robots-txt felixalb:kommode-disko felixalb:skrott-cross-compile felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

1 Commits
shellcheck ... bicep-revi

Author SHA1 Message Date
Felix Albrigtsen
4a53612a74 bicep: start revival 2026-04-18 22:51:57 +02:00
9 changed files with 94 additions and 88 deletions
Expand all files Collapse all files

10
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -47,8 +47,8 @@ in {
}} }}
# Delete files and directories that exists in the gallery that don't exist in the tarball # Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||'))) filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
while IFS= read -r fname; do while IFS= read fname; do
rm -f "$fname" ||: rm -f "$fname" ||:
rm -f ".thumbnails/$fname.png" ||: rm -f ".thumbnails/$fname.png" ||:
done <<< "$filesToRemove" done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
find . -type d -empty -delete find . -type d -empty -delete
mkdir -p .thumbnails mkdir -p .thumbnails
images=$(find . -type f -not -path './.thumbnails*') images=$(find . -type f -not -path "./.thumbnails*")
while IFS= read -r fname; do while IFS= read fname; do
# Skip this file if an up-to-date thumbnail already exists # Skip this file if an up-to-date thumbnail already exists
if [ -f ".thumbnails/$fname.png" ] && \ if [ -f ".thumbnails/$fname.png" ] && \
[ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ] [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
fi fi
echo "Creating thumbnail for $fname" echo "Creating thumbnail for $fname"
mkdir -p "$(dirname ".thumbnails/$fname")" mkdir -p $(dirname ".thumbnails/$fname")
magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||: magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png" touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
done <<< "$images" done <<< "$images"

52
hosts/bicep/configuration.nix
View File

@@ -1,32 +1,56 @@
{ fp, pkgs, values, ... }: { fp, pkgs, values, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
./services/nginx #./services/nginx
./services/calendar-bot.nix #./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
./services/minecraft-heatmap.nix #./services/minecraft-heatmap.nix
./services/mysql #./services/mysql
./services/postgresql #./services/postgresql
./services/matrix #./services/matrix
]; ];
#systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // { boot.loader = {
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { systemd-boot.enable = false; # no uefi support on this device
#matchConfig.Name = "enp6s0f0"; grub.device = "/dev/disk/by-id/scsi-3600508b1001ca9cf1c96afea40d5451d";
matchConfig.Name = "ens18"; grub.enable = true;
address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ] };
++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
boot = {
zfs = {
extraPools = [ "bicepdata" ];
requestEncryptionCredentials = false;
};
supportedFilesystems.zfs = true;
kernelPackages = pkgs.linuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
networking.hostId = "3b4bf6a5";
systemd.network.networks."30-ens10f3" = values.defaultNetworkConfig // {
matchConfig.Name = "ens10f3";
# IPs belong to guest1.pvv.ntnu.no
address = [ "129.241.210.248/25" "2001:700:300:1900::248/63" ];
}; };
systemd.network.wait-online = { systemd.network.wait-online = {
anyInterface = true; anyInterface = true;
}; };
services.qemuGuest.enable = true; # local overrides
services.smartd.enable = lib.mkForce false;
system.autoUpgrade.enable = lib.mkForce false;
#services.userborn.enable = lib.mkForce false;
#services.userdbd.enable = lib.mkForce false;
# Don't change (even during upgrades) unless you know what you are doing. # Don't change (even during upgrades) unless you know what you are doing.
# See https://search.nixos.org/options?show=system.stateVersion # See https://search.nixos.org/options?show=system.stateVersion

37
hosts/bicep/hardware-configuration.nix
View File

@@ -5,39 +5,26 @@
{ {
imports = imports =
[ (modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a"; { device = "/dev/disk/by-uuid/ec4ab82a-f31e-4f02-a988-99c18160d04a";
fsType = "ext4"; fsType = "btrfs";
}; };
# temp data disk, only 128gb not enough until we can add another disk to the system. swapDevices = [
fileSystems."/data" = {
{ device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba"; device = "/var/lib/swapfile";
fsType = "ext4"; size = 8 * 1024;
}; }
];
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/198B-E363";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

2
hosts/bicep/services/mysql/backup.nix
View File

@@ -57,7 +57,7 @@ in
rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||: rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done done
''; '';

2
hosts/bicep/services/postgresql/backup.nix
View File

@@ -58,7 +58,7 @@ in
rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||: rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
done done
''; '';

24
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -99,23 +99,23 @@ in
]; ];
} '' } ''
# Bigger icons # Bigger icons
install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl" install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
sed -i -e 's/24/60/g' "$out/repo/icon.tmpl" sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
''; '';
in '' in ''
install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg' install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png' install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png' install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl' install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl' install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml' install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png' install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png' install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png' install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png' install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
'${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/' "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
''; '';
}; };
} }

5
hosts/lupine/services/gitea-runner.nix
View File

@@ -39,22 +39,17 @@
"debian-bullseye-slim:docker://node:current-bullseye-slim" "debian-bullseye-slim:docker://node:current-bullseye-slim"
"alpine-latest:docker://node:current-alpine" "alpine-latest:docker://node:current-alpine"
"alpine-3.23:docker://node:current-alpine3.23"
"alpine-3.22:docker://node:current-alpine3.22" "alpine-3.22:docker://node:current-alpine3.22"
"alpine-3.21:docker://node:current-alpine3.21" "alpine-3.21:docker://node:current-alpine3.21"
# See https://gitea.com/gitea/runner-images # See https://gitea.com/gitea/runner-images
"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest" "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
"ubuntu-26.04:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-resolute:docker://docker.gitea.com/runner-images:ubuntu-26.04"
"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04" "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04" "ubuntu-noble:docker://docker.gitea.com/runner-images:ubuntu-24.04"
"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04" "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04" "ubuntu-jammy:docker://docker.gitea.com/runner-images:ubuntu-22.04"
"ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim" "ubuntu-latest-slim:docker://docker.gitea.com/runner-images:ubuntu-latest-slim"
"ubuntu-26.04-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-resolute-slim:docker://docker.gitea.com/runner-images:ubuntu-26.04-slim"
"ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim" "ubuntu-24.04-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim" "ubuntu-noble-slim:docker://docker.gitea.com/runner-images:ubuntu-24.04-slim"
"ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim" "ubuntu-22.04-slim:docker://docker.gitea.com/runner-images:ubuntu-22.04-slim"

30
modules/matrix-ooye.nix
View File

@@ -77,29 +77,29 @@ in
id id
echo "Before if statement" echo "Before if statement"
stat "''${REGISTRATION_FILE}" stat ''${REGISTRATION_FILE}
if [[ ! -f "''${REGISTRATION_FILE}" ]]; then if [[ ! -f ''${REGISTRATION_FILE} ]]; then
echo "No registration file found at '$REGISTRATION_FILE'" echo "No registration file found at '$REGISTRATION_FILE'"
cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}" cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
fi fi
echo "After if statement" echo "After if statement"
stat "''${REGISTRATION_FILE}" stat ''${REGISTRATION_FILE}
AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")" AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")" HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)" DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)" DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
# Check if we have all required tokens # Check if we have all required tokens
if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)" AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new AS token: ''${AS_TOKEN}" echo "Generated new AS token: ''${AS_TOKEN}"
fi fi
if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)" HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
echo "Generated new HS token: ''${HS_TOKEN}" echo "Generated new HS token: ''${HS_TOKEN}"
fi fi
@@ -115,13 +115,13 @@ in
exit 1 exit 1
fi fi
shred -u "''${REGISTRATION_FILE}" shred -u ''${REGISTRATION_FILE}
cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}" cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
'${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp" ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
shred -u "''${REGISTRATION_FILE}" shred -u ''${REGISTRATION_FILE}
mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}" mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
''; '';
in in

20
modules/snakeoil-certs.nix
View File

@@ -51,24 +51,24 @@ in
script = let script = let
openssl = lib.getExe pkgs.openssl; openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: '' in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')" mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}' if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then then
echo "Regenerating '${value.certificate}'" echo "Regenerating '${value.certificate}'"
${openssl} req \ ${openssl} req \
-newkey rsa:4096 \ -newkey rsa:4096 \
-new -x509 \ -new -x509 \
-days '${toString value.daysValid}' \ -days "${toString value.daysValid}" \
-nodes \ -nodes \
-subj '${value.subject}' \ -subj "${value.subject}" \
-out '${value.certificate}' \ -out "${value.certificate}" \
-keyout '${value.certificateKey}' \ -keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs} ${lib.escapeShellArgs value.extraOpenSSLArgs}
fi fi
chown '${value.owner}:${value.group}' '${value.certificate}' chown "${value.owner}:${value.group}" "${value.certificate}"
chown '${value.owner}:${value.group}' '${value.certificateKey}' chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod '${value.mode}' '${value.certificate}' chmod "${value.mode}" "${value.certificate}"
chmod '${value.mode}' '${value.certificateKey}' chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n" echo "\n-----------------\n"
'') (lib.attrsToList cfg); '') (lib.attrsToList cfg);