From 46bb08581bc84ce9454d574a3a52d420f41d01e8 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Sat, 7 Sep 2024 00:57:25 +0300
Subject: [PATCH] fix: Split wildcard and root domains for ACME (#98)

Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/98
---
 letsencrypt/acme.nix | 6 +++++-
 webserver/nginx.nix | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index 734769f..ae206ac 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -33,13 +33,17 @@ in
 certs = {
 "${cfg.domain}" = {
 domain = "*.${cfg.domain}";
- extraDomainNames = [ "${cfg.domain}" ];
 group = "acmereceivers";
 dnsProvider = lib.strings.toLower cfg.dns.provider;
 credentialsFile = acme-env-filepath;
 dnsPropagationCheck = ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
 };
+ "root-${cfg.domain}" = {
+ domain = cfg.domain;
+ group = "acmereceivers";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
 };
 };
 systemd.services.acme-secrets = {
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 1857b56..5955c1a 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -21,7 +21,7 @@ in
 '';
 virtualHosts = {
 "${domain}" = {
- useACMEHost = domain;
+ useACMEHost = "root-${domain}";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
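Review bot: The new `root-${cfg.domain}` cert moves the apex name from DNS-01 (it was previously a SAN on the wildcard cert via the removed `extraDomainNames` line) to HTTP-01 through `webroot = "/var/lib/acme/acme-challenge"`, and nothing in the hunk ensures that validation can succeed: inbound TCP/80 must be reachable from the public Internet and nginx must serve `/.well-known/acme-challenge/` for the apex from that same directory, otherwise the cert is never issued and the apex vhost is left on whatever placeholder the ACME module provides. If the intent is only to stop the apex sharing the wildcard cert, adding `dnsProvider = lib.strings.toLower cfg.dns.provider;`, `credentialsFile = acme-env-filepath;` and the same `dnsPropagationCheck` expression to the new cert would keep the existing DNS-01 path without introducing a new network precondition. If HTTP-01 is deliberate, a comment such as `# HTTP-01: requires inbound TCP/80 and the nginx vhost for cfg.domain serving this webroot` would record the dependency for the next maintainer. The hunk header counts 13 old lines but only 12 are visible, so one context line (likely blank) appears to have been lost in extraction; `certs` is closed inside the hunk but the enclosing attribute set starts above it.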
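Review bot: `useACMEHost = "root-${domain}"` couples this vhost to a cert name spelled as a string in letsencrypt/acme.nix, and, unlike `enableACME`, `useACMEHost` does not itself set a webroot for that cert, so the HTTP-01 challenge only works because the `webroot` value in acme.nix happens to equal the nginx module's default `acmeRoot` (to my recollection `/var/lib/acme/acme-challenge`); any drift between the two would silently break renewal of the apex cert. A one-line comment here, `# cert is obtained via HTTP-01 in letsencrypt/acme.nix; its webroot must match this vhost's acmeRoot`, or setting `acmeRoot` explicitly on this vhost to the same path, would make that coupling visible. nginx also has to be able to read `/var/lib/acme/root-${domain}/` through the `acmereceivers` group; that is presumably already arranged for the wildcard cert but is not visible in this diff. The `"${domain}"` vhost body continues past the end of the hunk.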