{
  config,
  lib,
  pkgs,
  ...
}: let
  # Builds the attrset used for every entry in security.acme.certs below.
  # NOTE(review): the `domain` argument is never referenced in the body, so all
  # certificates get byte-identical settings; see the email comment below.
  mkAcmeCert = domain: {
    # An acme system user is created. This user belongs to the acme group
    # and the home directory is /var/lib/acme. This user will try to make the directory
    # .well-known/acme-challenge/ under the webroot directory.
    # The nginx location block at the bottom of this file serves that directory
    # for HTTP-01 validation.
    webroot = "/var/lib/acme";

    # Email to send certificate updates to. An earlier comment here described
    # prefixing "acme" and the certificate's domain name, but the value is a
    # fixed address that is identical to security.acme.defaults.email, so this
    # line is currently redundant and `domain` goes unused.
    email = "charlie@charlieroot.dev";

    # Group for the issued key/cert files — presumably so the nginx process can
    # read them without running as the acme user; verify against the
    # security.acme.certs.<name>.group option docs. This does not by itself
    # grant nginx access to the webroot directory above.
    group = "nginx";
  };
in {
  security.acme = {
    # Accepts the CA's terms of service; the NixOS acme module requires this.
    acceptTerms = true;

    defaults = {
      email = "charlie@charlieroot.dev";
      # Testing server: do not use in production, but DO use it for setting
      # things up, as it has much higher rate limits. While this line is
      # commented out the module's default (production Let's Encrypt) is used,
      # so any mistake in the challenge setup below burns production quota.
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    # One certificate per host name, all sharing the settings from mkAcmeCert.
    certs = {
      "copeberg.org" = mkAcmeCert "copeberg.org";
      "info.copeberg.org" = mkAcmeCert "info.copeberg.org";
      "mail.charlieroot.dev" = mkAcmeCert "mail.charlieroot.dev";
    };
  };

  # Serves the HTTP-01 challenge files the ACME client writes under the webroot.
  # The rewrite strips the /.well-known/acme-challenge/ prefix, and `root`
  # already ends in that directory, so a request for
  # /.well-known/acme-challenge/<token> maps to
  # /var/lib/acme/.well-known/acme-challenge/<token>; nothing outside that
  # directory is exposed by this block.
  # NOTE(review): as far as I recall, services.nginx.appendConfig is appended
  # at the end of nginx.conf, outside the http/server context, where a bare
  # `location` directive is rejected — confirm the generated config passes
  # nginx's syntax check. The usual NixOS route is
  # services.nginx.virtualHosts.<name>.enableACME (or .locations), which also
  # scopes the block to the intended server instead of every vhost.
  services.nginx.appendConfig = ''
    location /.well-known/acme-challenge/ {
      rewrite /.well-known/acme-challenge/(.*) /$1 break;
      root /var/lib/acme/.well-known/acme-challenge;
    }
  '';
}