diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index b01b6f2..bbafccc 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -27,13 +27,18 @@ in
 reloadServices = [ "nginx" ];
 };
 certs = lib.mkForce {
- "${cfg.domain}" = {
+ "wildcard-${cfg.domain}" = {
 domain = "*.${cfg.domain}";
 extraDomainNames = [ "${cfg.domain}" ];
 group = "acmereceivers";
 dnsProvider = lib.strings.toLower cfg.dns.provider;
 credentialsFile = acme-env-filepath;
 };
+ "${cfg.domain}" = {
+ domain = cfg.domain;
+ group = "acmereceivers";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
 };
 };
 systemd.services.acme-secrets = {
diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
index d7a50cf..3b4a516 100644
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -72,8 +72,8 @@ in
 '';
 };
 services.nginx.virtualHosts."password.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index d03b6fd..4d8b4f8 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -79,8 +79,8 @@ in
 };
 };
 services.nginx.virtualHosts."git.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix
index d23207a..fb5ed56 100644
--- a/sp-modules/jitsi-meet/module.nix
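Review bot: The new `"${cfg.domain}"` entry issues a second certificate for a name the wildcard entry already covers via `extraDomainNames = [ "${cfg.domain}" ]`, and its HTTP-01 `webroot` only works if the port-80 vhost for `${cfg.domain}` serves `/.well-known/acme-challenge/` from `/var/lib/acme/acme-challenge` — the `"${domain}"` vhost in the webserver/nginx.nix hunk is touched by this commit but nothing visible wires that location (e.g. `useACMEHost`/`enableACME`), so if it is absent, issuance and every renewal of this entry will fail. If the entry exists only for consumers that still read `/var/lib/acme/${cfg.domain}`, say so, e.g. `# apex-only HTTP-01 cert kept for consumers of /var/lib/acme/${cfg.domain}; the wildcard cert above already covers the apex` — otherwise it can be dropped. The `reloadServices = [ "nginx" ];` at the top of the hunk appears to belong to a defaults block whose start is outside the hunk; I have assumed it applies to both entries.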
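Review bot: The certificate directory is spelled out as a literal `/var/lib/acme/wildcard-${sp.domain}/...` here and again in the gitea, jitsi-meet, nextcloud, ocserv, pleroma, simple-nixos-mailserver and webserver/nginx.nix hunks, which is why this rename had to touch nine places. Pointing each consumer at `config.security.acme.certs."wildcard-${sp.domain}".directory` (or, for nginx vhosts, `useACMEHost = "wildcard-${sp.domain}";` in place of the two explicit paths) keeps the cert name in one place, so a future rename cannot leave a service reading a stale or missing key. The vhost's enclosing attribute set continues outside the hunk.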
+++ b/sp-modules/jitsi-meet/module.nix
@@ -21,8 +21,8 @@ in
 };
 };
 services.nginx.virtualHosts."meet.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 useACMEHost = domain;
 enableACME = false;
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index 3b4a183..89eeef3 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -69,8 +69,8 @@
 };
 };
 services.nginx.virtualHosts.${hostName} = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix
index d33369a..6c022d9 100644
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@@ -28,8 +28,8 @@ in
 tcp-port = 8443
 udp-port = 8443
- server-cert = /var/lib/acme/${domain}/fullchain.pem
- server-key = /var/lib/acme/${domain}/key.pem
+ server-cert = /var/lib/acme/wildcard-${domain}/fullchain.pem
+ server-key = /var/lib/acme/wildcard-${domain}/key.pem
 compression = true
@@ -56,8 +56,8 @@ in
 '';
 };
 services.nginx.virtualHosts."vpn.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
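Review bot: The explicit `sslCertificate`/`sslCertificateKey` paths on `meet.${domain}` are, as far as I recall the NixOS nginx module, overridden whenever `useACMEHost` is set — the module derives both paths from the `security.acme.certs.<useACMEHost>` directory. `useACMEHost = domain;` is left untouched here, so after this commit it would resolve to the new apex-only `${cfg.domain}` certificate from the acme.nix hunk, which does not cover `meet.${domain}`; the two rewritten lines would then have no effect and clients would get a name mismatch. Either change it to `useACMEHost = "wildcard-${domain}";` (after which the two explicit paths are redundant) or confirm which option wins in the module version in use. The vhost's enclosing attribute set starts before this hunk.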
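Review bot: `server-cert`/`server-key` now point ocserv at the wildcard certificate, but the only reload hook visible in this diff is `reloadServices = [ "nginx" ];` in the acme.nix hunk, so ocserv will keep serving the pre-renewal certificate until it is restarted for some other reason and will eventually present an expired one; the same applies to postfix and dovecot behind `certificateScheme = "manual"` in the simple-nixos-mailserver hunk. Adding the affected units to the wildcard entry, e.g. `reloadServices = [ "nginx" "ocserv" ];` plus the mail units, closes that gap — I cannot see whether the top-level defaults already list them. The ocserv config string this sits in starts before the hunk.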
diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix
index 4e80b22..d9f54a2 100644
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -99,5 +99,26 @@ in
 };
 # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
 systemd.services.pleroma.path = [ pkgs.util-linux ];
+ services.nginx.virtualHosts."social.${sp.domain}" = {
+ sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
+ root = "/var/www/social.${sp.domain}";
+ forceSSL = true;
+ extraConfig = ''
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:4000";
+ };
+ };
+ };
 };
 }
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index 3ac1145..aeceeb9 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -67,8 +67,8 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
 };
 certificateScheme = "manual";
- certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
- keyFile = "/var/lib/acme/${sp.domain}/key.pem";
+ certificateFile = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+ keyFile = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
 # Enable IMAP and POP3
 enableImap = true;
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index b4e8dc7..5185d22 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
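Review bot: The vhost moved here verbatim still carries the commented-out `Content-Security-Policy` line and `add_header X-XSS-Protection "1; mode=block";`, a header current browsers no longer honour and whose legacy filter was itself a source of problems, which is why the usual recommendation is `0` or omitting it. If Pleroma's own HTTP security plug already emits a CSP, delete the dead line; otherwise enable it with a policy that matches the frontend rather than keep a placeholder that suggests coverage that is not there. `X-XSS-Protection` can simply be dropped. The enclosing `config` attribute set closes at the end of the hunk but begins before it.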
@@ -22,8 +22,8 @@ in
 virtualHosts = {
 "${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -37,8 +37,8 @@ in
 '';
 };
 "api.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -57,27 +57,6 @@ in
 };
 };
 };
- "social.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
- root = "/var/www/social.${domain}";
- forceSSL = true;
- extraConfig = ''
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- expires 10m;
- '';
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:4000";
- };
- };
- };
 };
 };
 }