add wildcard ACME certificate

2024-11-22 11:41:26 +00:00 · 2023-12-19 01:07:05 +04:00 · 2023-12-19 01:07:05 +04:00 · b37cadff68
parent 312077240a
commit b37cadff68
9 changed files with 45 additions and 40 deletions
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -27,13 +27,18 @@ in
      reloadServices = [ "nginx" ];
    };
    certs = lib.mkForce {
-      "${cfg.domain}" = {
+      "wildcard-${cfg.domain}" = {
        domain = "*.${cfg.domain}";
        extraDomainNames = [ "${cfg.domain}" ];
        group = "acmereceivers";
        dnsProvider = lib.strings.toLower cfg.dns.provider;
        credentialsFile = acme-env-filepath;
      };
+      "${cfg.domain}" = {
+        domain = cfg.domain;
+        group = "acmereceivers";
+        webroot = "/var/lib/acme/acme-challenge";
+      };
    };
  };
  systemd.services.acme-secrets = {
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@ -72,8 +72,8 @@ in
      '';
    };
    services.nginx.virtualHosts."password.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+      sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@ -79,8 +79,8 @@ in
      };
    };
    services.nginx.virtualHosts."git.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+      sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@ -21,8 +21,8 @@ in
      };
    };
    services.nginx.virtualHosts."meet.${domain}" = {
-      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+      sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
      forceSSL = true;
      useACMEHost = domain;
      enableACME = false;
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@ -69,8 +69,8 @@
        };
      };
      services.nginx.virtualHosts.${hostName} = {
-        sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@ -28,8 +28,8 @@ in
        tcp-port = 8443
        udp-port = 8443

-        server-cert = /var/lib/acme/${domain}/fullchain.pem
-        server-key = /var/lib/acme/${domain}/key.pem
+        server-cert = /var/lib/acme/wildcard-${domain}/fullchain.pem
+        server-key = /var/lib/acme/wildcard-${domain}/key.pem

        compression = true

@ -56,8 +56,8 @@ in
      '';
    };
    services.nginx.virtualHosts."vpn.${domain}" = {
-      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+      sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@ -99,5 +99,26 @@ in
    };
    # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
    systemd.services.pleroma.path = [ pkgs.util-linux ];
+    services.nginx.virtualHosts."social.${sp.domain}" = {
+      sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+      sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
+      root = "/var/www/social.${sp.domain}";
+      forceSSL = true;
+      extraConfig = ''
+        add_header Strict-Transport-Security $hsts_header;
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+        expires 10m;
+      '';
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:4000";
+        };
+      };
+    };
  };
 }
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@ -67,8 +67,8 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
    };

    certificateScheme = "manual";
-    certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
-    keyFile = "/var/lib/acme/${sp.domain}/key.pem";
+    certificateFile = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
+    keyFile = "/var/lib/acme/wildcard-${sp.domain}/key.pem";

    # Enable IMAP and POP3
    enableImap = true;
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -22,8 +22,8 @@ in

    virtualHosts = {
      "${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -37,8 +37,8 @@ in
        '';
      };
      "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -57,27 +57,6 @@ in
          };
        };
      };
-      "social.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
-        root = "/var/www/social.${domain}";
-        forceSSL = true;
-        extraConfig = ''
-          add_header Strict-Transport-Security $hsts_header;
-          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-          add_header 'Referrer-Policy' 'origin-when-cross-origin';
-          add_header X-Frame-Options DENY;
-          add_header X-Content-Type-Options nosniff;
-          add_header X-XSS-Protection "1; mode=block";
-          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-          expires 10m;
-        '';
-        locations = {
-          "/" = {
-            proxyPass = "http://127.0.0.1:4000";
-          };
-        };
-      };
    };
  };
 }