mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-06 00:43:11 +00:00
Revert "Revert "Revert "add wildcard ACME certificate"""
This reverts commit 4faf8e7dda
.
This commit is contained in:
parent
3a66da49e1
commit
dcaf96c773
|
@ -27,18 +27,13 @@ in
|
|||
reloadServices = [ "nginx" ];
|
||||
};
|
||||
certs = {
|
||||
"wildcard-${cfg.domain}" = {
|
||||
"${cfg.domain}" = {
|
||||
domain = "*.${cfg.domain}";
|
||||
extraDomainNames = [ "${cfg.domain}" ];
|
||||
group = "acmereceivers";
|
||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
||||
credentialsFile = acme-env-filepath;
|
||||
};
|
||||
"${cfg.domain}" = {
|
||||
domain = cfg.domain;
|
||||
group = "acmereceivers";
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.acme-secrets = {
|
||||
|
|
|
@ -72,8 +72,8 @@ in
|
|||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
|
@ -85,8 +85,8 @@ in
|
|||
};
|
||||
};
|
||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
|
@ -21,8 +21,8 @@ in
|
|||
};
|
||||
};
|
||||
services.nginx.virtualHosts."meet.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
enableACME = false;
|
||||
|
|
|
@ -69,8 +69,8 @@
|
|||
};
|
||||
};
|
||||
services.nginx.virtualHosts.${hostName} = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
|
@ -28,8 +28,8 @@ in
|
|||
tcp-port = 8443
|
||||
udp-port = 8443
|
||||
|
||||
server-cert = /var/lib/acme/wildcard-${domain}/fullchain.pem
|
||||
server-key = /var/lib/acme/wildcard-${domain}/key.pem
|
||||
server-cert = /var/lib/acme/${domain}/fullchain.pem
|
||||
server-key = /var/lib/acme/${domain}/key.pem
|
||||
|
||||
compression = true
|
||||
|
||||
|
@ -56,8 +56,8 @@ in
|
|||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
|
@ -100,8 +100,8 @@ in
|
|||
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
||||
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
||||
services.nginx.virtualHosts."social.${sp.domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
root = "/var/www/social.${sp.domain}";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
|
|
@ -67,8 +67,8 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
|
|||
};
|
||||
|
||||
certificateScheme = "manual";
|
||||
certificateFile = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
|
||||
keyFile = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
|
||||
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
|
||||
# Enable IMAP and POP3
|
||||
enableImap = true;
|
||||
|
|
|
@ -21,8 +21,8 @@ in
|
|||
'';
|
||||
virtualHosts = {
|
||||
"${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
@ -41,8 +41,8 @@ in
|
|||
};
|
||||
};
|
||||
"api.${domain}" = {
|
||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
Loading…
Reference in a new issue