From 3ffa15baf832f5b94cfd8d1b978eaa42f4102e07 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 7 Apr 2020 23:01:14 +0200
Subject: [PATCH] Fix acme challenge folders

---
 modules/private/certificates.nix | 12 +++++++++---
 modules/private/monitoring/status.nix | 1 +
 modules/private/websites/default.nix | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 82ff52f..c68bbee 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -4,7 +4,7 @@
 enable = lib.mkEnableOption "enable certificates";
 certConfig = lib.mkOption {
 default = {
- webroot = "/var/lib/acme/acme-challenge";
+ webroot = "/var/lib/acme/acme-challenges";
 email = "ismael@bouya.org";
 postRun = builtins.concatStringsSep "\n" [
 (lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
@@ -19,11 +19,17 @@
 config = lib.mkIf config.myServices.certificates.enable {
 services.duplyBackup.profiles.system.excludeFile = ''
- + /var/lib/acme/acme-challenge
+ + /var/lib/acme/acme-challenges
 '';
 services.nginx = {
 recommendedTlsSettings = true;
- virtualHosts = { "${config.hostEnv.fqdn}" = { useACMEHost = name; forceSSL = true; }; };
+ virtualHosts = {
+ "${config.hostEnv.fqdn}" = {
+ acmeRoot = config.security.acme.certs."${name}".webroot;
+ useACMEHost = name;
+ forceSSL = true;
+ };
+ };
 };
 services.websites.certs = config.myServices.certificates.certConfig;
 myServices.databasesCerts = config.myServices.certificates.certConfig;
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix
index 7810a1f..e0bc0e1 100644
--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
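Review bot: The backup exclude on the `+ + /var/lib/acme/acme-challenges` line still hard-codes the challenge directory that this same file declares as the `webroot` default of `certConfig` in the first hunk, so the two values can drift apart again exactly the way they evidently did before this commit; the activation script in modules/private/websites/default.nix repeats the literal a third time. The new nginx block already derives `acmeRoot` from `config.security.acme.certs."${name}".webroot`, and the exclude could follow the same pattern, e.g. `+ ${config.myServices.certificates.certConfig.webroot}` inside the `''` string, assuming the configured value keeps a `webroot` attribute as the default does. A mismatched backup exclude is harmless, but a webroot that differs from what the web server serves and the activation script creates is the renewal failure this commit is fixing, so a single source for the path is worth the small change. The enclosing `config = lib.mkIf …` attribute set continues past the end of the hunk.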
@@ -29,6 +29,7 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 virtualHosts."status.immae.eu" = {
+ acmeRoot = config.security.acme.certs."${name}".webroot;
 useACMEHost = name;
 forceSSL = true;
 locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
index 529ec5c..f9689ec 100644
--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -125,7 +125,7 @@ in
 system.activationScripts = {
 httpd = ''
- install -d -m 0755 /var/lib/acme/acme-challenges
+ install -d -m 0755 /var/lib/acme/acme-challenges
 install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
 '';
 };
-- 
2.41.0
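Review bot: The renamed `install -d -m 0755 /var/lib/acme/acme-challenges` line in modules/private/websites/default.nix creates the challenge root owned by root with no `-o`/`-g`, unlike the neighbouring php sessions line that names `wwwrun` explicitly, while the ACME client that has to write challenge files below this directory presumably runs as an unprivileged service user. If the NixOS acme module's own tmpfiles handling creates and owns the `.well-known/acme-challenge` subtree, this line is merely redundant; if it does not, renewals fail with a permission error only at the next renewal, long after the deploy has looked green. It would be worth confirming which case applies and recording it, e.g. `# ownership of .well-known/acme-challenge below this root is handled by security.acme`, or passing explicit `-o`/`-g` for the acme service user so the script does not depend on that behaviour. The `system.activationScripts` set is opened and closed within the hunk.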