From e6496b95a411f1b3bd8d829fa254ef511dc3826b Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Fri, 22 Dec 2023 19:57:48 +0400
Subject: [PATCH] useACMEHost for all services
---
 sp-modules/bitwarden/module.nix | 3 +--
 sp-modules/gitea/module.nix | 3 +--
 sp-modules/jitsi-meet/module.nix | 2 --
 sp-modules/nextcloud/module.nix | 3 +--
 sp-modules/ocserv/config-paths-needed.json | 1 +
 sp-modules/ocserv/module.nix | 10 ++++++----
 sp-modules/pleroma/module.nix | 3 +--
 .../simple-nixos-mailserver/config-paths-needed.json | 1 +
 sp-modules/simple-nixos-mailserver/config.nix | 4 +---
 webserver/nginx.nix | 6 ++----
 10 files changed, 15 insertions(+), 21 deletions(-)
diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
index d225c7c..d549366 100644
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -78,8 +78,7 @@ in
 '';
 };
 services.nginx.virtualHosts."password.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ useACMEHost = sp.domain;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index 5023f8d..73aaea0 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -85,8 +85,7 @@ in
 };
 };
 services.nginx.virtualHosts."git.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ useACMEHost = sp.domain;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix
index d23207a..6fd7a69 100644
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@@ -21,8 +21,6 @@ in
 };
 };
 services.nginx.virtualHosts."meet.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
 useACMEHost = domain;
 enableACME = false;
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index aa086f8..913e752 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -71,8 +71,7 @@
 };
 };
 services.nginx.virtualHosts.${hostName} = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ useACMEHost = config.selfprivacy.domain;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
diff --git a/sp-modules/ocserv/config-paths-needed.json b/sp-modules/ocserv/config-paths-needed.json
index a433c68..30afb5f 100644
--- a/sp-modules/ocserv/config-paths-needed.json
+++ b/sp-modules/ocserv/config-paths-needed.json
@@ -1,4 +1,5 @@
 [
+ [ "security", "acme", "certs" ],
 [ "selfprivacy", "domain" ],
 [ "selfprivacy", "modules", "ocserv" ]
 ]
diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix
index d33369a..dfb7318 100644
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@@ -1,6 +1,8 @@
 { config, lib, ... }:
 let
 domain = config.selfprivacy.domain;
+ cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+ key = "${config.security.acme.certs.${domain}.directory}/key.pem";
 in
 {
 options.selfprivacy.modules.ocserv = {
@@ -28,8 +30,8 @@ in
 tcp-port = 8443
 udp-port = 8443
- server-cert = /var/lib/acme/${domain}/fullchain.pem
- server-key = /var/lib/acme/${domain}/key.pem
+ server-cert = ${cert}
+ server-key = ${key}
 compression = true
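Review bot: `useACMEHost = config.selfprivacy.domain;` in the nextcloud hunk spells the domain differently from the `sp.domain` the removed lines and the neighbouring modules (bitwarden, gitea, ocserv, nginx.nix) use, and the pleroma hunk has the same `config.selfprivacy.domain`. Presumably `sp` is bound to `config.selfprivacy` in these files, so the value is identical — confirm — but `useACMEHost` only works when the vhost and the ACME certificate are keyed on the same name, and one spelling keeps that visible. Suggest `useACMEHost = sp.domain;` here and in pleroma.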
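Review bot: ocserv reads `cert` and `key` only when its unit starts, and nothing in this file orders `ocserv.service` after the certificate or restarts it when ACME renews, so after a renewal the VPN keeps presenting the old chain until something else restarts it. The `ConditionPathExists = [ cert key ]` added in the `@@ -70,5 +71,6 @@` hunk of this file only makes systemd skip the unit quietly while the files are missing; it does not start ocserv once the first issuance completes. Consider `security.acme.certs.${domain}.reloadServices = [ "ocserv.service" ];` together with `systemd.services.ocserv = { after = [ "acme-finished-${domain}.target" ]; wants = [ "acme-finished-${domain}.target" ]; };`. Indexing `config.security.acme.certs.${domain}` in the let binding also turns a missing certificate declaration into an evaluation error instead of the runtime condition — probably intended, given the json hunk now declares that path, but a one-line comment such as `# evaluation fails unless security.acme.certs.${domain} is declared (see webserver/nginx.nix)` would say so.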
@@ -56,8 +58,7 @@ in
 '';
 };
 services.nginx.virtualHosts."vpn.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ useACMEHost = domain;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -70,5 +71,6 @@ in
 expires 10m;
 '';
 };
+ systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ];
 };
 }
diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix
index 3ed64ee..ef5296f 100644
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -104,8 +104,7 @@ in
 # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
 systemd.services.pleroma.path = [ pkgs.util-linux ];
 services.nginx.virtualHosts."social.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ useACMEHost = config.selfprivacy.domain;
 root = "/var/www/social.${sp.domain}";
 forceSSL = true;
 extraConfig = ''
diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
index 27c44ff..9341829 100644
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -1,5 +1,6 @@
 [
 [ "mailserver" ],
+ [ "security", "acme", "certs" ],
 [ "selfprivacy", "domain" ],
 [ "selfprivacy", "hashedMasterPassword" ],
 [ "selfprivacy", "useBinds" ],
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index ea2d6ca..81d847f 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -75,9 +75,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
 "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
 };
- certificateScheme = "manual";
- certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
- keyFile = "/var/lib/acme/${sp.domain}/key.pem";
+ certificateScheme = "acme";
 # Enable IMAP and POP3
 enableImap = true;
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 03320db..db242ed 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -21,8 +21,7 @@ in
 '';
 virtualHosts = {
 "${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ useACMEHost = domain;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -41,8 +40,7 @@ in
 };
 };
 "api.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+ useACMEHost = domain;
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
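Review bot: `certificateScheme = "acme";` makes simple-nixos-mailserver resolve the certificate as `security.acme.certs.${mailserver.fqdn}`, whereas the removed `certificateFile`/`keyFile` pointed at the certificate issued for `sp.domain`. The `fqdn` setting is not in this hunk — confirm it equals `sp.domain`; if it is a subdomain such as a mail host name, postfix and dovecot are pointed at a certificate that is not declared, and evaluation fails. A comment next to the scheme would make the dependency explicit, e.g. `# "acme" reads security.acme.certs.${fqdn}; fqdn must match the certificate declared for sp.domain`.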