feat(ops/nixos/camden): Move ACME configuration out of nginx r/546

This makes it possible to re-use the same provisioning mechanism for multiple related domains.
author: Vincent Ambo <tazjin@google.com> 2020-02-12T01·08+0000
committer: Vincent Ambo <tazjin@google.com> 2020-02-12T01·08+0000
commit: 7373edf73a15c106d556a39ff710e3349433502a (patch)
tree: 830d57f3e22dd1246a479b29979ac582b1241dd8
parent: 8e52e74bd3d38e519c951aca8a5c4a4c89c609e5 (diff)
1 files changed, 13 insertions, 4 deletions
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index 9cecbcdccf..e3bf8003ce 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -143,14 +143,23 @@ in pkgs.lib.fix(self: {
     };
   };
 
+  # Provision a TLS certificate outside of nginx to avoid
+  # nixpkgs#38144
+  security.acme.certs."camden.tazj.in" = {
+    user = "nginx";
+    group = "nginx";
+    webroot = "/var/lib/acme/acme-challenge";
+    postRun = "systemctl reload nginx";
+  };
+
   # serve my website
   services.nginx = {
     enable = true;
     enableReload = true;
 
-    # recommendedTlsSettings = true;
-    # recommendedGzipSettings = true;
-    # recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
 
     commonHttpConfig = ''
       log_format json_combined escape=json
@@ -172,7 +181,7 @@ in pkgs.lib.fix(self: {
     virtualHosts.homepage = {
       serverName = "camden.tazj.in"; # TODO(tazjin): change to actual host later
       default = true;
-      enableACME = true;
+      useACMEHost = "camden.tazj.in";
       root = pkgs.web.homepage;
       addSSL = true;
author	Vincent Ambo <tazjin@google.com>	2020-02-12T01·08+0000
committer	Vincent Ambo <tazjin@google.com>	2020-02-12T01·08+0000
commit	7373edf73a15c106d556a39ff710e3349433502a (patch)
tree	830d57f3e22dd1246a479b29979ac582b1241dd8
parent	8e52e74bd3d38e519c951aca8a5c4a4c89c609e5 (diff)