feat: Migrate to flakes

Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#49
Reviewed-by: Inex Code <inex.code@selfprivacy.org>

.gitignore

@@ -2,3 +2,4 @@ userdata/userdata.json
 userdata/tokens.json
 hardware-configuration.nix
 networking.nix
+/result

api/api-module.nix

@@ -18,19 +18,6 @@ in
         Enable SelfPrivacy API service
       '';
     };
-    enableSwagger = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Enable Swagger UI
-      '';
-    };
-    b2Bucket = mkOption {
-      type = types.str;
-      description = ''
-        B2 bucket
-      '';
-    };
   };
   config = lib.mkIf cfg.enable {
 
@@ -40,8 +27,6 @@ in
         inherit (config.environment.sessionVariables) NIX_PATH;
         HOME = "/root";
         PYTHONUNBUFFERED = "1";
-        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
-        B2_BUCKET = cfg.b2Bucket;
       } // config.networking.proxy.envVars;
       path = [
         "/var/"
@@ -53,11 +38,14 @@ in
         pkgs.gitMinimal
         config.nix.package.out
         pkgs.nixos-rebuild
+        pkgs.rclone
         pkgs.restic
         pkgs.mkpasswd
         pkgs.util-linux
         pkgs.e2fsprogs
         pkgs.iproute2
+        pkgs.fuse-overlayfs
+        pkgs.fuse
       ];
       after = [ "network-online.target" ];
       wantedBy = [ "network-online.target" ];
@@ -74,9 +62,7 @@ in
         inherit (config.environment.sessionVariables) NIX_PATH;
         HOME = "/root";
         PYTHONUNBUFFERED = "1";
-        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
+        PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
-        B2_BUCKET = cfg.b2Bucket;
-        PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.9/site-packages/";
       } // config.networking.proxy.envVars;
       path = [
         "/var/"
@@ -88,17 +74,20 @@ in
         pkgs.gitMinimal
         config.nix.package.out
         pkgs.nixos-rebuild
+        pkgs.rclone
         pkgs.restic
         pkgs.mkpasswd
         pkgs.util-linux
         pkgs.e2fsprogs
         pkgs.iproute2
+        pkgs.fuse-overlayfs
+        pkgs.fuse
       ];
       after = [ "network-online.target" ];
       wantedBy = [ "network-online.target" ];
       serviceConfig = {
         User = "root";
-        ExecStart = "${pkgs.python39Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
+        ExecStart = "${pkgs.python310Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
         Restart = "always";
         RestartSec = "5";
       };

api/api.nix

@@ -2,8 +2,6 @@
 {
   services.selfprivacy-api = {
     enable = true;
-    enableSwagger = config.services.userdata.api.enableSwagger;
-    b2Bucket = config.services.userdata.backblaze.bucket;
   };
 
   users.users."selfprivacy-api" = {

backup/restic.nix

@@ -1,29 +0,0 @@
-{ config, pkgs, ... }:
-let
-  cfg = config.services.userdata;
-in
-{
-  services.restic.backups = {
-    options = {
-      passwordFile = "/etc/restic/resticPasswd";
-      repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
-      initialize = true;
-      paths = [
-        "/var/dkim"
-        "/var/vmail"
-      ];
-      timerConfig = {
-        OnCalendar = [ "daily" ];
-      };
-      user = "restic";
-      pruneOpts = [
-        "--keep-daily 5"
-      ];
-    };
-  };
-  users.users.restic = {
-    isNormalUser = false;
-    isSystemUser = true;
-    group = "restic";
-  };
-}

configuration.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz";
+  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz";
   nix-overlay = (import (builtins.fetchTarball url-overlay));
 in
 {
@@ -18,7 +18,6 @@ in
     ./social/pleroma.nix
     ./letsencrypt/acme.nix
     ./letsencrypt/resolve.nix
-    ./backup/restic.nix
     ./passmgr/bitwarden.nix
     ./webserver/nginx.nix
     ./webserver/memcached.nix
@@ -30,6 +29,26 @@ in
 
   nixpkgs.overlays = [ (nix-overlay) ];
 
+  services.redis.servers.sp-api = {
+    enable = true;
+    save = [
+      [
+        30
+        1
+      ]
+      [
+        10
+        10
+      ]
+    ];
+    port = 0;
+    settings = {
+      notify-keyspace-events = "KEA";
+    };
+  };
+
+  services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false;
+
   boot.cleanTmpDir = true;
   networking = {
     hostName = config.services.userdata.hostname;
@@ -54,7 +73,7 @@ in
     openFirewall = false;
   };
   programs.ssh = {
-    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
+    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
     hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
   };
   environment.systemPackages = with pkgs; [
@@ -69,12 +88,16 @@ in
     allowReboot = config.services.userdata.autoUpgrade.allowReboot;
     channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
   };
+  system.stateVersion = config.services.userdata.stateVersion;
   nix = {
     optimise.automatic = true;
     gc = {
       automatic = true;
       options = "--delete-older-than 7d";
     };
+    extraOptions = ''
+      experimental-features = nix-command flakes repl-flake
+    '';
   };
   services.journald.extraConfig = "SystemMaxUse=500M";
   boot.kernel.sysctl = {

files.nix

@@ -1,6 +1,16 @@
 { config, pkgs, ... }:
 let
   cfg = config.services.userdata;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
+    CLOUDFLARE = ''
+      CF_API_KEY=REPLACEME
+      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
+      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
+    '';
+    DESEC = "DESEC_TOKEN=REPLACEME";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
 in
 {
   systemd.tmpfiles.rules =
@@ -8,12 +18,14 @@ in
       domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
     in
     [
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
       (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
-      "d /var/lib/restic 0600 restic - - -"
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
-      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
       "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
+      (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
+      "d /var/sieve 0770 virtualMail virtualMail - -"
+      "d /var/www/root 0750 nginx nginx - -"
     ];
   system.activationScripts =
     let
@@ -40,32 +52,11 @@ in
         mkdir -p /var/lib/cloudflare
         chmod 0440 /var/lib/cloudflare
         chown nginx:acmerecievers /var/lib/cloudflare
-        echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
+        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
+        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
         chmod 0440 /var/lib/cloudflare/Credentials.ini
         chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
       '';
-      resticCredentials = ''
-        mkdir -p /root/.config/rclone
-        chmod 0400 /root/.config/rclone
-        chown root:root /root/.config/rclone
-        echo '[backblaze]' > /root/.config/rclone/rclone.conf
-        echo 'type = b2' >> /root/.config/rclone/rclone.conf
-        echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
-        echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
-
-        ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
-        ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
-
-        chmod 0400 /root/.config/rclone/rclone.conf
-        chown root:root /root/.config/rclone/rclone.conf
-
-        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
-        chmod 0400 /var/lib/restic/pass
-        chown restic /var/lib/restic/pass
-      '';
       pleromaCredentials =
         if cfg.pleroma.enable then ''
           echo 'import Config' > /var/lib/pleroma/secrets.exs
@@ -79,5 +70,20 @@ in
         '' else ''
           rm -f /var/lib/pleroma/secrets.exs
         '';
+      bitwardenCredentials =
+        if cfg.bitwarden.enable then ''
+          mkdir -p /var/lib/bitwarden
+          token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
+          if [ "$token" == "null" ]; then
+            # If it's null, delete the contents of the file
+            > /var/lib/bitwarden/.env
+          else
+            echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
+          fi
+          chmod 0640 /var/lib/bitwarden/.env
+          chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
+        '' else ''
+          rm -f /var/lib/bitwarden/.env
+        '';
     };
 }

git/gitea.nix

@@ -13,10 +13,10 @@ in
     gitea = {
       enable = cfg.gitea.enable;
       stateDir = "/var/lib/gitea";
-      log = {
+#      log = {
-        rootPath = "/var/lib/gitea/log";
+#        rootPath = "/var/lib/gitea/log";
-        level = "Warn";
+#        level = "Warn";
-      };
+#      };
       user = "gitea";
       database = {
         type = "sqlite3";
@@ -26,10 +26,10 @@ in
         path = "/var/lib/gitea/data/gitea.db";
         createDatabase = true;
       };
-      ssh = {
+      # ssh = {
-        enable = true;
+      #   enable = true;
-        clonePort = 22;
+      #   clonePort = 22;
-      };
+      # };
       lfs = {
         enable = true;
         contentDir = "/var/lib/gitea/lfs";
@@ -37,16 +37,17 @@ in
       appName = "SelfPrivacy git Service";
       repositoryRoot = "/var/lib/gitea/repositories";
       domain = "git.${cfg.domain}";
-      rootUrl = "https://${cfg.domain}/";
+      rootUrl = "https://git.${cfg.domain}/";
       httpAddress = "0.0.0.0";
       httpPort = 3000;
-      cookieSecure = true;
+#      cookieSecure = true;
       settings = {
         mailer = {
           ENABLED = false;
         };
         ui = {
           DEFAULT_THEME = "arc-green";
+          SHOW_USER_EMAIL = false;
         };
         picture = {
           DISABLE_GRAVATAR = true;
@@ -57,6 +58,13 @@ in
         repository = {
           FORCE_PRIVATE = false;
         };
+        session = {
+          COOKIE_SECURE = true;
+        };
+        log = {
+          ROOT_PATH = "/var/lib/gitea/log";
+          LEVEL = "Warn";
+        };
       };
     };
   };

letsencrypt/acme.nix

@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.services.userdata;
+  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
 in
 {
   users.groups.acmerecievers = {
@@ -8,20 +9,23 @@ in
   };
   security.acme = {
     acceptTerms = true;
+    defaults = {
       email = "${cfg.username}@${cfg.domain}";
+      server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
+      dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
+      reloadServices = [ "nginx" ];
+    };
     certs = lib.mkForce {
-      "${cfg.domain}" = {
+      "wildcard-${cfg.domain}" = {
         domain = "*.${cfg.domain}";
-        extraDomainNames = [ "${cfg.domain}" ];
         group = "acmerecievers";
-        dnsProvider = "cloudflare";
+        dnsProvider = lib.strings.toLower cfg.dns.provider;
         credentialsFile = "/var/lib/cloudflare/Credentials.ini";
       };
-      "meet.${cfg.domain}" = {
+      "${cfg.domain}" = {
-        domain = "meet.${cfg.domain}";
+        domain = cfg.domain;
         group = "acmerecievers";
-        dnsProvider = "cloudflare";
+        webroot = "/var/lib/acme/acme-challenge";
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
       };
     };
   };

letsencrypt/resolve.nix

@@ -12,11 +12,6 @@ in
           Restart = "on-failure";
         };
       };
-      "nginx-config-reload" = {
-        serviceConfig = {
-          After = [ "acme-${domain}.service" ];
-        };
-      };
     };
   };
 }

mailserver/system/mailserver.nix

@@ -6,10 +6,10 @@ in
   imports = [
     (builtins.fetchTarball {
       # Pick a commit from the branch you are interested in
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6d0d9fb9/nixos-mailserver-6d0d9fb9.tar.gz";
 
       # And set its hash
-      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+      sha256 = "sha256:0h35al73p15z9v8zb6hi5nq987sfl5wp4rm5c8947nlzlnsjl61x";
     })
   ];
 

nextcloud/nextcloud.nix

@@ -11,7 +11,7 @@ in
   };
   services.nextcloud = {
     enable = cfg.nextcloud.enable;
-    package = pkgs.nextcloud23;
+    package = pkgs.nextcloud25;
     hostName = "cloud.${cfg.domain}";
 
     # Use HTTPS for links

passmgr/bitwarden.nix

@@ -17,6 +17,7 @@ in
     enable = cfg.bitwarden.enable;
     dbBackend = "sqlite";
     backupDir = "/var/lib/bitwarden/backup";
+    environmentFile = "/var/lib/bitwarden/.env";
     config = {
       domain = "https://password.${cfg.domain}/";
       signupsAllowed = true;

variables-module.nix

@@ -41,6 +41,13 @@ in
         type = types.nullOr types.bool;
       };
     };
+    stateVersion = mkOption {
+      description = ''
+        State version of the server
+      '';
+      type = types.str;
+      default = "22.11";
+    };
     ########################
     # Server admin options #
     ########################
@@ -67,13 +74,6 @@ in
     # API options #
     ###############
     api = {
-      enableSwagger = mkOption {
-        default = true;
-        description = ''
-          Enable Swagger UI
-        '';
-        type = types.bool;
-      };
       skippedMigrations = mkOption {
         default = [ ];
         description = ''
@@ -85,12 +85,28 @@ in
     #############
     #  Secrets  #
     #############
-    backblaze = {
+    dns = {
+      provider = mkOption {
+        description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE";
+        type = types.nullOr types.str;
+      };
+      useStagingACME = mkOption {
+        description = "Use staging ACME server. Default is false";
+        type = types.nullOr types.bool;
+      };
+    };
+    backup = {
       bucket = mkOption {
         description = "Bucket name used for userdata backups";
         type = types.nullOr types.str;
       };
     };
+    server = {
+      provider = mkOption {
+        description = "Server provider that was defined at the initial setup process. Default is HETZNER";
+        type = types.nullOr types.str;
+      };
+    };
     ##############
     #  Services  #
     ##############
@@ -171,7 +187,7 @@ in
         description = ''
           Password authentication for SSH
         '';
-        default = true;
+        default = false;
         type = types.nullOr types.bool;
       };
     };

variables.nix

@@ -7,6 +7,7 @@ in
     hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
     domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
     timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
+    stateVersion = lib.attrsets.attrByPath [ "stateVersion" ] "22.05" jsonData;
     autoUpgrade = {
       enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
       allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
@@ -15,11 +16,17 @@ in
     hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
     sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
     api = {
-      enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
       skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
     };
-    backblaze = {
+    dns = {
-      bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
+      provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
+      useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
+    };
+    backup = {
+      bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData;
+    };
+    server = {
+      provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
     };
     bitwarden = {
       enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;

webserver/nginx.nix

@@ -20,8 +20,7 @@ in
 
     virtualHosts = {
       "${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        enableACME = true;
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
         forceSSL = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
@@ -33,10 +32,15 @@ in
           proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
           expires 10m;
         '';
+        locations = {
+          "/" = {
+            root = "/var/www/root";
+          };
+        };
       };
       "vpn.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
         forceSSL = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
@@ -50,8 +54,8 @@ in
         '';
       };
       "git.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
         forceSSL = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
@@ -70,8 +74,8 @@ in
         };
       };
       "cloud.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
         forceSSL = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
@@ -90,8 +94,8 @@ in
         };
       };
       "password.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
         forceSSL = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
@@ -110,8 +114,8 @@ in
         };
       };
       "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
         forceSSL = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
@@ -131,8 +135,8 @@ in
         };
       };
       "social.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
         root = "/var/www/social.${domain}";
         forceSSL = true;
         extraConfig = ''
@@ -151,6 +155,13 @@ in
           };
         };
       };
+      "meet.${domain}" = {
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        forceSSL = true;
+        useACMEHost = "wildcard-${domain}";
+        enableACME = false;
+      };
     };
   };
 }