From 29b855818da2e47bf7607c2ad57680cf3a752d0a Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Fri, 21 Jul 2023 20:59:34 +0300
Subject: [PATCH] fix: acme retrieval
---
 letsencrypt/acme.nix | 7 ++++++-
 webserver/nginx.nix | 30 +++++++++++++++---------------
 2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index 347ea82..e5b9a12 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -15,12 +15,17 @@ in
 reloadServices = [ "nginx" ];
 };
 certs = lib.mkForce {
- "${cfg.domain}" = {
+ "wildcard-${cfg.domain}" = {
 domain = "*.${cfg.domain}";
 group = "acmerecievers";
 dnsProvider = lib.strings.toLower cfg.dns.provider;
 credentialsFile = "/var/lib/cloudflare/Credentials.ini";
 };
+ "${cfg.domain}" = {
+ domain = cfg.domain;
+ group = "acmerecievers";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
 };
 };
 }
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index f04c0d4..eacc916 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -34,8 +34,8 @@ in
 '';
 };
 "vpn.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -49,8 +49,8 @@ in
 '';
 };
 "git.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
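Review bot: The new `"${cfg.domain}"` entry moves the apex name to HTTP-01 via `webroot = "/var/lib/acme/acme-challenge"`, which only succeeds if a vhost for `cfg.domain` answers on port 80 and serves `/.well-known/acme-challenge/` from that directory; no such vhost appears in this patch, so confirm it exists (it is outside this diff). Because DNS-01 credentials are already wired up for the wildcard entry, the apex could instead be added to the same order with `extraDomainNames = [ cfg.domain ];` under `"wildcard-${cfg.domain}"`, which removes the dependency on a reachable port-80 challenge path — though then `/var/lib/acme/${cfg.domain}` would no longer exist for whatever consumes it. `group = "acmerecievers"` repeats the existing misspelling; it is at least consistent, and renaming it would need a coordinated change to the group definition, which is not visible here.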
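Review bot: After this rename, `/var/lib/acme/${domain}` holds an apex-only certificate, so any vhost still pointing at it for a subdomain would present a cert whose names do not match the host; the hunks here cover vpn, git, cloud, password, api, social and meet, but the vhost closed by the `'';` / `};` context at the top of this hunk is not visible, so grep for remaining `/var/lib/acme/${domain}/` references before merging. Hard-coding `sslCertificate`/`sslCertificateKey` also bypasses the `useACMEHost` wiring the `meet` vhost uses; to my recollection the NixOS nginx module derives those paths itself and orders nginx after the cert's `acme-finished` target when `useACMEHost` is set, so replacing the two lines with `useACMEHost = "wildcard-${domain}";` would keep the vhosts consistent and avoid nginx starting before the key exists on a fresh host. Reading `key.pem` presumably also depends on the nginx user being a member of `acmerecievers`, which is configured elsewhere.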
@@ -69,8 +69,8 @@ in
 };
 };
 "cloud.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -89,8 +89,8 @@ in
 };
 };
 "password.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -109,8 +109,8 @@ in
 };
 };
 "api.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -130,8 +130,8 @@ in
 };
 };
 "social.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 root = "/var/www/social.${domain}";
 forceSSL = true;
 extraConfig = ''
@@ -151,10 +151,10 @@ in
 };
 };
 "meet.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
- useACMEHost = domain;
+ useACMEHost = "wildcard-${domain}";
 enableACME = false;
 };
 };
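Review bot: In `meet.${domain}` the updated `sslCertificate`/`sslCertificateKey` lines duplicate what `useACMEHost = "wildcard-${domain}";` already provides (as far as I recall, the NixOS nginx module takes the paths from the ACME cert's directory when `useACMEHost` is set), so this vhost now has two places that must agree and could drift on the next rename. Dropping the two explicit path lines and keeping only `useACMEHost` would remove the duplication and leave the cert ordering and reload handling to the module. `enableACME = false;` is the right companion to `useACMEHost`, since I believe the module refuses the two together.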