SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 19 Pull Requests 1 Projects Releases Wiki Activity

Revert "Revert "add wildcard ACME certificate"" 

This reverts commit 0c4d57c33d.
pull/55/head
Alexander 2023-12-20 16:59:57 +04:00
parent c18f332f5f
commit 4faf8e7dda
9 changed files with 26 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
letsencrypt/acme.nix
View File

@ -27,13 +27,18 @@ in
reloadServices = [ "nginx" ];
};
certs = lib.mkForce {
"${cfg.domain}" = {
"wildcard-${cfg.domain}" = {
domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ];
group = "acmereceivers";
dnsProvider = lib.strings.toLower cfg.dns.provider;
credentialsFile = acme-env-filepath;
};
"${cfg.domain}" = {
domain = cfg.domain;
group = "acmereceivers";
webroot = "/var/lib/acme/acme-challenge";
};
};
};
systemd.services.acme-secrets = {

4
sp-modules/bitwarden/module.nix
View File

@ -72,8 +72,8 @@ in
'';
};
services.nginx.virtualHosts."password.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;

4
sp-modules/gitea/module.nix
View File

@ -85,8 +85,8 @@ in
};
};
services.nginx.virtualHosts."git.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;

4
sp-modules/jitsi-meet/module.nix
View File

@ -21,8 +21,8 @@ in
};
};
services.nginx.virtualHosts."meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true;
useACMEHost = domain;
enableACME = false;

4
sp-modules/nextcloud/module.nix
View File

@ -69,8 +69,8 @@
};
};
services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;

8
sp-modules/ocserv/module.nix
View File

@ -28,8 +28,8 @@ in
tcp-port = 8443
udp-port = 8443
server-cert = /var/lib/acme/${domain}/fullchain.pem
server-key = /var/lib/acme/${domain}/key.pem
server-cert = /var/lib/acme/wildcard-${domain}/fullchain.pem
server-key = /var/lib/acme/wildcard-${domain}/key.pem
compression = true
@ -56,8 +56,8 @@ in
'';
};
services.nginx.virtualHosts."vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;

4
sp-modules/pleroma/module.nix
View File

@ -100,8 +100,8 @@ in
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ];
services.nginx.virtualHosts."social.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
root = "/var/www/social.${sp.domain}";
forceSSL = true;
extraConfig = ''

4
sp-modules/simple-nixos-mailserver/config.nix
View File

@ -67,8 +67,8 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
};
certificateScheme = "manual";
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
certificateFile = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
# Enable IMAP and POP3
enableImap = true;

8
webserver/nginx.nix
View File

@ -21,8 +21,8 @@ in
'';
virtualHosts = {
"${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -41,8 +41,8 @@ in
};
};
"api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;