From 46366702bc6fe1352588f8db7f1ca58b1cfb0a84 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Tue, 19 Dec 2023 16:38:46 +0400
Subject: [PATCH] use enableACME for all virtualHosts
---
 letsencrypt/acme.nix | 11 ++---------
 sp-modules/bitwarden/module.nix | 3 +--
 sp-modules/gitea/module.nix | 3 +--
 sp-modules/jitsi-meet/module.nix | 5 +----
 sp-modules/nextcloud/module.nix | 3 +--
 sp-modules/ocserv/module.nix | 3 +--
 sp-modules/pleroma/module.nix | 3 +--
 .../simple-nixos-mailserver/config-paths-needed.json | 1 +
 sp-modules/simple-nixos-mailserver/config.nix | 4 +---
 webserver/nginx.nix | 6 ++----
 10 files changed, 12 insertions(+), 30 deletions(-)
diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index b01b6f2..22702f0 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -25,15 +25,8 @@ in
 dnsPropagationCheck = ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
 reloadServices = [ "nginx" ];
- };
- certs = lib.mkForce {
- "${cfg.domain}" = {
- domain = "*.${cfg.domain}";
- extraDomainNames = [ "${cfg.domain}" ];
- group = "acmereceivers";
- dnsProvider = lib.strings.toLower cfg.dns.provider;
- credentialsFile = acme-env-filepath;
- };
+ dnsProvider = lib.strings.toLower cfg.dns.provider;
+ credentialsFile = acme-env-filepath;
 };
 };
 systemd.services.acme-secrets = {
diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
index d7a50cf..b1b510a 100644
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -72,9 +72,8 @@ in
 '';
 };
 services.nginx.virtualHosts."password.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
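Review bot: Deleting the `certs` entry also deletes `group = "acmereceivers"`, so from this commit on each certificate's key is owned by whatever group the module that requests it assigns (presumably nginx), and any non-nginx reader of `/var/lib/acme/<domain>/key.pem` — the mail server switched to `certificateScheme = "acme"` in this same commit, and ocserv if it reads the key itself — loses access unless that cert's `group` or the reader's supplementary groups are set explicitly. The same holds for `reloadServices = [ "nginx" ]` in the defaults: a renewed key is no longer pushed to postfix/dovecot unless their cert lists them. The enclosing `security.acme` block starts and ends outside the hunk, so I cannot see whether `acmereceivers` is still created or referenced elsewhere. A one-line comment above the moved lines would make the new scope clear: `# DNS-01 defaults: inherited by every virtualHost that sets enableACME = true`.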
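Review bot: `enableACME = true` on its own makes the nginx module register this host's certificate with its default HTTP-01 `acmeRoot` webroot, while the acme.nix hunk moves `dnsProvider`/`credentialsFile` into the ACME defaults; as far as I can tell the ACME module rejects a cert that has both `webroot` and `dnsProvider` set, so each of these vhosts also needs `acmeRoot = null;` next to `enableACME = true;` to actually inherit DNS-01. If HTTP-01 is the intention instead, the DNS provider credentials in the defaults become dead configuration and should be dropped rather than left on disk. The same change is made in sp-modules/gitea, jitsi-meet, nextcloud, ocserv, pleroma and both vhosts in webserver/nginx.nix. The enclosing module attribute set starts outside the hunk.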
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index 5023f8d..7b7cbdf 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -85,9 +85,8 @@ in
 };
 };
 services.nginx.virtualHosts."git.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix
index d23207a..2fedc99 100644
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@@ -21,11 +21,8 @@ in
 };
 };
 services.nginx.virtualHosts."meet.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
- useACMEHost = domain;
- enableACME = false;
+ enableACME = true;
 };
 };
 }
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index 3b4a183..35633e7 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -69,9 +69,8 @@
 };
 };
 services.nginx.virtualHosts.${hostName} = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix
index d33369a..4d3bd34 100644
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@@ -56,9 +56,8 @@ in
 '';
 };
 services.nginx.virtualHosts."vpn.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix
index afb2969..0296ad4 100644
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -100,10 +100,9 @@ in
 # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
 systemd.services.pleroma.path = [ pkgs.util-linux ];
 services.nginx.virtualHosts."social.${sp.domain}" = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 root = "/var/www/social.${sp.domain}";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
index 27c44ff..88475b9 100644
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -11,5 +11,6 @@
 [ "services", "postfix", "user" ],
 [ "services", "redis" ],
 [ "services", "rspamd" ],
+ [ "security", "acme", "certs" ],
 [ "selfprivacy", "modules", "simple-nixos-mailserver" ]
 ]
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index 3ac1145..f6fc53b 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -66,9 +66,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
 "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
 };
- certificateScheme = "manual";
- certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
- keyFile = "/var/lib/acme/${sp.domain}/key.pem";
+ certificateScheme = "acme";
 # Enable IMAP and POP3
 enableImap = true;
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 03320db..8b97c38 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -21,9 +21,8 @@ in
 '';
 virtualHosts = {
 "${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@@ -41,9 +40,8 @@ in
 };
 };
 "api.${domain}" = {
- sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
 forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
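Review bot: `certificateScheme = "acme"` makes simple-nixos-mailserver use an ACME certificate that, as far as I recall, must already exist under `security.acme.certs.<fqdn>` — unlike `acme-nginx`, this scheme does not request one itself. After this commit the only certificate for the bare domain is the one nginx registers for `"${domain}"` in webserver/nginx.nix, so this only works if the mail server's `fqdn` (set outside the hunk) is exactly `sp.domain`; a subdomain such as a mail host name would have no certificate at all. Two further things to confirm: postfix/dovecot still get read access to that key now that the `acmereceivers` group is gone, and the cert's `reloadServices` includes them so a renewed key is actually picked up. The `[ "security", "acme", "certs" ]` entry added to config-paths-needed.json is consistent with the module now reading that option, which is worth stating in a comment above the new line: `# relies on security.acme.certs.<fqdn> being defined by the nginx virtualHost`.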