SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 17 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: SelfPrivacy:master
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing
houkime:houkime-providers-api
houkime:3rd-party-bumps/nextcloud-24
houkime:mailserver-22.05
houkime:master
houkime:volumes
houkime:pleroma-fixes
houkime:development
houkime:rolling-testing
houkime:jitsi-fixes
houkime:vpn-and-volume-fixes
houkime:vaultwarden-admin
houkime:b2-backups
houkime:aws-to-backblaze
..
compare: houkime:master
Branches Tags
houkime:houkime-providers-api
houkime:3rd-party-bumps/nextcloud-24
houkime:mailserver-22.05
houkime:master
houkime:volumes
houkime:pleroma-fixes
houkime:development
houkime:rolling-testing
houkime:jitsi-fixes
houkime:vpn-and-volume-fixes
houkime:vaultwarden-admin
houkime:b2-backups
houkime:aws-to-backblaze
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing

No commits in common. "master" and "master" have entirely different histories.
master ... master

15 changed files with 133 additions and 163 deletions
Show Stats Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1,5 +1,4 @@
userdata/userdata.json
userdata/tokens.json
hardware-configuration.nix
networking.nix
/result
networking.nix

27
api/api-module.nix
View File

@ -18,6 +18,19 @@ in
Enable SelfPrivacy API service
'';
};
enableSwagger = mkOption {
default = false;
type = types.bool;
description = ''
Enable Swagger UI
'';
};
b2Bucket = mkOption {
type = types.str;
description = ''
B2 bucket
'';
};
};
config = lib.mkIf cfg.enable {
@ -27,6 +40,8 @@ in
inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root";
PYTHONUNBUFFERED = "1";
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket;
} // config.networking.proxy.envVars;
path = [
"/var/"
@ -38,14 +53,11 @@ in
pkgs.gitMinimal
config.nix.package.out
pkgs.nixos-rebuild
pkgs.rclone
pkgs.restic
pkgs.mkpasswd
pkgs.util-linux
pkgs.e2fsprogs
pkgs.iproute2
pkgs.fuse-overlayfs
pkgs.fuse
];
after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ];
@ -62,7 +74,9 @@ in
inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root";
PYTHONUNBUFFERED = "1";
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket;
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.9/site-packages/";
} // config.networking.proxy.envVars;
path = [
"/var/"
@ -74,20 +88,17 @@ in
pkgs.gitMinimal
config.nix.package.out
pkgs.nixos-rebuild
pkgs.rclone
pkgs.restic
pkgs.mkpasswd
pkgs.util-linux
pkgs.e2fsprogs
pkgs.iproute2
pkgs.fuse-overlayfs
pkgs.fuse
];
after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ];
serviceConfig = {
User = "root";
ExecStart = "${pkgs.python310Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
ExecStart = "${pkgs.python39Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
Restart = "always";
RestartSec = "5";
};

2
api/api.nix
View File

@ -2,6 +2,8 @@
{
services.selfprivacy-api = {
enable = true;
enableSwagger = config.services.userdata.api.enableSwagger;
b2Bucket = config.services.userdata.backblaze.bucket;
};
users.users."selfprivacy-api" = {

29
backup/restic.nix Normal file
View File

@ -0,0 +1,29 @@
{ config, pkgs, ... }:
let
cfg = config.services.userdata;
in
{
services.restic.backups = {
options = {
passwordFile = "/etc/restic/resticPasswd";
repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
initialize = true;
paths = [
"/var/dkim"
"/var/vmail"
];
timerConfig = {
OnCalendar = [ "daily" ];
};
user = "restic";
pruneOpts = [
"--keep-daily 5"
];
};
};
users.users.restic = {
isNormalUser = false;
isSystemUser = true;
group = "restic";
};
}

29
configuration.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
let
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz";
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz";
nix-overlay = (import (builtins.fetchTarball url-overlay));
in
{
@ -18,6 +18,7 @@ in
./social/pleroma.nix
./letsencrypt/acme.nix
./letsencrypt/resolve.nix
./backup/restic.nix
./passmgr/bitwarden.nix
./webserver/nginx.nix
./webserver/memcached.nix
@ -29,26 +30,6 @@ in
nixpkgs.overlays = [ (nix-overlay) ];
services.redis.servers.sp-api = {
enable = true;
save = [
[
30
1
]
[
10
10
]
];
port = 0;
settings = {
notify-keyspace-events = "KEA";
};
};
services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false;
boot.cleanTmpDir = true;
networking = {
hostName = config.services.userdata.hostname;
@ -73,7 +54,7 @@ in
openFirewall = false;
};
programs.ssh = {
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
};
environment.systemPackages = with pkgs; [
@ -88,16 +69,12 @@ in
allowReboot = config.services.userdata.autoUpgrade.allowReboot;
channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
};
system.stateVersion = config.services.userdata.stateVersion;
nix = {
optimise.automatic = true;
gc = {
automatic = true;
options = "--delete-older-than 7d";
};
extraOptions = ''
experimental-features = nix-command flakes repl-flake
'';
};
services.journald.extraConfig = "SystemMaxUse=500M";
boot.kernel.sysctl = {

60
files.nix
View File

@ -1,16 +1,6 @@
{ config, pkgs, ... }:
let
cfg = config.services.userdata;
dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
CLOUDFLARE = ''
CF_API_KEY=REPLACEME
CLOUDFLARE_DNS_API_TOKEN=REPLACEME
CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
'';
DESEC = "DESEC_TOKEN=REPLACEME";
};
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
in
{
systemd.tmpfiles.rules =
@ -18,14 +8,12 @@ in
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
in
[
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
"d /var/lib/restic 0600 restic - - -"
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
"d /var/sieve 0770 virtualMail virtualMail - -"
"d /var/www/root 0750 nginx nginx - -"
];
system.activationScripts =
let
@ -52,11 +40,32 @@ in
mkdir -p /var/lib/cloudflare
chmod 0440 /var/lib/cloudflare
chown nginx:acmerecievers /var/lib/cloudflare
echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
'';
resticCredentials = ''
mkdir -p /root/.config/rclone
chmod 0400 /root/.config/rclone
chown root:root /root/.config/rclone
echo '[backblaze]' > /root/.config/rclone/rclone.conf
echo 'type = b2' >> /root/.config/rclone/rclone.conf
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
chmod 0400 /root/.config/rclone/rclone.conf
chown root:root /root/.config/rclone/rclone.conf
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
chmod 0400 /var/lib/restic/pass
chown restic /var/lib/restic/pass
'';
pleromaCredentials =
if cfg.pleroma.enable then ''
echo 'import Config' > /var/lib/pleroma/secrets.exs
@ -70,20 +79,5 @@ in
'' else ''
rm -f /var/lib/pleroma/secrets.exs
'';
bitwardenCredentials =
if cfg.bitwarden.enable then ''
mkdir -p /var/lib/bitwarden
token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
if [ "$token" == "null" ]; then
# If it's null, delete the contents of the file
> /var/lib/bitwarden/.env
else
echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
fi
chmod 0640 /var/lib/bitwarden/.env
chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
'' else ''
rm -f /var/lib/bitwarden/.env
'';
};
}

28
git/gitea.nix
View File

@ -13,10 +13,10 @@ in
gitea = {
enable = cfg.gitea.enable;
stateDir = "/var/lib/gitea";
# log = {
# rootPath = "/var/lib/gitea/log";
# level = "Warn";
# };
log = {
rootPath = "/var/lib/gitea/log";
level = "Warn";
};
user = "gitea";
database = {
type = "sqlite3";
@ -26,10 +26,10 @@ in
path = "/var/lib/gitea/data/gitea.db";
createDatabase = true;
};
# ssh = {
# enable = true;
# clonePort = 22;
# };
ssh = {
enable = true;
clonePort = 22;
};
lfs = {
enable = true;
contentDir = "/var/lib/gitea/lfs";
@ -37,17 +37,16 @@ in
appName = "SelfPrivacy git Service";
repositoryRoot = "/var/lib/gitea/repositories";
domain = "git.${cfg.domain}";
rootUrl = "https://git.${cfg.domain}/";
rootUrl = "https://${cfg.domain}/";
httpAddress = "0.0.0.0";
httpPort = 3000;
# cookieSecure = true;
cookieSecure = true;
settings = {
mailer = {
ENABLED = false;
};
ui = {
DEFAULT_THEME = "arc-green";
SHOW_USER_EMAIL = false;
};
picture = {
DISABLE_GRAVATAR = true;
@ -58,13 +57,6 @@ in
repository = {
FORCE_PRIVATE = false;
};
session = {
COOKIE_SECURE = true;
};
log = {
ROOT_PATH = "/var/lib/gitea/log";
LEVEL = "Warn";
};
};
};
};

20
letsencrypt/acme.nix
View File

@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.userdata;
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
in
{
users.groups.acmerecievers = {
@ -9,23 +8,20 @@ in
};
security.acme = {
acceptTerms = true;
defaults = {
email = "${cfg.username}@${cfg.domain}";
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
reloadServices = [ "nginx" ];
};
email = "${cfg.username}@${cfg.domain}";
certs = lib.mkForce {
"wildcard-${cfg.domain}" = {
"${cfg.domain}" = {
domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ];
group = "acmerecievers";
dnsProvider = lib.strings.toLower cfg.dns.provider;
dnsProvider = "cloudflare";
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
};
"${cfg.domain}" = {
domain = cfg.domain;
"meet.${cfg.domain}" = {
domain = "meet.${cfg.domain}";
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
dnsProvider = "cloudflare";
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
};
};
};

5
letsencrypt/resolve.nix
View File

@ -12,6 +12,11 @@ in
Restart = "on-failure";
};
};
"nginx-config-reload" = {
serviceConfig = {
After = [ "acme-${domain}.service" ];
};
};
};
};
}

4
mailserver/system/mailserver.nix
View File

@ -6,10 +6,10 @@ in
imports = [
(builtins.fetchTarball {
# Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6d0d9fb9/nixos-mailserver-6d0d9fb9.tar.gz";
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
# And set its hash
sha256 = "sha256:0h35al73p15z9v8zb6hi5nq987sfl5wp4rm5c8947nlzlnsjl61x";
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
})
];

2
nextcloud/nextcloud.nix
View File

@ -11,7 +11,7 @@ in
};
services.nextcloud = {
enable = cfg.nextcloud.enable;
package = pkgs.nextcloud25;
package = pkgs.nextcloud23;
hostName = "cloud.${cfg.domain}";
# Use HTTPS for links

1
passmgr/bitwarden.nix
View File

@ -17,7 +17,6 @@ in
enable = cfg.bitwarden.enable;
dbBackend = "sqlite";
backupDir = "/var/lib/bitwarden/backup";
environmentFile = "/var/lib/bitwarden/.env";
config = {
domain = "https://password.${cfg.domain}/";
signupsAllowed = true;

34
variables-module.nix
View File

@ -41,13 +41,6 @@ in
type = types.nullOr types.bool;
};
};
stateVersion = mkOption {
description = ''
State version of the server
'';
type = types.str;
default = "22.11";
};
########################
# Server admin options #
########################
@ -74,6 +67,13 @@ in
# API options #
###############
api = {
enableSwagger = mkOption {
default = true;
description = ''
Enable Swagger UI
'';
type = types.bool;
};
skippedMigrations = mkOption {
default = [ ];
description = ''
@ -85,28 +85,12 @@ in
#############
# Secrets #
#############
dns = {
provider = mkOption {
description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE";
type = types.nullOr types.str;
};
useStagingACME = mkOption {
description = "Use staging ACME server. Default is false";
type = types.nullOr types.bool;
};
};
backup = {
backblaze = {
bucket = mkOption {
description = "Bucket name used for userdata backups";
type = types.nullOr types.str;
};
};
server = {
provider = mkOption {
description = "Server provider that was defined at the initial setup process. Default is HETZNER";
type = types.nullOr types.str;
};
};
##############
# Services #
##############
@ -187,7 +171,7 @@ in
description = ''
Password authentication for SSH
'';
default = false;
default = true;
type = types.nullOr types.bool;
};
};

13
variables.nix
View File

@ -7,7 +7,6 @@ in
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
stateVersion = lib.attrsets.attrByPath [ "stateVersion" ] "22.05" jsonData;
autoUpgrade = {
enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
@ -16,17 +15,11 @@ in
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
api = {
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
};
dns = {
provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
};
backup = {
bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData;
};
server = {
provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
backblaze = {
bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
};
bitwarden = {
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;

39
webserver/nginx.nix
View File

@ -20,7 +20,8 @@ in
virtualHosts = {
"${domain}" = {
enableACME = true;
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -32,15 +33,10 @@ in
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
root = "/var/www/root";
};
};
};
"vpn.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -54,8 +50,8 @@ in
'';
};
"git.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -74,8 +70,8 @@ in
};
};
"cloud.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -94,8 +90,8 @@ in
};
};
"password.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -114,8 +110,8 @@ in
};
};
"api.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -135,8 +131,8 @@ in
};
};
"social.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = "/var/www/social.${domain}";
forceSSL = true;
extraConfig = ''
@ -155,13 +151,6 @@ in
};
};
};
"meet.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true;
useACMEHost = "wildcard-${domain}";
enableACME = false;
};
};
};
}