Compare commits
26 Commits
flakes
...
flake-to-o
Author | SHA1 | Date |
---|---|---|
Alexander Tomokhov | fcbde507fc | |
Alexander Tomokhov | c20bef314e | |
Alexander Tomokhov | e1204fb065 | |
Alexander Tomokhov | 049ecd3e32 | |
Alexander Tomokhov | b9dad899de | |
Alexander Tomokhov | 2d7680d456 | |
Inex Code | f11d8cc902 | |
Inex Code | e417c57a60 | |
Inex Code | 5cbb31bac6 | |
Inex Code | 17cadf4ffc | |
Inex Code | 8b68457c71 | |
Inex Code | c26abadbec | |
Inex Code | 3872646e97 | |
Inex Code | 3487513e34 | |
Inex Code | ab27cbd27a | |
Inex Code | 306a572e12 | |
Inex Code | 5d49b8b416 | |
Inex Code | 2f07bb37ce | |
Alexander Tomokhov | 11567d4db9 | |
Alexander Tomokhov | 9370d17b82 | |
Alexander Tomokhov | 5643877cc1 | |
Alexander Tomokhov | 3bf91c25c3 | |
Alexander Tomokhov | e4473ec733 | |
Alexander Tomokhov | 50c554e6e7 | |
Alexander Tomokhov | d1d025dda6 | |
Alexander Tomokhov | afcec981bc |
|
@ -1,4 +1,4 @@
|
||||||
userdata/userdata.json
|
userdata/userdata.json
|
||||||
userdata/tokens.json
|
userdata/tokens.json
|
||||||
hardware-configuration.nix
|
networking.nix
|
||||||
networking.nix
|
/result
|
||||||
|
|
10
README.md
10
README.md
|
@ -64,4 +64,12 @@ Example JSON config:
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# flakes edition
|
||||||
|
|
||||||
|
Build with:
|
||||||
|
```console
|
||||||
|
$ nixos-rebuild build --flake .#just-nixos
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
@ -18,19 +18,6 @@ in
|
||||||
Enable SelfPrivacy API service
|
Enable SelfPrivacy API service
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
enableSwagger = mkOption {
|
|
||||||
default = false;
|
|
||||||
type = types.bool;
|
|
||||||
description = ''
|
|
||||||
Enable Swagger UI
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
b2Bucket = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = ''
|
|
||||||
B2 bucket
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
|
||||||
|
@ -40,8 +27,6 @@ in
|
||||||
inherit (config.environment.sessionVariables) NIX_PATH;
|
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||||
HOME = "/root";
|
HOME = "/root";
|
||||||
PYTHONUNBUFFERED = "1";
|
PYTHONUNBUFFERED = "1";
|
||||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
|
||||||
B2_BUCKET = cfg.b2Bucket;
|
|
||||||
} // config.networking.proxy.envVars;
|
} // config.networking.proxy.envVars;
|
||||||
path = [
|
path = [
|
||||||
"/var/"
|
"/var/"
|
||||||
|
@ -53,11 +38,14 @@ in
|
||||||
pkgs.gitMinimal
|
pkgs.gitMinimal
|
||||||
config.nix.package.out
|
config.nix.package.out
|
||||||
pkgs.nixos-rebuild
|
pkgs.nixos-rebuild
|
||||||
|
pkgs.rclone
|
||||||
pkgs.restic
|
pkgs.restic
|
||||||
pkgs.mkpasswd
|
pkgs.mkpasswd
|
||||||
pkgs.util-linux
|
pkgs.util-linux
|
||||||
pkgs.e2fsprogs
|
pkgs.e2fsprogs
|
||||||
pkgs.iproute2
|
pkgs.iproute2
|
||||||
|
pkgs.fuse-overlayfs
|
||||||
|
pkgs.fuse
|
||||||
];
|
];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "network-online.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
|
@ -74,8 +62,6 @@ in
|
||||||
inherit (config.environment.sessionVariables) NIX_PATH;
|
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||||
HOME = "/root";
|
HOME = "/root";
|
||||||
PYTHONUNBUFFERED = "1";
|
PYTHONUNBUFFERED = "1";
|
||||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
|
||||||
B2_BUCKET = cfg.b2Bucket;
|
|
||||||
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
|
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
|
||||||
} // config.networking.proxy.envVars;
|
} // config.networking.proxy.envVars;
|
||||||
path = [
|
path = [
|
||||||
|
@ -88,11 +74,14 @@ in
|
||||||
pkgs.gitMinimal
|
pkgs.gitMinimal
|
||||||
config.nix.package.out
|
config.nix.package.out
|
||||||
pkgs.nixos-rebuild
|
pkgs.nixos-rebuild
|
||||||
|
pkgs.rclone
|
||||||
pkgs.restic
|
pkgs.restic
|
||||||
pkgs.mkpasswd
|
pkgs.mkpasswd
|
||||||
pkgs.util-linux
|
pkgs.util-linux
|
||||||
pkgs.e2fsprogs
|
pkgs.e2fsprogs
|
||||||
pkgs.iproute2
|
pkgs.iproute2
|
||||||
|
pkgs.fuse-overlayfs
|
||||||
|
pkgs.fuse
|
||||||
];
|
];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "network-online.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
|
|
|
@ -2,8 +2,6 @@
|
||||||
{
|
{
|
||||||
services.selfprivacy-api = {
|
services.selfprivacy-api = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableSwagger = config.services.userdata.api.enableSwagger;
|
|
||||||
b2Bucket = config.services.userdata.backup.bucket;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users."selfprivacy-api" = {
|
users.users."selfprivacy-api" = {
|
||||||
|
|
|
@ -1,29 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.services.userdata;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
services.restic.backups = {
|
|
||||||
options = {
|
|
||||||
passwordFile = "/etc/restic/resticPasswd";
|
|
||||||
repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
|
|
||||||
initialize = true;
|
|
||||||
paths = [
|
|
||||||
"/var/dkim"
|
|
||||||
"/var/vmail"
|
|
||||||
];
|
|
||||||
timerConfig = {
|
|
||||||
OnCalendar = [ "daily" ];
|
|
||||||
};
|
|
||||||
user = "restic";
|
|
||||||
pruneOpts = [
|
|
||||||
"--keep-daily 5"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
users.users.restic = {
|
|
||||||
isNormalUser = false;
|
|
||||||
isSystemUser = true;
|
|
||||||
group = "restic";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +1,6 @@
|
||||||
{ userdata, selfprivacy-overlay, config, pkgs, lib, ... }:
|
{ userdata, config, pkgs, lib, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
|
||||||
./variables-module.nix
|
./variables-module.nix
|
||||||
./variables.nix
|
./variables.nix
|
||||||
./files.nix
|
./files.nix
|
||||||
|
@ -14,7 +13,6 @@
|
||||||
./social/pleroma.nix
|
./social/pleroma.nix
|
||||||
./letsencrypt/acme.nix
|
./letsencrypt/acme.nix
|
||||||
./letsencrypt/resolve.nix
|
./letsencrypt/resolve.nix
|
||||||
./backup/restic.nix
|
|
||||||
./passmgr/bitwarden.nix
|
./passmgr/bitwarden.nix
|
||||||
./webserver/nginx.nix
|
./webserver/nginx.nix
|
||||||
./webserver/memcached.nix
|
./webserver/memcached.nix
|
||||||
|
@ -24,7 +22,6 @@
|
||||||
./git/gitea.nix
|
./git/gitea.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = [ (import selfprivacy-overlay) ];
|
|
||||||
# this should be specified in hardware-configuration.nix?
|
# this should be specified in hardware-configuration.nix?
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
|
||||||
|
@ -72,7 +69,7 @@
|
||||||
openFirewall = false;
|
openFirewall = false;
|
||||||
};
|
};
|
||||||
programs.ssh = {
|
programs.ssh = {
|
||||||
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
|
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
|
||||||
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
|
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
|
||||||
};
|
};
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
27
files.nix
27
files.nix
|
@ -18,13 +18,13 @@ in
|
||||||
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
||||||
in
|
in
|
||||||
[
|
[
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
|
||||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||||
"d /var/lib/restic 0600 restic - - -"
|
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
|
||||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
|
||||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||||
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
|
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
|
||||||
|
"d /var/sieve 0770 virtualMail virtualMail - -"
|
||||||
];
|
];
|
||||||
system.activationScripts =
|
system.activationScripts =
|
||||||
let
|
let
|
||||||
|
@ -56,25 +56,6 @@ in
|
||||||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||||
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
||||||
'';
|
'';
|
||||||
resticCredentials = ''
|
|
||||||
mkdir -p /root/.config/rclone
|
|
||||||
chmod 0400 /root/.config/rclone
|
|
||||||
chown root:root /root/.config/rclone
|
|
||||||
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
|
||||||
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
|
||||||
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
|
||||||
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
|
||||||
|
|
||||||
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
|
|
||||||
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
|
|
||||||
|
|
||||||
chmod 0400 /root/.config/rclone/rclone.conf
|
|
||||||
chown root:root /root/.config/rclone/rclone.conf
|
|
||||||
|
|
||||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
|
||||||
chmod 0400 /var/lib/restic/pass
|
|
||||||
chown restic /var/lib/restic/pass
|
|
||||||
'';
|
|
||||||
pleromaCredentials =
|
pleromaCredentials =
|
||||||
if cfg.pleroma.enable then ''
|
if cfg.pleroma.enable then ''
|
||||||
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
||||||
|
|
39
flake.nix
39
flake.nix
|
@ -2,23 +2,46 @@
|
||||||
description = "Selfprivacy NixOS configuration flake";
|
description = "Selfprivacy NixOS configuration flake";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
#nixpkgs.url = "https://github.com/NixOS/nixpkgs/archive/eef86b8a942913a828b9ef13722835f359deef29.tar.gz";
|
|
||||||
nixpkgs.url = "github:nixos/nixpkgs";
|
nixpkgs.url = "github:nixos/nixpkgs";
|
||||||
|
|
||||||
selfprivacy-overlay.url =
|
selfprivacy-overlay.url =
|
||||||
"git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo.git";
|
"git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo.git";
|
||||||
|
|
||||||
|
# the /etc/nixos folder input is expected to be set by the caller
|
||||||
|
# for example, upon nix build using --override-input
|
||||||
|
etc-nixos.flake = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, selfprivacy-overlay }:
|
outputs =
|
||||||
|
{ self
|
||||||
|
, etc-nixos
|
||||||
|
, nixpkgs
|
||||||
|
, selfprivacy-overlay
|
||||||
|
} @ inputs:
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
userdata =
|
||||||
|
builtins.fromJSON (builtins.readFile "${etc-nixos}/userdata.json");
|
||||||
|
sp-extensions =
|
||||||
|
builtins.fromJSON (builtins.readFile "${etc-nixos}/sp-extensions.json");
|
||||||
|
lib = nixpkgs.legacyPackages.${system}.lib;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
nixosConfigurations-fun = userdata: {
|
nixosConfigurations.just-nixos = nixpkgs.lib.nixosSystem {
|
||||||
just-nixos = nixpkgs.lib.nixosSystem {
|
specialArgs = { inherit system userdata; };
|
||||||
specialArgs = { inherit system selfprivacy-overlay userdata; };
|
modules = [
|
||||||
|
# SelfPrivacy overlay
|
||||||
modules = [ ./configuration.nix ];
|
{
|
||||||
};
|
nixpkgs.overlays = builtins.trace (sp-extensions.mailserver) [ selfprivacy-overlay.overlay ];
|
||||||
|
environment.etc.selfprivacy-nixos-config-source.source =
|
||||||
|
etc-nixos.outPath;
|
||||||
|
nix.registry = lib.mapAttrs (_n: flake: { inherit flake; }) inputs;
|
||||||
|
}
|
||||||
|
# machine specifics
|
||||||
|
"${etc-nixos}/hardware-configuration.nix"
|
||||||
|
# main configuration part
|
||||||
|
./configuration.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.userdata;
|
cfg = config.services.userdata;
|
||||||
|
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
users.groups.acmerecievers = {
|
users.groups.acmerecievers = {
|
||||||
|
@ -11,17 +12,21 @@ in
|
||||||
defaults = {
|
defaults = {
|
||||||
email = "${cfg.username}@${cfg.domain}";
|
email = "${cfg.username}@${cfg.domain}";
|
||||||
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
|
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
|
||||||
dnsPropagationCheck = false;
|
dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
|
||||||
reloadServices = [ "nginx" ];
|
reloadServices = [ "nginx" ];
|
||||||
};
|
};
|
||||||
certs = lib.mkForce {
|
certs = lib.mkForce {
|
||||||
"${cfg.domain}" = {
|
"wildcard-${cfg.domain}" = {
|
||||||
domain = "*.${cfg.domain}";
|
domain = "*.${cfg.domain}";
|
||||||
extraDomainNames = [ "${cfg.domain}" ];
|
|
||||||
group = "acmerecievers";
|
group = "acmerecievers";
|
||||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
||||||
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
};
|
};
|
||||||
|
"${cfg.domain}" = {
|
||||||
|
domain = cfg.domain;
|
||||||
|
group = "acmerecievers";
|
||||||
|
webroot = "/var/lib/acme/acme-challenge";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -74,13 +74,6 @@ in
|
||||||
# API options #
|
# API options #
|
||||||
###############
|
###############
|
||||||
api = {
|
api = {
|
||||||
enableSwagger = mkOption {
|
|
||||||
default = true;
|
|
||||||
description = ''
|
|
||||||
Enable Swagger UI
|
|
||||||
'';
|
|
||||||
type = types.bool;
|
|
||||||
};
|
|
||||||
skippedMigrations = mkOption {
|
skippedMigrations = mkOption {
|
||||||
default = [ ];
|
default = [ ];
|
||||||
description = ''
|
description = ''
|
||||||
|
|
|
@ -16,7 +16,6 @@ in
|
||||||
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
||||||
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
||||||
api = {
|
api = {
|
||||||
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
|
|
||||||
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
||||||
};
|
};
|
||||||
dns = {
|
dns = {
|
||||||
|
|
|
@ -20,8 +20,7 @@ in
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
enableACME = true;
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -35,8 +34,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"vpn.${domain}" = {
|
"vpn.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -50,8 +49,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"git.${domain}" = {
|
"git.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -70,8 +69,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"cloud.${domain}" = {
|
"cloud.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -90,8 +89,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"password.${domain}" = {
|
"password.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -110,8 +109,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"api.${domain}" = {
|
"api.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -131,8 +130,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"social.${domain}" = {
|
"social.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
root = "/var/www/social.${domain}";
|
root = "/var/www/social.${domain}";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -152,10 +151,10 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"meet.${domain}" = {
|
"meet.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = "wildcard-${domain}";
|
||||||
enableACME = false;
|
enableACME = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue