use enableACME for all virtualHosts

letsencrypt/acme.nix

@@ -25,15 +25,8 @@ in
       dnsPropagationCheck =
         ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
       reloadServices = [ "nginx" ];
-    };
-    certs = lib.mkForce {
-      "${cfg.domain}" = {
-        domain = "*.${cfg.domain}";
-        extraDomainNames = [ "${cfg.domain}" ];
-        group = "acmereceivers";
-        dnsProvider = lib.strings.toLower cfg.dns.provider;
-        credentialsFile = acme-env-filepath;
-      };
+      dnsProvider = lib.strings.toLower cfg.dns.provider;
+      credentialsFile = acme-env-filepath;
     };
   };
   systemd.services.acme-secrets = {

sp-modules/bitwarden/module.nix

@@ -72,9 +72,8 @@ in
       '';
     };
     services.nginx.virtualHosts."password.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
       forceSSL = true;
+      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/gitea/module.nix

@@ -85,9 +85,8 @@ in
       };
     };
     services.nginx.virtualHosts."git.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
       forceSSL = true;
+      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/jitsi-meet/module.nix

@@ -21,11 +21,8 @@ in
       };
     };
     services.nginx.virtualHosts."meet.${domain}" = {
-      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
       forceSSL = true;
-      useACMEHost = domain;
-      enableACME = false;
+      enableACME = true;
     };
   };
 }

sp-modules/nextcloud/module.nix

@@ -69,9 +69,8 @@
         };
       };
       services.nginx.virtualHosts.${hostName} = {
-        sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
         forceSSL = true;
+        enableACME = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/ocserv/module.nix

@@ -56,9 +56,8 @@ in
       '';
     };
     services.nginx.virtualHosts."vpn.${domain}" = {
-      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
       forceSSL = true;
+      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/pleroma/module.nix

@@ -100,10 +100,9 @@ in
     # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
     systemd.services.pleroma.path = [ pkgs.util-linux ];
     services.nginx.virtualHosts."social.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
       root = "/var/www/social.${sp.domain}";
       forceSSL = true;
+      enableACME = true;
       extraConfig = ''
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

sp-modules/simple-nixos-mailserver/config-paths-needed.json

@@ -11,5 +11,6 @@
   [ "services", "postfix", "user" ],
   [ "services", "redis" ],
   [ "services", "rspamd" ],
+  [ "security", "acme", "certs" ],
   [ "selfprivacy", "modules", "simple-nixos-mailserver" ]
 ]

sp-modules/simple-nixos-mailserver/config.nix

@@ -66,9 +66,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
       "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
     };
 
-    certificateScheme = "manual";
-    certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
-    keyFile = "/var/lib/acme/${sp.domain}/key.pem";
+    certificateScheme = "acme";
 
     # Enable IMAP and POP3
     enableImap = true;

webserver/nginx.nix

@@ -21,9 +21,8 @@ in
     '';
     virtualHosts = {
       "${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
         forceSSL = true;
+        enableACME = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@@ -41,9 +40,8 @@ in
         };
       };
       "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
         forceSSL = true;
+        enableACME = true;
         extraConfig = ''
           add_header Strict-Transport-Security $hsts_header;
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;