useACMEHost for all services

2024-11-25 20:41:27 +00:00 · 2023-12-22 19:57:48 +04:00 · 2023-12-22 19:57:48 +04:00 · e6496b95a4
parent 5aba990f95
commit e6496b95a4
10 changed files with 15 additions and 21 deletions
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@ -78,8 +78,7 @@ in
      '';
    };
    services.nginx.virtualHosts."password.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+      useACMEHost = sp.domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@ -85,8 +85,7 @@ in
      };
    };
    services.nginx.virtualHosts."git.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+      useACMEHost = sp.domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@ -21,8 +21,6 @@ in
      };
    };
    services.nginx.virtualHosts."meet.${domain}" = {
-      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
      forceSSL = true;
      useACMEHost = domain;
      enableACME = false;
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@ -71,8 +71,7 @@
        };
      };
      services.nginx.virtualHosts.${hostName} = {
-        sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+      useACMEHost = config.selfprivacy.domain;
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
--- a/sp-modules/ocserv/config-paths-needed.json
+++ b/sp-modules/ocserv/config-paths-needed.json
@ -1,4 +1,5 @@
 [
+  [ "security", "acme", "certs" ],
  [ "selfprivacy", "domain" ],
  [ "selfprivacy", "modules", "ocserv" ]
 ]
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:
 let
  domain = config.selfprivacy.domain;
+  cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+  key = "${config.security.acme.certs.${domain}.directory}/key.pem";
 in
 {
  options.selfprivacy.modules.ocserv = {
@ -28,8 +30,8 @@ in
        tcp-port = 8443
        udp-port = 8443

-        server-cert = /var/lib/acme/${domain}/fullchain.pem
-        server-key = /var/lib/acme/${domain}/key.pem
+        server-cert = ${cert}
+        server-key = ${key}

        compression = true

@ -56,8 +58,7 @@ in
      '';
    };
    services.nginx.virtualHosts."vpn.${domain}" = {
-      sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+      useACMEHost = domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
@ -70,5 +71,6 @@ in
        expires 10m;
      '';
    };
+    systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ];
  };
 }
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@ -104,8 +104,7 @@ in
    # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
    systemd.services.pleroma.path = [ pkgs.util-linux ];
    services.nginx.virtualHosts."social.${sp.domain}" = {
-      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+      useACMEHost = config.selfprivacy.domain;
      root = "/var/www/social.${sp.domain}";
      forceSSL = true;
      extraConfig = ''
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@ -1,5 +1,6 @@
 [
  [ "mailserver" ],
+  [ "security", "acme", "certs" ],
  [ "selfprivacy", "domain" ],
  [ "selfprivacy", "hashedMasterPassword" ],
  [ "selfprivacy", "useBinds" ],
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@ -75,9 +75,7 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
      "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
    };

-    certificateScheme = "manual";
-    certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
-    keyFile = "/var/lib/acme/${sp.domain}/key.pem";
+    certificateScheme = "acme";

    # Enable IMAP and POP3
    enableImap = true;
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -21,8 +21,7 @@ in
    '';
    virtualHosts = {
      "${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        useACMEHost = domain;
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -41,8 +40,7 @@ in
        };
      };
      "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        useACMEHost = domain;
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;