Revert "use enableACME for all virtualHosts"

This reverts commit 46366702bc.

letsencrypt/acme.nix

@@ -25,8 +25,15 @@ in
       dnsPropagationCheck =
         ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
       reloadServices = [ "nginx" ];
-      dnsProvider = lib.strings.toLower cfg.dns.provider;
-      credentialsFile = acme-env-filepath;
+    };
+    certs = lib.mkForce {
+      "${cfg.domain}" = {
+        domain = "*.${cfg.domain}";
+        extraDomainNames = [ "${cfg.domain}" ];
+        group = "acmereceivers";
+        dnsProvider = lib.strings.toLower cfg.dns.provider;
+        credentialsFile = acme-env-filepath;
+      };
     };
   };
   systemd.services.acme-secrets = {

sp-modules/bitwarden/module.nix

@@ -72,8 +72,9 @@ in
       '';
     };
     services.nginx.virtualHosts."password.${sp.domain}" = {
+      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
       forceSSL = true;
-      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/gitea/module.nix

@@ -85,8 +85,9 @@ in
       };
     };
     services.nginx.virtualHosts."git.${sp.domain}" = {
+      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
       forceSSL = true;
-      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/jitsi-meet/module.nix

@@ -21,8 +21,11 @@ in
       };
     };
     services.nginx.virtualHosts."meet.${domain}" = {
+      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = domain;
+      enableACME = false;
     };
   };
 }

sp-modules/nextcloud/module.nix

@@ -69,8 +69,9 @@
         };
       };
       services.nginx.virtualHosts.${hostName} = {
+        sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
         forceSSL = true;
-        enableACME = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/ocserv/module.nix

@@ -56,8 +56,9 @@ in
       '';
     };
     services.nginx.virtualHosts."vpn.${domain}" = {
+      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
       forceSSL = true;
-      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/pleroma/module.nix

@@ -100,9 +100,10 @@ in
     # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
     systemd.services.pleroma.path = [ pkgs.util-linux ];
     services.nginx.virtualHosts."social.${sp.domain}" = {
+      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
       root = "/var/www/social.${sp.domain}";
       forceSSL = true;
-      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/simple-nixos-mailserver/config-paths-needed.json

@@ -11,6 +11,5 @@
   [ "services", "postfix", "user" ],
   [ "services", "redis" ],
   [ "services", "rspamd" ],
-  [ "security", "acme", "certs" ],
   [ "selfprivacy", "modules", "simple-nixos-mailserver" ]
 ]

sp-modules/simple-nixos-mailserver/config.nix

@@ -66,7 +66,9 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
       "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
     };
 
-    certificateScheme = "acme";
+    certificateScheme = "manual";
+    certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
+    keyFile = "/var/lib/acme/${sp.domain}/key.pem";
 
     # Enable IMAP and POP3
     enableImap = true;

webserver/nginx.nix

@@ -21,8 +21,9 @@ in
     '';
     virtualHosts = {
       "${domain}" = {
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
         forceSSL = true;
-        enableACME = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@@ -40,8 +41,9 @@ in
         };
       };
       "api.${domain}" = {
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
         forceSSL = true;
-        enableACME = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;