From 7373edf73a15c106d556a39ff710e3349433502a Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Wed, 12 Feb 2020 01:08:27 +0000
Subject: feat(ops/nixos/camden): Move ACME configuration out of nginx
This makes it possible to re-use the same provisioning mechanism for multiple related domains.
---
 ops/nixos/camden/default.nix | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index 9cecbcdccf0e..e3bf8003ced6 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -143,14 +143,23 @@ in pkgs.lib.fix(self: {
 };
 };
+ # Provision a TLS certificate outside of nginx to avoid
+ # nixpkgs#38144
+ security.acme.certs."camden.tazj.in" = {
+ user = "nginx";
+ group = "nginx";
+ webroot = "/var/lib/acme/acme-challenge";
+ postRun = "systemctl reload nginx";
+ };
 # serve my website
 services.nginx = {
 enable = true;
 enableReload = true;
- # recommendedTlsSettings = true;
- # recommendedGzipSettings = true;
- # recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
 commonHttpConfig = ''
 log_format json_combined escape=json
@@ -172,7 +181,7 @@ in pkgs.lib.fix(self: {
 virtualHosts.homepage = {
 serverName = "camden.tazj.in"; # TODO(tazjin): change to actual host later
 default = true;
- enableACME = true;
+ useACMEHost = "camden.tazj.in";
 root = pkgs.web.homepage;
 addSSL = true;
-- 
cgit 1.4.1
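Review bot: The new `security.acme.certs."camden.tazj.in"` entry depends on nginx actually serving `/.well-known/acme-challenge/` out of `/var/lib/acme/acme-challenge`, but nothing in this hunk ties the two together — the `webroot` only works if it matches the path the nginx vhost uses for the challenge location (the nixpkgs `acmeRoot` vhost option, which as far as I recall defaults to this same path), and a later change to either side will silently break renewal. A why-comment above `webroot` would save the next reader the lookup, e.g. `# must match the vhost's acmeRoot so nginx answers the HTTP-01 challenge`. Likewise `user`/`group` = `nginx` deserve a one-liner noting that the private key is made readable by the nginx service user because the server terminates TLS itself, and that `postRun` is what picks up the renewed key. The enclosing `pkgs.lib.fix(self: { ... })` attribute set starts and ends outside the hunk.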
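Review bot: `useACMEHost = "camden.tazj.in"` only selects which certificate nginx loads; it does not create or extend one, so the certificate's domain is whatever `security.acme.certs."camden.tazj.in"` provisions, and the TODO on the `serverName` line to change the host would leave this vhost serving a certificate for the wrong name unless the cert attribute is updated in lockstep. A comment such as `# keep in sync with serverName and the security.acme.certs attribute name` on the `useACMEHost` line, or deriving both from a single binding, would make that coupling explicit. Separately, `addSSL = true` still serves the site over plaintext HTTP; now that a real certificate is wired in, `forceSSL = true;` would redirect HTTP to HTTPS (the nixpkgs module exempts the ACME challenge path from that redirect, as far as I recall, so renewal is unaffected). `virtualHosts.homepage` continues past the end of the hunk.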