SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git synced 2024-11-25 20:41:27 +00:00
Code Issues Projects Releases Wiki Activity

useACMEHost for all services

Browse source
This commit is contained in:
Alexander Tomokhov 2023-12-22 19:57:48 +04:00
parent 5aba990f95
commit e6496b95a4
10 changed files with 15 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
sp-modules/bitwarden/module.nix
View file

@ -78,8 +78,7 @@ in
''; '';
}; };
services.nginx.virtualHosts."password.${sp.domain}" = { services.nginx.virtualHosts."password.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; useACMEHost = sp.domain;
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

3
sp-modules/gitea/module.nix
View file

@ -85,8 +85,7 @@ in
}; };
}; };
services.nginx.virtualHosts."git.${sp.domain}" = { services.nginx.virtualHosts."git.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; useACMEHost = sp.domain;
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

2
sp-modules/jitsi-meet/module.nix
View file

@ -21,8 +21,6 @@ in
}; };
}; };
services.nginx.virtualHosts."meet.${domain}" = { services.nginx.virtualHosts."meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = domain;
enableACME = false; enableACME = false;

3
sp-modules/nextcloud/module.nix
View file

@ -71,8 +71,7 @@
}; };
}; };
services.nginx.virtualHosts.${hostName} = { services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; useACMEHost = config.selfprivacy.domain;
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

1
sp-modules/ocserv/config-paths-needed.json
View file

@ -1,4 +1,5 @@
[ [
[ "security", "acme", "certs" ],
[ "selfprivacy", "domain" ], [ "selfprivacy", "domain" ],
[ "selfprivacy", "modules", "ocserv" ] [ "selfprivacy", "modules", "ocserv" ]
] ]

10
sp-modules/ocserv/module.nix
View file

@ -1,6 +1,8 @@
{ config, lib, ... }: { config, lib, ... }:
let let
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
in in
{ {
options.selfprivacy.modules.ocserv = { options.selfprivacy.modules.ocserv = {
@ -28,8 +30,8 @@ in
tcp-port = 8443 tcp-port = 8443
udp-port = 8443 udp-port = 8443
server-cert = /var/lib/acme/${domain}/fullchain.pem server-cert = ${cert}
server-key = /var/lib/acme/${domain}/key.pem server-key = ${key}
compression = true compression = true
@ -56,8 +58,7 @@ in
''; '';
}; };
services.nginx.virtualHosts."vpn.${domain}" = { services.nginx.virtualHosts."vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; useACMEHost = domain;
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -70,5 +71,6 @@ in
expires 10m; expires 10m;
''; '';
}; };
systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ];
}; };
} }

3
sp-modules/pleroma/module.nix
View file

@ -104,8 +104,7 @@ in
# seems to be an upstream nixpkgs/nixos bug (missing hexdump) # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ]; systemd.services.pleroma.path = [ pkgs.util-linux ];
services.nginx.virtualHosts."social.${sp.domain}" = { services.nginx.virtualHosts."social.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; useACMEHost = config.selfprivacy.domain;
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
root = "/var/www/social.${sp.domain}"; root = "/var/www/social.${sp.domain}";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''

1
sp-modules/simple-nixos-mailserver/config-paths-needed.json
View file

@ -1,5 +1,6 @@
[ [
[ "mailserver" ], [ "mailserver" ],
[ "security", "acme", "certs" ],
[ "selfprivacy", "domain" ], [ "selfprivacy", "domain" ],
[ "selfprivacy", "hashedMasterPassword" ], [ "selfprivacy", "hashedMasterPassword" ],
[ "selfprivacy", "useBinds" ], [ "selfprivacy", "useBinds" ],

4
sp-modules/simple-nixos-mailserver/config.nix
View file

@ -75,9 +75,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
"admin@${sp.domain}" = "${sp.username}@${sp.domain}"; "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
}; };
certificateScheme = "manual"; certificateScheme = "acme";
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
# Enable IMAP and POP3 # Enable IMAP and POP3
enableImap = true; enableImap = true;

6
webserver/nginx.nix
View file

@ -21,8 +21,7 @@ in
''; '';
virtualHosts = { virtualHosts = {
"${domain}" = { "${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; useACMEHost = domain;
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -41,8 +40,7 @@ in
}; };
}; };
"api.${domain}" = { "api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; useACMEHost = domain;
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;