SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 19 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

merge into: SelfPrivacy:flakes
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing
...
pull from: SelfPrivacy:flake-to-override-folder
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing

26 Commits
flakes ... flake-to-o

Author SHA1 Message Date
Alexander Tomokhov fcbde507fc sp-extensions.json is read from /etc/nixos flake input 2023-11-08 21:01:11 +04:00
Alexander Tomokhov c20bef314e add sp-extensions-json flake input 2023-11-08 20:55:31 +04:00
Alexander Tomokhov e1204fb065 all flake inputs into nix.registry 2023-11-08 18:32:30 +04:00
Alexander Tomokhov 049ecd3e32 embed etc-nixos 2023-11-08 16:27:52 +04:00
Alexander Tomokhov b9dad899de pass /etc/nixos folder as an input to override 
This way it is expected to have access to this path from build results,
making it possible to reproduce the build.
 2023-11-08 16:27:52 +04:00
Alexander Tomokhov 2d7680d456 do not try to embed flake's git revision 2023-10-18 16:25:18 +04:00
Inex Code f11d8cc902 feat(ssh): Allow ecdsa-sha2-nistp256 keys 2023-10-18 13:59:42 +03:00
Inex Code e417c57a60 fix: permissions for vaultwarden backups were too broad 2023-10-18 13:59:42 +03:00
Inex Code 5cbb31bac6 fix(email): make sure /var/sieve owned my mail user 2023-10-18 13:59:42 +03:00
Inex Code 17cadf4ffc fix(acme): add dns propagation check exceptions 2023-10-18 13:59:42 +03:00
Inex Code 8b68457c71 fix(acme): enable DNS propagation check 2023-10-18 13:59:42 +03:00
Inex Code c26abadbec fix: acme retrieval 2023-10-18 13:59:42 +03:00
Inex Code 3872646e97 Revert "fix: rename the cert name" 
This reverts commit e8a25ec565.
 2023-10-18 13:59:42 +03:00
Inex Code 3487513e34 fix: rename the cert name 2023-10-18 13:59:42 +03:00
Inex Code ab27cbd27a fix: do not use DNS challenge for root domain TLS 
Previous solution made ACME create two TXT records
on the same subdomain, creating the conflict
 2023-10-18 13:59:42 +03:00
Inex Code 306a572e12 refactor: remove unused restic-related code 2023-10-18 13:59:42 +03:00
Inex Code 5d49b8b416 refactor: remove restic credentials from post-installation scripts 
These are handled by API now.
 2023-10-18 13:59:42 +03:00
Inex Code 2f07bb37ce feat: update API deps 2023-10-18 13:59:42 +03:00
Alexander Tomokhov 11567d4db9 flake: revert from self.dirtyRev to self.rev 2023-10-09 02:23:45 +04:00
Alexander Tomokhov 9370d17b82 flake: embed dirty revision of NixOS configuration instead 
The inevitable `--override-input` nix build (and nixos-rebuild) option
induces dirty state of the NixOS flake, thus `self.rev` couldn't be used
together.
 2023-10-09 02:07:49 +04:00
Alexander Tomokhov 5643877cc1 flake: embed NixOS configuration git commit sha1 into nixos.label 2023-09-28 00:56:47 +04:00
Alexander Tomokhov 3bf91c25c3 readme: add build command for flakes 2023-09-18 17:23:22 +04:00
Alexander Tomokhov e4473ec733 do not import selfprivacy overlay path, but use flake overlay output 2023-09-18 17:22:13 +04:00
Alexander Tomokhov 50c554e6e7 don't pass selfprivacy-overlay to configuration.nix; nix flake lock 2023-08-23 02:06:33 +04:00
Alexander Tomokhov d1d025dda6 use hardware-configuration.nix as a flake input 2023-08-23 00:37:16 +04:00
Alexander Tomokhov afcec981bc experiment with userdata flake input to override by caller 2023-08-22 22:22:13 +04:00
12 changed files with 78 additions and 115 deletions
Show Stats Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,4 +1,4 @@
userdata/userdata.json userdata/userdata.json
userdata/tokens.json userdata/tokens.json
hardware-configuration.nix networking.nix
networking.nix /result

10
README.md
View File

@ -64,4 +64,12 @@ Example JSON config:
} }
] ]
} }
``` ```
# flakes edition
Build with:
```console
$ nixos-rebuild build --flake .#just-nixos
```

23
api/api-module.nix
View File

@ -18,19 +18,6 @@ in
Enable SelfPrivacy API service Enable SelfPrivacy API service
''; '';
}; };
enableSwagger = mkOption {
default = false;
type = types.bool;
description = ''
Enable Swagger UI
'';
};
b2Bucket = mkOption {
type = types.str;
description = ''
B2 bucket
'';
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -40,8 +27,6 @@ in
inherit (config.environment.sessionVariables) NIX_PATH; inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root"; HOME = "/root";
PYTHONUNBUFFERED = "1"; PYTHONUNBUFFERED = "1";
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket;
} // config.networking.proxy.envVars; } // config.networking.proxy.envVars;
path = [ path = [
"/var/" "/var/"
@ -53,11 +38,14 @@ in
pkgs.gitMinimal pkgs.gitMinimal
config.nix.package.out config.nix.package.out
pkgs.nixos-rebuild pkgs.nixos-rebuild
pkgs.rclone
pkgs.restic pkgs.restic
pkgs.mkpasswd pkgs.mkpasswd
pkgs.util-linux pkgs.util-linux
pkgs.e2fsprogs pkgs.e2fsprogs
pkgs.iproute2 pkgs.iproute2
pkgs.fuse-overlayfs
pkgs.fuse
]; ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ]; wantedBy = [ "network-online.target" ];
@ -74,8 +62,6 @@ in
inherit (config.environment.sessionVariables) NIX_PATH; inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root"; HOME = "/root";
PYTHONUNBUFFERED = "1"; PYTHONUNBUFFERED = "1";
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket;
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/"; PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
} // config.networking.proxy.envVars; } // config.networking.proxy.envVars;
path = [ path = [
@ -88,11 +74,14 @@ in
pkgs.gitMinimal pkgs.gitMinimal
config.nix.package.out config.nix.package.out
pkgs.nixos-rebuild pkgs.nixos-rebuild
pkgs.rclone
pkgs.restic pkgs.restic
pkgs.mkpasswd pkgs.mkpasswd
pkgs.util-linux pkgs.util-linux
pkgs.e2fsprogs pkgs.e2fsprogs
pkgs.iproute2 pkgs.iproute2
pkgs.fuse-overlayfs
pkgs.fuse
]; ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ]; wantedBy = [ "network-online.target" ];

2
api/api.nix
View File

@ -2,8 +2,6 @@
{ {
services.selfprivacy-api = { services.selfprivacy-api = {
enable = true; enable = true;
enableSwagger = config.services.userdata.api.enableSwagger;
b2Bucket = config.services.userdata.backup.bucket;
}; };
users.users."selfprivacy-api" = { users.users."selfprivacy-api" = {

29
backup/restic.nix
View File

@ -1,29 +0,0 @@
{ config, pkgs, ... }:
let
cfg = config.services.userdata;
in
{
services.restic.backups = {
options = {
passwordFile = "/etc/restic/resticPasswd";
repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
initialize = true;
paths = [
"/var/dkim"
"/var/vmail"
];
timerConfig = {
OnCalendar = [ "daily" ];
};
user = "restic";
pruneOpts = [
"--keep-daily 5"
];
};
};
users.users.restic = {
isNormalUser = false;
isSystemUser = true;
group = "restic";
};
}

7
configuration.nix
View File

@ -1,7 +1,6 @@
{ userdata, selfprivacy-overlay, config, pkgs, lib, ... }: { userdata, config, pkgs, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix
./variables-module.nix ./variables-module.nix
./variables.nix ./variables.nix
./files.nix ./files.nix
@ -14,7 +13,6 @@
./social/pleroma.nix ./social/pleroma.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
./letsencrypt/resolve.nix ./letsencrypt/resolve.nix
./backup/restic.nix
./passmgr/bitwarden.nix ./passmgr/bitwarden.nix
./webserver/nginx.nix ./webserver/nginx.nix
./webserver/memcached.nix ./webserver/memcached.nix
@ -24,7 +22,6 @@
./git/gitea.nix ./git/gitea.nix
]; ];
nixpkgs.overlays = [ (import selfprivacy-overlay) ];
# this should be specified in hardware-configuration.nix? # this should be specified in hardware-configuration.nix?
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
@ -72,7 +69,7 @@
openFirewall = false; openFirewall = false;
}; };
programs.ssh = { programs.ssh = {
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ]; pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ]; hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

27
files.nix
View File

@ -18,13 +18,13 @@ in
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain; domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
in in
[ [
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "") (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "") (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "") (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
"d /var/lib/restic 0600 restic - - -" (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "") (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
"d /var/sieve 0770 virtualMail virtualMail - -"
]; ];
system.activationScripts = system.activationScripts =
let let
@ -56,25 +56,6 @@ in
chmod 0440 /var/lib/cloudflare/Credentials.ini chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
''; '';
resticCredentials = ''
mkdir -p /root/.config/rclone
chmod 0400 /root/.config/rclone
chown root:root /root/.config/rclone
echo '[backblaze]' > /root/.config/rclone/rclone.conf
echo 'type = b2' >> /root/.config/rclone/rclone.conf
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
chmod 0400 /root/.config/rclone/rclone.conf
chown root:root /root/.config/rclone/rclone.conf
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
chmod 0400 /var/lib/restic/pass
chown restic /var/lib/restic/pass
'';
pleromaCredentials = pleromaCredentials =
if cfg.pleroma.enable then '' if cfg.pleroma.enable then ''
echo 'import Config' > /var/lib/pleroma/secrets.exs echo 'import Config' > /var/lib/pleroma/secrets.exs

39
flake.nix
View File

@ -2,23 +2,46 @@
description = "Selfprivacy NixOS configuration flake"; description = "Selfprivacy NixOS configuration flake";
inputs = { inputs = {
#nixpkgs.url = "https://github.com/NixOS/nixpkgs/archive/eef86b8a942913a828b9ef13722835f359deef29.tar.gz";
nixpkgs.url = "github:nixos/nixpkgs"; nixpkgs.url = "github:nixos/nixpkgs";
selfprivacy-overlay.url = selfprivacy-overlay.url =
"git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo.git"; "git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo.git";
# the /etc/nixos folder input is expected to be set by the caller
# for example, upon nix build using --override-input
etc-nixos.flake = false;
}; };
outputs = { self, nixpkgs, selfprivacy-overlay }: outputs =
{ self
, etc-nixos
, nixpkgs
, selfprivacy-overlay
} @ inputs:
let let
system = "x86_64-linux"; system = "x86_64-linux";
userdata =
builtins.fromJSON (builtins.readFile "${etc-nixos}/userdata.json");
sp-extensions =
builtins.fromJSON (builtins.readFile "${etc-nixos}/sp-extensions.json");
lib = nixpkgs.legacyPackages.${system}.lib;
in in
{ {
nixosConfigurations-fun = userdata: { nixosConfigurations.just-nixos = nixpkgs.lib.nixosSystem {
just-nixos = nixpkgs.lib.nixosSystem { specialArgs = { inherit system userdata; };
specialArgs = { inherit system selfprivacy-overlay userdata; }; modules = [
# SelfPrivacy overlay
modules = [ ./configuration.nix ]; {
}; nixpkgs.overlays = builtins.trace (sp-extensions.mailserver) [ selfprivacy-overlay.overlay ];
environment.etc.selfprivacy-nixos-config-source.source =
etc-nixos.outPath;
nix.registry = lib.mapAttrs (_n: flake: { inherit flake; }) inputs;
}
# machine specifics
"${etc-nixos}/hardware-configuration.nix"
# main configuration part
./configuration.nix
];
}; };
}; };
} }

11
letsencrypt/acme.nix
View File

@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.services.userdata; cfg = config.services.userdata;
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
in in
{ {
users.groups.acmerecievers = { users.groups.acmerecievers = {
@ -11,17 +12,21 @@ in
defaults = { defaults = {
email = "${cfg.username}@${cfg.domain}"; email = "${cfg.username}@${cfg.domain}";
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory"; server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
dnsPropagationCheck = false; dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
reloadServices = [ "nginx" ]; reloadServices = [ "nginx" ];
}; };
certs = lib.mkForce { certs = lib.mkForce {
"${cfg.domain}" = { "wildcard-${cfg.domain}" = {
domain = "*.${cfg.domain}"; domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ];
group = "acmerecievers"; group = "acmerecievers";
dnsProvider = lib.strings.toLower cfg.dns.provider; dnsProvider = lib.strings.toLower cfg.dns.provider;
credentialsFile = "/var/lib/cloudflare/Credentials.ini"; credentialsFile = "/var/lib/cloudflare/Credentials.ini";
}; };
"${cfg.domain}" = {
domain = cfg.domain;
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
}; };
}; };
} }

7
variables-module.nix
View File

@ -74,13 +74,6 @@ in
# API options # # API options #
############### ###############
api = { api = {
enableSwagger = mkOption {
default = true;
description = ''
Enable Swagger UI
'';
type = types.bool;
};
skippedMigrations = mkOption { skippedMigrations = mkOption {
default = [ ]; default = [ ];
description = '' description = ''

1
variables.nix
View File

@ -16,7 +16,6 @@ in
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData; hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData; sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
api = { api = {
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData; skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
}; };
dns = { dns = {

33
webserver/nginx.nix
View File

@ -20,8 +20,7 @@ in
virtualHosts = { virtualHosts = {
"${domain}" = { "${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; enableACME = true;
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -35,8 +34,8 @@ in
''; '';
}; };
"vpn.${domain}" = { "vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -50,8 +49,8 @@ in
''; '';
}; };
"git.${domain}" = { "git.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -70,8 +69,8 @@ in
}; };
}; };
"cloud.${domain}" = { "cloud.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -90,8 +89,8 @@ in
}; };
}; };
"password.${domain}" = { "password.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -110,8 +109,8 @@ in
}; };
}; };
"api.${domain}" = { "api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -131,8 +130,8 @@ in
}; };
}; };
"social.${domain}" = { "social.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
root = "/var/www/social.${domain}"; root = "/var/www/social.${domain}";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
@ -152,10 +151,10 @@ in
}; };
}; };
"meet.${domain}" = { "meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = "wildcard-${domain}";
enableACME = false; enableACME = false;
}; };
}; };