mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-26 21:01:31 +00:00
add wildcard ACME certificate
This commit is contained in:
parent
312077240a
commit
b37cadff68
|
@ -27,13 +27,18 @@ in
|
||||||
reloadServices = [ "nginx" ];
|
reloadServices = [ "nginx" ];
|
||||||
};
|
};
|
||||||
certs = lib.mkForce {
|
certs = lib.mkForce {
|
||||||
"${cfg.domain}" = {
|
"wildcard-${cfg.domain}" = {
|
||||||
domain = "*.${cfg.domain}";
|
domain = "*.${cfg.domain}";
|
||||||
extraDomainNames = [ "${cfg.domain}" ];
|
extraDomainNames = [ "${cfg.domain}" ];
|
||||||
group = "acmereceivers";
|
group = "acmereceivers";
|
||||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
||||||
credentialsFile = acme-env-filepath;
|
credentialsFile = acme-env-filepath;
|
||||||
};
|
};
|
||||||
|
"${cfg.domain}" = {
|
||||||
|
domain = cfg.domain;
|
||||||
|
group = "acmereceivers";
|
||||||
|
webroot = "/var/lib/acme/acme-challenge";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.acme-secrets = {
|
systemd.services.acme-secrets = {
|
||||||
|
|
|
@ -72,8 +72,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
services.nginx.virtualHosts."password.${sp.domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
|
@ -79,8 +79,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
services.nginx.virtualHosts."git.${sp.domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
|
@ -21,8 +21,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."meet.${domain}" = {
|
services.nginx.virtualHosts."meet.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = domain;
|
||||||
enableACME = false;
|
enableACME = false;
|
||||||
|
|
|
@ -69,8 +69,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts.${hostName} = {
|
services.nginx.virtualHosts.${hostName} = {
|
||||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
|
@ -28,8 +28,8 @@ in
|
||||||
tcp-port = 8443
|
tcp-port = 8443
|
||||||
udp-port = 8443
|
udp-port = 8443
|
||||||
|
|
||||||
server-cert = /var/lib/acme/${domain}/fullchain.pem
|
server-cert = /var/lib/acme/wildcard-${domain}/fullchain.pem
|
||||||
server-key = /var/lib/acme/${domain}/key.pem
|
server-key = /var/lib/acme/wildcard-${domain}/key.pem
|
||||||
|
|
||||||
compression = true
|
compression = true
|
||||||
|
|
||||||
|
@ -56,8 +56,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
services.nginx.virtualHosts."vpn.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
|
@ -99,5 +99,26 @@ in
|
||||||
};
|
};
|
||||||
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
||||||
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
||||||
|
services.nginx.virtualHosts."social.${sp.domain}" = {
|
||||||
|
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||||
|
root = "/var/www/social.${sp.domain}";
|
||||||
|
forceSSL = true;
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
expires 10m;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:4000";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -67,8 +67,8 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
||||||
};
|
};
|
||||||
|
|
||||||
certificateScheme = "manual";
|
certificateScheme = "manual";
|
||||||
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
certificateFile = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||||
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
|
keyFile = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||||
|
|
||||||
# Enable IMAP and POP3
|
# Enable IMAP and POP3
|
||||||
enableImap = true;
|
enableImap = true;
|
||||||
|
|
|
@ -22,8 +22,8 @@ in
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -37,8 +37,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"api.${domain}" = {
|
"api.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -57,27 +57,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"social.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
|
||||||
root = "/var/www/social.${domain}";
|
|
||||||
forceSSL = true;
|
|
||||||
extraConfig = ''
|
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
||||||
add_header X-Frame-Options DENY;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
||||||
expires 10m;
|
|
||||||
'';
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:4000";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue