From d41cf6a4db5c73d0b995e45d42a16bab308f5268 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Fri, 21 Jul 2023 20:32:03 +0300
Subject: [PATCH] fix: do not use DNS challenge for root domain TLS

Previous solution made ACME create two TXT records on the same subdomain, creating the conflict
---
 letsencrypt/acme.nix | 1 -
 webserver/nginx.nix | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index 588a05e..347ea82 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -17,7 +17,6 @@ in
 certs = lib.mkForce {
 "${cfg.domain}" = {
 domain = "*.${cfg.domain}";
- extraDomainNames = [ "${cfg.domain}" ];
 group = "acmerecievers";
 dnsProvider = lib.strings.toLower cfg.dns.provider;
 credentialsFile = "/var/lib/cloudflare/Credentials.ini";
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index cb7fdf5..f04c0d4 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -20,8 +20,7 @@ in
 virtualHosts = {
 "${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ enableACME = true;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
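Review bot: The forced certificate entry is still keyed `"${cfg.domain}"` even though it now covers only `*.${cfg.domain}`, so if `domain` in nginx.nix is the same string as `cfg.domain` the HTTP-01 cert that `enableACME = true` registers under `security.acme.certs."${domain}"` collides with this `lib.mkForce` definition, and the module system pushes the force down per attribute and discards the lower-priority nginx one — the apex vhost would then be served a wildcard-only certificate that does not match its name, which is the exact failure this commit is trying to avoid. I cannot see how `domain` is defined in nginx.nix, so this is an inference; if the names are identical, keying the wildcard entry distinctly, e.g. `"wildcard.${cfg.domain}" = {`, and pointing subdomain vhosts at it with `useACMEHost = "wildcard.${cfg.domain}";` avoids the collision and lets the apex keep its own HTTP-01 cert. Either way, a comment above the entry stating that the apex is intentionally excluded, e.g. `# wildcard only: ${cfg.domain} itself gets an HTTP-01 cert via nginx enableACME, a second DNS-01 TXT record for the same name would conflict`, would stop the next maintainer from re-adding `extraDomainNames`. The `certs = lib.mkForce {` attrset opened in this hunk is closed outside it.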