diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index 22702f0..b01b6f2 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -25,8 +25,15 @@ in
 dnsPropagationCheck = ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
 reloadServices = [ "nginx" ];
- dnsProvider = lib.strings.toLower cfg.dns.provider;
- credentialsFile = acme-env-filepath;
+ };
+ certs = lib.mkForce {
+ "${cfg.domain}" = {
+ domain = "*.${cfg.domain}";
+ extraDomainNames = [ "${cfg.domain}" ];
+ group = "acmereceivers";
+ dnsProvider = lib.strings.toLower cfg.dns.provider;
+ credentialsFile = acme-env-filepath;
+ };
 };
 };
 systemd.services.acme-secrets = {
diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
index b1b510a..d7a50cf 100644
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -72,8 +72,9 @@ in
 '';
 };
 services.nginx.virtualHosts."password.${sp.domain}" = {
+ sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index 7b7cbdf..5023f8d 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -85,8 +85,9 @@ in
 };
 };
 services.nginx.virtualHosts."git.${sp.domain}" = {
+ sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix
index 2fedc99..d23207a 100644
--- a/sp-modules/jitsi-meet/module.nix
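Review bot: `group = "acmereceivers";` on the new wildcard certificate makes `key.pem` readable only to members of that group, and nothing in this hunk shows the group being created or any of the consumers added to it, while every other hunk in the commit now reads `/var/lib/acme/${cfg.domain}/key.pem` by path; if that wiring lives elsewhere, a comment here pointing to it would spare the next reader the search, e.g. `# key.pem is group-readable only: nginx, postfix and dovecot must be members of acmereceivers`. `lib.mkForce` on `certs` also drops any `security.acme.certs` entry another module defines (this is presumably why the mailserver was switched to the manual scheme), which deserves a one-line comment stating that intent, since a later `enableACME = true;` on some vhost will no longer simply work. The `defaults` attrset this hunk closes begins above the hunk.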
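Review bot: Pointing `sslCertificate`/`sslCertificateKey` at `/var/lib/acme/${sp.domain}/...` bypasses the nginx module's ACME wiring; as far as I know `useACMEHost` is what adds the nginx user to the certificate's group and orders nginx after the ACME units, so with bare paths nginx can fail to open the group-owned `key.pem` or start before the certificate exists on a fresh host. The jitsi-meet hunk in this same commit already uses `useACMEHost = domain;`; the equivalent here is `useACMEHost = sp.domain;` in place of the two path lines, with the `enableACME = true;` removal kept. The gitea, nextcloud, ocserv and pleroma hunks and both webserver/nginx.nix hunks have the same shape and the same fix. The enclosing module attrset starts and ends outside the hunk.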
+++ b/sp-modules/jitsi-meet/module.nix
@@ -21,8 +21,11 @@ in
 };
 };
 services.nginx.virtualHosts."meet.${domain}" = {
+ sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
+ enableACME = false;
 };
 };
 }
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index 35633e7..3b4a183 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -69,8 +69,9 @@
 };
 };
 services.nginx.virtualHosts.${hostName} = {
+ sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix
index 4d3bd34..d33369a 100644
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@@ -56,8 +56,9 @@ in
 '';
 };
 services.nginx.virtualHosts."vpn.${domain}" = {
+ sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix
index 0296ad4..afb2969 100644
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
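Review bot: `sslCertificate` and `sslCertificateKey` are redundant next to `useACMEHost = domain;`, since the nginx module derives the certificate paths from the named ACME host, and `enableACME = false;` only restates the default. Keeping just `useACMEHost = domain;` leaves group membership and service ordering to the module and avoids two hand-maintained paths that must stay in step with the `certs` entry in letsencrypt/acme.nix. The enclosing attrset begins before the hunk.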
@@ -100,9 +100,10 @@ in
 # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
 systemd.services.pleroma.path = [ pkgs.util-linux ];
 services.nginx.virtualHosts."social.${sp.domain}" = {
+ sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 root = "/var/www/social.${sp.domain}";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
index 88475b9..27c44ff 100644
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -11,6 +11,5 @@
 [ "services", "postfix", "user" ],
 [ "services", "redis" ],
 [ "services", "rspamd" ],
- [ "security", "acme", "certs" ],
 [ "selfprivacy", "modules", "simple-nixos-mailserver" ]
 ]
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index f6fc53b..3ac1145 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -66,7 +66,9 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
 "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
 };
- certificateScheme = "acme";
+ certificateScheme = "manual";
+ certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ keyFile = "/var/lib/acme/${sp.domain}/key.pem";
 # Enable IMAP and POP3
 enableImap = true;
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 8b97c38..03320db 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
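Review bot: With `certificateScheme = "manual";` postfix and dovecot read the wildcard certificate straight from `/var/lib/acme/${sp.domain}`, but the only renewal hook visible in this commit is `reloadServices = [ "nginx" ];` in letsencrypt/acme.nix, so after a renewal the mail daemons keep the old certificate until something restarts them (dovecot loads its certificate at startup; postfix may pick it up as its smtpd processes recycle, but that is not guaranteed). Extending the list there, `reloadServices = [ "nginx" "postfix" "dovecot2" ];`, closes that gap, and whichever users read `keyFile` here need the same `acmereceivers` membership as the nginx vhosts — worth confirming in the mailserver module. The `mailserver` attrset this hunk edits starts and ends outside the hunk.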
@@ -21,8 +21,9 @@ in
 '';
 virtualHosts = {
 "${domain}" = {
+ sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@@ -40,8 +41,9 @@ in
 };
 };
 "api.${domain}" = {
+ sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
- enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;