diff --git a/hosts/vps1/configuration.nix b/hosts/vps1/configuration.nix
index aa668c7..3e78b6c 100644
--- a/hosts/vps1/configuration.nix
+++ b/hosts/vps1/configuration.nix
@@ -1,4 +1,11 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+let
+ rootDomain = "lgm.6dcdb488.nip.io";
+ gtnhDomain = "gtnh.${rootDomain}";
+ akkoDomain = "akko.testdrive.${rootDomain}";
+ iceDomain = "ice.testdrive.${rootDomain}";
+in
+{
 imports = [
 ./hardware-configuration.nix
@@ -27,31 +34,55 @@
 port = 22;
 };
+ users.users.nginx.extraGroups = [ "acme" ];
+
 services.nginx = {
 enable = true;
- virtualHosts."gtnh.lgm.6dcdb488.nip.io" = {
+ virtualHosts.${gtnhDomain} = {
 # addSSL = true;
 forceSSL = true;
- enableACME = true;
+ # enableACME = true;
+ useACMEHost = "lgm.6dcdb488.nip.io";
 root = "/var/www/gtnh";
 };
- virtualHosts."akko.testdrive.lgm.6dcdb488.nip.io" = {
+ virtualHosts.${akkoDomain} = {
 # addSSL = true;
 forceSSL = true;
- enableACME = true;
+ # enableACME = true;
+ useACMEHost = "lgm.6dcdb488.nip.io";
 root = "/var/www/todo";
 };
- virtualHosts."ice.testdrive.lgm.6dcdb488.nip.io" = {
+ virtualHosts.${iceDomain} = {
 # addSSL = true;
 forceSSL = true;
- enableACME = true;
+ # enableACME = true;
+ useACMEHost = "lgm.6dcdb488.nip.io";
 root = "/var/www/todo";
 };
+ virtualHosts."acmechallenge.${rootDomain}" = {
+ # Catchall vhost, will redirect users to HTTPS for all vhosts
+ serverAliases = [ "*.${rootDomain}" ];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
 };
 security.acme = {
 acceptTerms = true;
 defaults.email = "lgmrszd@disroot.org";
+ certs.${rootDomain} = {
+ group = "nginx";
+ webroot = "/var/lib/acme/.challenges";
+ extraDomainNames = [
+ gtnhDomain
+ akkoDomain
+ iceDomain
+ ];
+ };
 };
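Review bot: The HTTP-01 challenge path for the three named domains in the second hunk is unlikely to be served from the `webroot` configured on `certs.${rootDomain}`: the catch-all `acmechallenge.${rootDomain}` vhost only wins for hosts that have no exact `server_name`, and if I recall correctly the NixOS nginx module emits its own `/.well-known/acme-challenge` location rooted at the vhost's `acmeRoot` (default `/var/lib/acme/acme-challenge`) for any vhost with `useACMEHost` set, so validation for `gtnhDomain`, `akkoDomain` and `iceDomain` would look in that directory rather than in `/var/lib/acme/.challenges` — worth confirming against the module version in use. The simplest alignment is to drop the custom path and rely on the module default, i.e. `webroot = "/var/lib/acme/acme-challenge";` on the cert and `root = "/var/lib/acme/acme-challenge";` in the catch-all location, or to set `acmeRoot` on the three vhosts to the same `.challenges` path. The literal `useACMEHost = "lgm.6dcdb488.nip.io";` is repeated three times even though the hunk now has a `rootDomain` binding for exactly that string; `useACMEHost = rootDomain;` keeps the cert name and the vhosts from drifting apart. With `group = "nginx"` on the cert, the added `users.users.nginx.extraGroups = [ "acme" ]` appears redundant; one of the two suffices and the unused one widens nginx's group membership for no gain.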