acme settings

hosts/vps1/configuration.nix

@@ -1,4 +1,11 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+let
+  rootDomain = "lgm.6dcdb488.nip.io";
+  gtnhDomain = "gtnh.${rootDomain}";
+  akkoDomain = "akko.testdrive.${rootDomain}";
+  iceDomain = "ice.testdrive.${rootDomain}";
+in
+{
   imports = [
     ./hardware-configuration.nix
     
@@ -27,31 +34,55 @@
     port = 22;
   };
 
+  users.users.nginx.extraGroups = [ "acme" ];
+
   services.nginx = {
     enable = true;
-    virtualHosts."gtnh.lgm.6dcdb488.nip.io" = {
+    virtualHosts.${gtnhDomain} = {
       # addSSL = true;
       forceSSL = true;
-      enableACME = true;
+      # enableACME = true;
+      useACMEHost = "lgm.6dcdb488.nip.io";
       root = "/var/www/gtnh";
     };
-    virtualHosts."akko.testdrive.lgm.6dcdb488.nip.io" = {
+    virtualHosts.${akkoDomain} = {
       # addSSL = true;
       forceSSL = true;
-      enableACME = true;
+      # enableACME = true;
+      useACMEHost = "lgm.6dcdb488.nip.io";
       root = "/var/www/todo";
     };
-    virtualHosts."ice.testdrive.lgm.6dcdb488.nip.io" = {
+    virtualHosts.${iceDomain} = {
       # addSSL = true;
       forceSSL = true;
-      enableACME = true;
+      # enableACME = true;
+      useACMEHost = "lgm.6dcdb488.nip.io";
       root = "/var/www/todo";
     };
+    virtualHosts."acmechallenge.${rootDomain}" = {
+      # Catchall vhost, will redirect users to HTTPS for all vhosts
+      serverAliases = [ "*.${rootDomain}" ];
+      locations."/.well-known/acme-challenge" = {
+        root = "/var/lib/acme/.challenges";
+      };
+      locations."/" = {
+        return = "301 https://$host$request_uri";
+      };
+    };
   };
 
   security.acme = {
     acceptTerms = true;
     defaults.email = "lgmrszd@disroot.org";
+    certs.${rootDomain} = {
+      group = "nginx";
+      webroot = "/var/lib/acme/.challenges";
+      extraDomainNames = [
+        gtnhDomain
+        akkoDomain
+        iceDomain
+      ];
+    };
   };