fix: Split wildcard and root domains for ACME (#98)
Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/98
parent
30e4f0a2cc
commit
46bb08581b
|
@ -33,13 +33,17 @@ in
|
||||||
certs = {
|
certs = {
|
||||||
"${cfg.domain}" = {
|
"${cfg.domain}" = {
|
||||||
domain = "*.${cfg.domain}";
|
domain = "*.${cfg.domain}";
|
||||||
extraDomainNames = [ "${cfg.domain}" ];
|
|
||||||
group = "acmereceivers";
|
group = "acmereceivers";
|
||||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
||||||
credentialsFile = acme-env-filepath;
|
credentialsFile = acme-env-filepath;
|
||||||
dnsPropagationCheck =
|
dnsPropagationCheck =
|
||||||
! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
|
! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
|
||||||
};
|
};
|
||||||
|
"root-${cfg.domain}" = {
|
||||||
|
domain = cfg.domain;
|
||||||
|
group = "acmereceivers";
|
||||||
|
webroot = "/var/lib/acme/acme-challenge";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.acme-secrets = {
|
systemd.services.acme-secrets = {
|
||||||
|
|
|
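Review bot: Removing `extraDomainNames = [ "${cfg.domain}" ];` means the `"${cfg.domain}"` certificate no longer covers the apex name, so anything that still references that cert while answering on the bare domain will present a certificate that does not match. Only the nginx apex vhost is switched over in this commit; other consumers of the cert are not visible on this page and should be checked. The new `"root-${cfg.domain}"` entry validates through `webroot = "/var/lib/acme/acme-challenge";` while the wildcard stays on the DNS provider, and the file does not say why the two differ. I would add a comment above the new entry, for example `# Apex cert is issued separately via the webroot challenge; this path must be the directory nginx serves for /.well-known/acme-challenge/ over plain HTTP.` The block that contains `certs` starts above the hunk.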
@ -21,7 +21,7 @@ in
|
||||||
'';
|
'';
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
useACMEHost = domain;
|
useACMEHost = "root-${domain}";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
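Review bot: `useACMEHost = "root-${domain}";` repeats the certificate name that the ACME file builds as `"root-${cfg.domain}"`, so the two files are tied together only by a string convention. It holds only if `domain` here is the same value as `cfg.domain` there, and its binding is outside the hunk. Because this vhost sets `forceSSL = true` and sends `Strict-Transport-Security`, a failed issuance or renewal of the root cert becomes a hard failure for returning browsers, so the dependency is worth stating. I would add `# Must match the "root-${cfg.domain}" entry in the ACME certs set (separate cert for the apex domain).` above the line. The vhost body continues past the end of the hunk.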