SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git synced 2025-03-12 17:03:49 +00:00
Code Issues Projects Releases Wiki Activity

Revert "use enableACME for all virtualHosts"

Browse source 
This reverts commit 46366702bc.
This commit is contained in:
Alexander Tomokhov 2023-12-19 23:46:42 +04:00
parent 46366702bc
commit c18f332f5f
10 changed files with 30 additions and 12 deletions
letsencrypt
acme.nix
sp-modules
bitwarden
module.nix
gitea
module.nix
jitsi-meet
module.nix
nextcloud
module.nix
ocserv
module.nix
pleroma
module.nix
simple-nixos-mailserver
config-paths-needed.jsonconfig.nix
webserver
nginx.nix

7
letsencrypt/acme.nix
View file

@ -25,10 +25,17 @@ in
dnsPropagationCheck = dnsPropagationCheck =
! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions); ! (lib.elem cfg.dns.provider dnsPropagationCheckExceptions);
reloadServices = [ "nginx" ]; reloadServices = [ "nginx" ];
};
certs = lib.mkForce {
"${cfg.domain}" = {
domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ];
group = "acmereceivers";
dnsProvider = lib.strings.toLower cfg.dns.provider; dnsProvider = lib.strings.toLower cfg.dns.provider;
credentialsFile = acme-env-filepath; credentialsFile = acme-env-filepath;
}; };
}; };
};
systemd.services.acme-secrets = { systemd.services.acme-secrets = {
before = [ "acme-${cfg.domain}.service" ]; before = [ "acme-${cfg.domain}.service" ];
requiredBy = [ "acme-${cfg.domain}.service" ]; requiredBy = [ "acme-${cfg.domain}.service" ];

3
sp-modules/bitwarden/module.nix
View file

@ -72,8 +72,9 @@ in
''; '';
}; };
services.nginx.virtualHosts."password.${sp.domain}" = { services.nginx.virtualHosts."password.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

3
sp-modules/gitea/module.nix
View file

@ -85,8 +85,9 @@ in
}; };
}; };
services.nginx.virtualHosts."git.${sp.domain}" = { services.nginx.virtualHosts."git.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

5
sp-modules/jitsi-meet/module.nix
View file

@ -21,8 +21,11 @@ in
}; };
}; };
services.nginx.virtualHosts."meet.${domain}" = { services.nginx.virtualHosts."meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
enableACME = false;
}; };
}; };
} }

3
sp-modules/nextcloud/module.nix
View file

@ -69,8 +69,9 @@
}; };
}; };
services.nginx.virtualHosts.${hostName} = { services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

3
sp-modules/ocserv/module.nix
View file

@ -56,8 +56,9 @@ in
''; '';
}; };
services.nginx.virtualHosts."vpn.${domain}" = { services.nginx.virtualHosts."vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

3
sp-modules/pleroma/module.nix
View file

@ -100,9 +100,10 @@ in
# seems to be an upstream nixpkgs/nixos bug (missing hexdump) # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ]; systemd.services.pleroma.path = [ pkgs.util-linux ];
services.nginx.virtualHosts."social.${sp.domain}" = { services.nginx.virtualHosts."social.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
root = "/var/www/social.${sp.domain}"; root = "/var/www/social.${sp.domain}";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

1
sp-modules/simple-nixos-mailserver/config-paths-needed.json
View file

@ -11,6 +11,5 @@
[ "services", "postfix", "user" ], [ "services", "postfix", "user" ],
[ "services", "redis" ], [ "services", "redis" ],
[ "services", "rspamd" ], [ "services", "rspamd" ],
[ "security", "acme", "certs" ],
[ "selfprivacy", "modules", "simple-nixos-mailserver" ] [ "selfprivacy", "modules", "simple-nixos-mailserver" ]
] ]

4
sp-modules/simple-nixos-mailserver/config.nix
View file

@ -66,7 +66,9 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
"admin@${sp.domain}" = "${sp.username}@${sp.domain}"; "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
}; };
certificateScheme = "acme"; certificateScheme = "manual";
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
# Enable IMAP and POP3 # Enable IMAP and POP3
enableImap = true; enableImap = true;

6
webserver/nginx.nix
View file

@ -21,8 +21,9 @@ in
''; '';
virtualHosts = { virtualHosts = {
"${domain}" = { "${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@ -40,8 +41,9 @@ in
}; };
}; };
"api.${domain}" = { "api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;