author | Alyssa Ross <hi@alyssa.is> | 2021-01-12 13:52:51 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-01-12 14:07:25 +0000 |
commit | e24dc3e236719c488fe57f33375947ba9134e175 (patch) | |
tree | f40aa5b3da36f86febdae1fc114cada6547ea187 /modules | |
parent | 46ec819d56fc3f39ed4951edb782c755a59ed8e4 (diff) | |
sys/atuin: update for new ACME module
The new module defaults to using an "acme" group, which can replace the "tls" group I had set up before. But it will instead use the "nginx" group if using enableACME, so I have to stay away from that and only use useACMEHost, setting up the certificates manually. But that's a very good thing, because it turns out that even though I was trying to generate only two certificates (one for qyliss.net and one for spectrum-os.org), the ACME module was actually generating one per subdomain because of enableACME. Finally, now that atuin.nix is starting to be split up, and because there's less shared configuration, don't mapAttrs over Nginx virtual hosts or ACME certificates, which was confusing and forced everything to be defined at once in the same file.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/server/ftp/default.nix | 4 | ||||
-rw-r--r-- | modules/server/irc/znc/default.nix | 4 | ||||
-rw-r--r-- | modules/server/spectrum/acme/default.nix | 7 | ||||
-rw-r--r-- | modules/server/spectrum/default.nix | 2 | ||||
-rw-r--r-- | modules/server/spectrum/nginx/default.nix | 4 | ||||
-rw-r--r-- | modules/server/xmpp/default.nix | 2 |
6 files changed, 18 insertions, 5 deletions
diff --git a/modules/server/ftp/default.nix b/modules/server/ftp/default.nix
index 78f7c794ce1f..a0e32294aeb7 100644
--- a/modules/server/ftp/default.nix
+++ b/modules/server/ftp/default.nix
@@ -29,7 +29,7 @@ in
   config = {
     services.nginx.virtualHosts."ftp.qyliss.net" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = "qyliss.net";
       root = pkgs.runCommandNoCC "ftp.qyliss.net" {} ''
         mkdir $out
 
@@ -43,5 +43,7 @@ in
         autoindex on;
       '';
     };
+
+    security.acme.certs."qyliss.net".extraDomainNames = [ "ftp.qyliss.net" ];
   };
 }
diff --git a/modules/server/irc/znc/default.nix b/modules/server/irc/znc/default.nix
index 056419ae492b..559b59e657c2 100644
--- a/modules/server/irc/znc/default.nix
+++ b/modules/server/irc/znc/default.nix
@@ -7,7 +7,7 @@
 
   services.nginx.virtualHosts."znc.${config.networking.domain}" = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "qyliss.net";
 
     locations = {
       "/" = {
@@ -27,5 +27,7 @@
       }
     '';
 
+  security.acme.certs."qyliss.net".extraDomainNames = [ "znc.qyliss.net" ];
+
   networking.firewall.allowedTCPPorts = [ 6697 ];
 }
diff --git a/modules/server/spectrum/acme/default.nix b/modules/server/spectrum/acme/default.nix
new file mode 100644
index 000000000000..6a60f52d2456
--- /dev/null
+++ b/modules/server/spectrum/acme/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  security.acme.certs."spectrum-os.org" = {
+    webroot = "/var/lib/acme/acme-challenge";
+  };
+}
diff --git a/modules/server/spectrum/default.nix b/modules/server/spectrum/default.nix
index d8f096c2d820..c18355a4946a 100644
--- a/modules/server/spectrum/default.nix
+++ b/modules/server/spectrum/default.nix
@@ -1,5 +1,5 @@
 { ... }:
 
 {
-  imports = [ ./cgit ./git-http-backend ./nginx ./public-inbox ];
+  imports = [ ./acme ./cgit ./git-http-backend ./nginx ./public-inbox ];
 }
diff --git a/modules/server/spectrum/nginx/default.nix b/modules/server/spectrum/nginx/default.nix
index f4fca7ca1676..5067595698c5 100644
--- a/modules/server/spectrum/nginx/default.nix
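Review bot: Switching the ftp vhost to `useACMEHost = "qyliss.net";` moves the certificate from the nginx-owned group that `enableACME` arranged into the ACME module's default `acme` group, yet nothing in this diff grants the nginx user read access to `/var/lib/acme/qyliss.net/` the way the xmpp hunk grants it to prosody. Whether the nginx module adds that group membership for `useACMEHost` vhosts should be confirmed before deploy; if it does not, nginx will fail to open the key at startup. The znc and spectrum/nginx hunks carry the same change and the same question. It is also worth confirming that a renewed certificate still triggers an nginx reload (the per-certificate `reloadServices` hook), since that wiring came with `enableACME` and is not reproduced here. The base definition of `security.acme.certs."qyliss.net"` (webroot, group) is not in this diff, so this assumes it lives in a module outside the diffstat.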
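Review bot: In the znc module the vhost is keyed on `"znc.${config.networking.domain}"` but the SAN added to the certificate is the literal `"znc.qyliss.net"`, so if `networking.domain` is ever set to anything else the vhost will present a certificate that does not cover its own name. Derive both from the same value, `security.acme.certs."qyliss.net".extraDomainNames = [ "znc.${config.networking.domain}" ];`, or key the vhost on the literal as the ftp module does. The enclosing attribute set of this module starts and ends outside the hunks.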
+++ b/modules/server/spectrum/nginx/default.nix
@@ -17,7 +17,7 @@ in
       serverName = head redirectDomains;
       serverAliases = tail redirectDomains;
       addSSL = true;
-      enableACME = true;
+      useACMEHost = "spectrum-os.org";
       globalRedirect = "spectrum-os.org";
     };
 
@@ -26,6 +26,8 @@ in
     alias = ./robots.txt;
   };
 
+  security.acme.certs."spectrum-os.org".extraDomainNames = redirectDomains;
+
   # The Spectrum website lives in /home/spectrum/www
   systemd.services.nginx.serviceConfig.ProtectHome = false;
 }
diff --git a/modules/server/xmpp/default.nix b/modules/server/xmpp/default.nix
index f1540e0c569f..3771872741aa 100644
--- a/modules/server/xmpp/default.nix
+++ b/modules/server/xmpp/default.nix
@@ -23,5 +23,5 @@
     ssl.cert = "/var/lib/acme/qyliss.net/fullchain.pem";
   };
 
-  users.users.prosody.extraGroups = [ "tls" ];
+  users.users.prosody.extraGroups = [ "acme" ];
 }
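Review bot: Putting prosody in the module-wide `acme` group gives it read access to every private key the ACME module manages under /var/lib/acme, including the spectrum-os.org key this same commit creates, while prosody only references `/var/lib/acme/qyliss.net/fullchain.pem`. If that key should stay out of prosody's reach, the ACME module's per-certificate `group` option lets the qyliss.net certificate use a dedicated group that only its consumers join, which is closer to what the old `tls` group appears to have provided. The diff also does not remove the `tls` group definition or its ownership of the old certificate directory; assuming those live outside the diffstat, they should be dropped in the same change so a stale group with key access does not linger.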