X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fcertificates.nix;h=c68bbee5f585d4bdf69376a687180c9cf9e92e78;hp=82ff52f04ba0f437966e6fdbff7472cb2bf6e645;hb=3ffa15baf832f5b94cfd8d1b978eaa42f4102e07;hpb=ca732a83f6d298847560f66b4aa4cb53011c0c88
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 82ff52f..c68bbee 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -4,7 +4,7 @@
 enable = lib.mkEnableOption "enable certificates";
 certConfig = lib.mkOption {
 default = {
- webroot = "/var/lib/acme/acme-challenge";
+ webroot = "/var/lib/acme/acme-challenges";
 email = "ismael@bouya.org";
 postRun = builtins.concatStringsSep "\n" [
 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
@@ -19,11 +19,17 @@
 config = lib.mkIf config.myServices.certificates.enable {
 services.duplyBackup.profiles.system.excludeFile = ''
- + /var/lib/acme/acme-challenge
+ + /var/lib/acme/acme-challenges
 '';
 services.nginx = {
 recommendedTlsSettings = true;
- virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
+ virtualHosts = {
+ "${config.hostEnv.fqdn}" = {
+ acmeRoot = config.security.acme.certs."${name}".webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ };
+ };
 };
 services.websites.certs = config.myServices.certificates.certConfig;
 myServices.databasesCerts = config.myServices.certificates.certConfig;
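Review bot: The challenge directory is still written out as a literal in two places, the `webroot` default in the first hunk and the `+ /var/lib/acme/acme-challenges` entry of `excludeFile` in the second, so the next rename can leave the two out of step again. The new `acmeRoot` line already reads the path from `config.security.acme.certs."${name}".webroot`; the `excludeFile` entry could interpolate the same expression, `+ ${config.security.acme.certs."${name}".webroot}`, so the path has a single source of truth. `name` is bound outside the hunk, so confirm it is in scope there and that this cert's `webroot` is always set, since a cert validated without a webroot would presumably leave it null and break `acmeRoot`. Any other server that still serves `/.well-known/acme-challenge` from the old directory would fail HTTP-01 renewal after this change; the Apache side reloaded in `postRun` is not visible here.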