From 7df420c27ebe7daaa4fd099c457ce9a9075b840e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 16 May 2019 23:23:05 +0200 Subject: [PATCH] Add certificate creation and handling to websites --- modules/websites/default.nix | 51 +++++++++++++++++++ nixops/modules/certificates.nix | 2 + nixops/modules/task/default.nix | 2 +- nixops/modules/websites/aten/default.nix | 18 +++---- .../modules/websites/capitaines/default.nix | 20 ++++---- nixops/modules/websites/chloe/default.nix | 18 +++---- .../websites/connexionswing/default.nix | 21 +++----- nixops/modules/websites/emilia/default.nix | 16 ++---- nixops/modules/websites/ftp/denisejerome.nix | 13 ++--- nixops/modules/websites/ftp/florian.nix | 17 +++---- nixops/modules/websites/ftp/immae.nix | 6 +-- nixops/modules/websites/ftp/jerome.nix | 12 ++--- nixops/modules/websites/ftp/leila.nix | 19 +++---- nixops/modules/websites/ftp/nassime.nix | 12 ++--- nixops/modules/websites/ftp/papa.nix | 12 ++--- nixops/modules/websites/ftp/release.nix | 3 +- nixops/modules/websites/ftp/temp.nix | 3 +- nixops/modules/websites/ludivine/default.nix | 18 +++---- .../modules/websites/piedsjaloux/default.nix | 18 +++---- .../websites/tellesflorian/default.nix | 2 +- nixops/modules/websites/tools/cloud.nix | 3 +- nixops/modules/websites/tools/dav/default.nix | 3 +- nixops/modules/websites/tools/db.nix | 3 +- nixops/modules/websites/tools/diaspora.nix | 2 +- nixops/modules/websites/tools/ether.nix | 2 +- nixops/modules/websites/tools/git/default.nix | 3 +- nixops/modules/websites/tools/mastodon.nix | 2 +- nixops/modules/websites/tools/mediagoblin.nix | 2 +- nixops/modules/websites/tools/peertube.nix | 2 +- .../modules/websites/tools/tools/default.nix | 13 +++-- 30 files changed, 150 insertions(+), 168 deletions(-) diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 6a18c8a..b76aeea 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix 
@@ -3,6 +3,9 @@ let cfg = config.services.websites; in { + options.services.websitesCerts = mkOption { + description = "Default websites configuration for certificates as accepted by acme"; + }; options.services.websites = with types; mkOption { default = {}; description = "Each type of website to enable will target a distinct httpd server"; @@ -72,6 +75,16 @@ in type = attrsOf (submodule { options = { certName = mkOption { type = string; }; + addToCerts = mkOption { + type = bool; + default = false; + description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; + }; + certMainHost = mkOption { + type = nullOr string; + description = "Use that host as 'main host' for acme certs"; + default = null; + }; hosts = mkOption { type = listOf string; }; root = mkOption { type = nullOr path; }; extraConfig = mkOption { type = listOf lines; default = []; }; 
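Review bot: `services.websitesCerts` is declared with neither `type` nor `default`, so a host that enables a website with `certMainHost` set but never defines the option only fails later, when the acme block evaluates `config.services.websitesCerts // { … }`, with a generic "used but not defined" error; adding `type = types.attrs;` makes the error name the option and rejects non-attrset values. The `addToCerts` description is also hard to parse; suggested wording: `description = "Add this vhost's hosts to the certificate named by certName. Ignored (treated as true) when certMainHost is not null";`. The `options.services.websites` submodule continues outside the hunk.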
@@ -145,4 +158,42 @@ in ++ [ (redirectVhost icfg.ips) ]; }) ) cfg; + + config.security.acme.certs = let + typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg; + flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: + attrValues v.vhostConfs + ) typesToManage); + groupedCerts = attrsets.filterAttrs + (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group) + (lists.groupBy (v: v.certName) flatVhosts); + groupToDomain = group: + let + nonNull = builtins.filter (v: !isNull v.certMainHost) group; + domains = lists.unique (map (v: v.certMainHost) nonNull); + in + if builtins.length domains == 0 + then null + else assert (builtins.length domains == 1); (elemAt domains 0); + extraDomains = group: + let + mainDomain = groupToDomain group; + in + lists.remove mainDomain ( + lists.unique ( + lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group) + ) + ); + in attrsets.mapAttrs (k: g: + if (!isNull (groupToDomain g)) + then config.services.websitesCerts // { + domain = groupToDomain g; + extraDomains = builtins.listToAttrs ( + map (d: attrsets.nameValuePair d null) (extraDomains g)); + } + else { + extraDomains = builtins.listToAttrs ( + map (d: attrsets.nameValuePair d null) (extraDomains g)); + } + ) groupedCerts; } diff --git a/nixops/modules/certificates.nix b/nixops/modules/certificates.nix index 08f84fd..d648ff7 100644 --- a/nixops/modules/certificates.nix +++ b/nixops/modules/certificates.nix @@ -15,6 +15,8 @@ }; config = { + services.websitesCerts = config.services.myCertificates.certConfig; + security.acme.preliminarySelfsigned = true; security.acme.certs = { diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix index feb3be8..426aa68 100644 --- a/nixops/modules/task/default.nix +++ b/nixops/modules/task/default.nix 
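Review bot: `groupToDomain` enforces the one-main-host invariant with a bare `assert`, so two vhosts sharing a `certName` but declaring different `certMainHost` values abort evaluation with only "assertion failed" and no hint of which certificate or hosts collided; `else if builtins.length domains != 1 then throw "websites: several certMainHost values for one certName: ${toString domains}" else elemAt domains 0;` makes the failure actionable. In the `else` branch a group whose vhosts only set `addToCerts` yields an acme entry with `extraDomains` but no `domain`, which relies on that certificate (e.g. `eldiron`) being declared with a main domain elsewhere — presumably in nixops/modules/certificates.nix, whose `security.acme.certs` body is outside this view; a `certName` that nothing declares would end up as a certificate with no main domain or an evaluation error, depending on the acme module, so a short comment stating that contract above `config.security.acme.certs` would help the next maintainer. Note that the SAN list is now derived only from enabled website types via `typesToManage`, a narrowing compared to the removed per-site `extraDomains` lines that is desirable but worth recording in the commit message.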
@@ -101,10 +101,10 @@ in { SetEnv TASKD_LDAP_FILTER "${env.ldap.search}" ''; }]; - security.acme.certs."eldiron".extraDomains.${fqdn} = null; services.websites.tools.modules = [ "proxy_fcgi" "sed" ]; services.websites.tools.vhostConfs.task = { certName = "eldiron"; + addToCerts = true; hosts = [ "task.immae.eu" ]; root = "/run/current-system/webapps/_task"; extraConfig = [ '' diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix index fd002a5..a9e75b6 100644 --- a/nixops/modules/websites/aten/default.nix +++ b/nixops/modules/websites/aten/default.nix @@ -25,13 +25,6 @@ in { secrets.keys = aten_prod.keys; services.webstats.sites = [ { name = "aten.pro"; } ]; - security.acme.certs."aten" = config.services.myCertificates.certConfig // { - domain = "aten.pro"; - extraDomains = { - "www.aten.pro" = null; - }; - }; - services.myPhpfpm.preStart.aten_prod = aten_prod.phpFpm.preStart; services.myPhpfpm.serviceDependencies.aten_prod = aten_prod.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.aten_prod = aten_prod.phpFpm.pool; @@ -42,15 +35,15 @@ in { ''; services.websites.production.modules = aten_prod.apache.modules; services.websites.production.vhostConfs.aten = { - certName = "aten"; - hosts = [ "aten.pro" "www.aten.pro" ]; - root = aten_prod.apache.root; - extraConfig = [ aten_prod.apache.vhostConf ]; + certName = "aten"; + certMainHost = "aten.pro"; + hosts = [ "aten.pro" "www.aten.pro" ]; + root = aten_prod.apache.root; + extraConfig = [ aten_prod.apache.vhostConf ]; }; }) (lib.mkIf cfg.integration.enable { secrets.keys = aten_dev.keys; - security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null; services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.aten_dev = aten_dev.phpFpm.pool; 
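Review bot: The removed line registered `${fqdn}` on the `eldiron` certificate, while the replacing `addToCerts = true;` covers the literal `hosts = [ "task.immae.eu" ]`; if `fqdn` (defined outside the hunk) is not exactly `task.immae.eu`, the certificate silently loses that SAN and the vhost's TLS name would no longer be covered after the next issuance. Either confirm the two values are identical or write `hosts = [ fqdn ];` so the vhost and the certificate are derived from a single source. The enclosing `config` attrset starts and ends outside the hunk.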
@@ -62,6 +55,7 @@ in { services.websites.integration.modules = aten_dev.apache.modules; services.websites.integration.vhostConfs.aten = { certName = "eldiron"; + addToCerts = true; hosts = [ "dev.aten.pro" ]; root = aten_dev.apache.root; extraConfig = [ aten_dev.apache.vhostConf ]; diff --git a/nixops/modules/websites/capitaines/default.nix b/nixops/modules/websites/capitaines/default.nix index 0d85266..4bbf488 100644 --- a/nixops/modules/websites/capitaines/default.nix +++ b/nixops/modules/websites/capitaines/default.nix @@ -13,20 +13,17 @@ in { }; config = lib.mkIf cfg.production.enable { - security.acme.certs."capitaines" = config.services.myCertificates.certConfig // { - domain = "mastodon.capitaines.fr"; - extraDomains = { "capitaines.fr" = null; }; - }; system.extraSystemBuilderCmds = '' mkdir -p $out/webapps ln -s ${siteDir} $out/webapps/${webappName} ''; services.websites.production.vhostConfs.capitaines_mastodon = { - certName = "capitaines"; - hosts = [ "mastodon.capitaines.fr" ]; - root = root; - extraConfig = [ + certName = "capitaines"; + certMainHost = "mastodon.capitaines.fr"; + hosts = [ "mastodon.capitaines.fr" ]; + root = root; + extraConfig = [ '' ErrorDocument 404 /index.html @@ -39,9 +36,10 @@ in { }; services.websites.production.vhostConfs.capitaines = { - certName = "capitaines"; - hosts = [ "capitaines.fr" ]; - root = "/run/current-system/webapps/_www"; + certName = "capitaines"; + addToCerts = true; + hosts = [ "capitaines.fr" ]; + root = "/run/current-system/webapps/_www"; extraConfig = [ '' DirectoryIndex index.htm diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix index ba72d92..8e801b5 100644 --- a/nixops/modules/websites/chloe/default.nix +++ b/nixops/modules/websites/chloe/default.nix 
@@ -25,13 +25,6 @@ in { secrets.keys = chloe_prod.keys; services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; - security.acme.certs."chloe" = config.services.myCertificates.certConfig // { - domain = "osteopathe-cc.fr"; - extraDomains = { - "www.osteopathe-cc.fr" = null; - }; - }; - services.myPhpfpm.serviceDependencies.chloe_prod = chloe_prod.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.chloe_prod = chloe_prod.phpFpm.pool; services.myPhpfpm.poolPhpConfigs.chloe_prod = '' @@ -44,15 +37,15 @@ in { ''; services.websites.production.modules = chloe_prod.apache.modules; services.websites.production.vhostConfs.chloe = { - certName = "chloe"; - hosts = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ]; - root = chloe_prod.apache.root; - extraConfig = [ chloe_prod.apache.vhostConf ]; + certName = "chloe"; + certMainHost = "osteopathe-cc.fr"; + hosts = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ]; + root = chloe_prod.apache.root; + extraConfig = [ chloe_prod.apache.vhostConf ]; }; }) (lib.mkIf cfg.integration.enable { secrets.keys = chloe_dev.keys; - security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null; services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool; services.myPhpfpm.poolPhpConfigs.chloe_dev = '' @@ -66,6 +59,7 @@ in { services.websites.integration.modules = chloe_dev.apache.modules; services.websites.integration.vhostConfs.chloe = { certName = "eldiron"; + addToCerts = true; hosts = ["chloe.immae.eu" ]; root = chloe_dev.apache.root; extraConfig = [ chloe_dev.apache.vhostConf ]; diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix index 3643e19..20c5166 100644 --- a/nixops/modules/websites/connexionswing/default.nix +++ b/nixops/modules/websites/connexionswing/default.nix 
@@ -25,15 +25,6 @@ in { secrets.keys = connexionswing_prod.keys; services.webstats.sites = [ { name = "connexionswing.com"; } ]; - security.acme.certs."connexionswing" = config.services.myCertificates.certConfig // { - domain = "connexionswing.com"; - extraDomains = { - "www.connexionswing.com" = null; - "sandetludo.com" = null; - "www.sandetludo.com" = null; - }; - }; - services.myPhpfpm.preStart.connexionswing_prod = connexionswing_prod.phpFpm.preStart; services.myPhpfpm.serviceDependencies.connexionswing_prod = connexionswing_prod.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.connexionswing_prod = connexionswing_prod.phpFpm.pool; @@ -45,16 +36,15 @@ in { ''; services.websites.production.modules = connexionswing_prod.apache.modules; services.websites.production.vhostConfs.connexionswing = { - certName = "connexionswing"; - hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; - root = connexionswing_prod.apache.root; - extraConfig = [ connexionswing_prod.apache.vhostConf ]; + certName = "connexionswing"; + certMainHost = "connexionswing.com"; + hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; + root = connexionswing_prod.apache.root; + extraConfig = [ connexionswing_prod.apache.vhostConf ]; }; }) (lib.mkIf cfg.integration.enable { secrets.keys = connexionswing_dev.keys; - security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null; - security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null; services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.connexionswing_dev = connexionswing_dev.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.connexionswing_dev = connexionswing_dev.phpFpm.pool; 
@@ -67,6 +57,7 @@ in { services.websites.integration.modules = connexionswing_dev.apache.modules; services.websites.integration.vhostConfs.connexionswing = { certName = "eldiron"; + addToCerts = true; hosts = ["connexionswing.immae.eu" "sandetludo.immae.eu" ]; root = connexionswing_dev.apache.root; extraConfig = [ connexionswing_dev.apache.vhostConf ]; diff --git a/nixops/modules/websites/emilia/default.nix b/nixops/modules/websites/emilia/default.nix index 4e32bec..47257b7 100644 --- a/nixops/modules/websites/emilia/default.nix +++ b/nixops/modules/websites/emilia/default.nix @@ -47,13 +47,6 @@ in { }; config = lib.mkIf cfg.production.enable { - security.acme.certs."emilia" = config.services.myCertificates.certConfig // { - domain = "saison-photo.org"; - extraDomains = { - "www.saison-photo.org" = null; - }; - }; - system.activationScripts.emilia = '' install -m 0755 -o wwwrun -g wwwrun -d ${varDir} ''; @@ -62,10 +55,11 @@ in { ln -s ${siteDir} $out/webapps/${webappName} ''; services.websites.production.vhostConfs.emilia = { - certName = "emilia"; - hosts = [ "saison-photo.org" "www.saison-photo.org" ]; - root = root; - extraConfig = [ + certName = "emilia"; + certMainHost = "saison-photo.org"; + hosts = [ "saison-photo.org" "www.saison-photo.org" ]; + root = root; + extraConfig = [ '' DirectoryIndex pause.html diff --git a/nixops/modules/websites/ftp/denisejerome.nix b/nixops/modules/websites/ftp/denisejerome.nix index fa31430..884fb62 100644 --- a/nixops/modules/websites/ftp/denisejerome.nix +++ b/nixops/modules/websites/ftp/denisejerome.nix 
@@ -13,15 +13,12 @@ in { config = lib.mkIf cfg.production.enable { services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ]; - security.acme.certs."denisejerome" = config.services.myCertificates.certConfig // { - domain = "denisejerome.piedsjaloux.fr"; - }; - services.websites.production.vhostConfs.denisejerome = { - certName = "denisejerome"; - hosts = ["denisejerome.piedsjaloux.fr" ]; - root = varDir; - extraConfig = [ + certName = "denisejerome"; + certMainHost = "denisejerome.piedsjaloux.fr"; + hosts = ["denisejerome.piedsjaloux.fr" ]; + root = varDir; + extraConfig = [ '' Use Stats denisejerome.piedsjaloux.fr diff --git a/nixops/modules/websites/ftp/florian.nix b/nixops/modules/websites/ftp/florian.nix index 8097507..ebd461e 100644 --- a/nixops/modules/websites/ftp/florian.nix +++ b/nixops/modules/websites/ftp/florian.nix @@ -17,19 +17,14 @@ in { config = lib.mkMerge [ (lib.mkIf cfg.production.enable { security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; - security.acme.certs."florian" = config.services.myCertificates.certConfig // { - domain = "tellesflorian.com"; - extraDomains = { - "www.tellesflorian.com" = null; - }; - }; services.websites.production.modules = adminer.apache.modules; services.websites.production.vhostConfs.florian = { - certName = "florian"; - hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; - root = "${varDir}/tellesflorian.com"; - extraConfig = [ + certName = "florian"; + certMainHost = "tellesflorian.com"; + hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; + root = "${varDir}/tellesflorian.com"; + extraConfig = [ adminer.apache.vhostConf '' ServerAdmin ${env.server_admin} 
@@ -47,11 +42,11 @@ in { (lib.mkIf cfg.integration.enable { security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; - security.acme.certs."eldiron".extraDomains."florian.immae.eu" = null; services.websites.integration.modules = adminer.apache.modules; services.websites.integration.vhostConfs.florian = { certName = "eldiron"; + addToCerts = true; hosts = [ "florian.immae.eu" ]; root = "${varDir}/florian.immae.eu"; extraConfig = [ diff --git a/nixops/modules/websites/ftp/immae.nix b/nixops/modules/websites/ftp/immae.nix index e188d95..2ba30a1 100644 --- a/nixops/modules/websites/ftp/immae.nix +++ b/nixops/modules/websites/ftp/immae.nix @@ -13,8 +13,6 @@ in { config = lib.mkIf cfg.production.enable { services.webstats.sites = [ { name = "www.immae.eu"; } ]; - security.acme.certs."eldiron".extraDomains."www.immae.eu" = null; - services.myPhpfpm.poolConfigs.immae = '' listen = /run/phpfpm/immae.sock user = wwwrun @@ -31,6 +29,7 @@ in { services.websites.production.modules = [ "proxy_fcgi" ]; services.websites.production.vhostConfs.immae = { certName = "eldiron"; + addToCerts = true; hosts = [ "www.immae.eu" ]; root = varDir; extraConfig = [ @@ -56,10 +55,9 @@ in { ]; }; - security.acme.certs."eldiron".extraDomains."bouya.org" = null; - security.acme.certs."eldiron".extraDomains."www.bouya.org" = null; services.websites.production.vhostConfs.bouya = { certName = "eldiron"; + addToCerts = true; hosts = [ "bouya.org" "www.bouya.org" ]; root = null; extraConfig = [ '' diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix index a340644..d00c42d 100644 --- a/nixops/modules/websites/ftp/jerome.nix +++ b/nixops/modules/websites/ftp/jerome.nix 
@@ -15,9 +15,6 @@ in { services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; - security.acme.certs."naturaloutil" = config.services.myCertificates.certConfig // { - domain = "naturaloutil.immae.eu"; - }; secrets.keys = [{ dest = "webapps/prod-naturaloutil"; @@ -60,10 +57,11 @@ in { ''; services.websites.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ]; services.websites.production.vhostConfs.naturaloutil = { - certName = "naturaloutil"; - hosts = ["naturaloutil.immae.eu" ]; - root = varDir; - extraConfig = [ + certName = "naturaloutil"; + certMainHost = "naturaloutil.immae.eu"; + hosts = ["naturaloutil.immae.eu" ]; + root = varDir; + extraConfig = [ adminer.apache.vhostConf '' Use Stats naturaloutil.immae.eu diff --git a/nixops/modules/websites/ftp/leila.nix b/nixops/modules/websites/ftp/leila.nix index 5185372..14bfa20 100644 --- a/nixops/modules/websites/ftp/leila.nix +++ b/nixops/modules/websites/ftp/leila.nix @@ -10,15 +10,6 @@ in { }; config = (lib.mkIf cfg.production.enable { - security.acme.certs."leila" = config.services.myCertificates.certConfig // { - domain = "leila.bouya.org"; - extraDomains = { - "chorale.leila.bouya.org" = null; - "chorale-vocanta.fr.nf" = null; - "www.chorale-vocanta.fr.nf" = null; - }; - }; - services.myPhpfpm.poolConfigs.leila = '' listen = /run/phpfpm/leila.sock user = wwwrun @@ -41,6 +32,7 @@ in { services.websites.production.modules = [ "proxy_fcgi" ]; services.websites.production.vhostConfs.leila_chorale = { certName = "leila"; + addToCerts = true; hosts = [ "chorale.leila.bouya.org" "chorale-vocanta.fr.nf" "www.chorale-vocanta.fr.nf" ]; root = "${varDir}/Chorale"; extraConfig = [ 
@@ -62,10 +54,11 @@ in { ]; }; services.websites.production.vhostConfs.leila = { - certName = "leila"; - hosts = [ "leila.bouya.org" ]; - root = varDir; - extraConfig = [ + certName = "leila"; + certMainHost = "leila.bouya.org"; + hosts = [ "leila.bouya.org" ]; + root = varDir; + extraConfig = [ '' Use Stats leila.bouya.org diff --git a/nixops/modules/websites/ftp/nassime.nix b/nixops/modules/websites/ftp/nassime.nix index 9ed8a80..3c982d3 100644 --- a/nixops/modules/websites/ftp/nassime.nix +++ b/nixops/modules/websites/ftp/nassime.nix @@ -14,15 +14,13 @@ in { services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; - security.acme.certs."nassime" = config.services.myCertificates.certConfig // { - domain = "nassime.bouya.org"; - }; services.websites.production.vhostConfs.nassime = { - certName = "nassime"; - hosts = ["nassime.bouya.org" ]; - root = varDir; - extraConfig = [ + certName = "nassime"; + certMainHost = "nassime.bouya.org"; + hosts = ["nassime.bouya.org" ]; + root = varDir; + extraConfig = [ '' Use Stats nassime.bouya.org ServerAdmin ${env.server_admin} diff --git a/nixops/modules/websites/ftp/papa.nix b/nixops/modules/websites/ftp/papa.nix index cdbc1b0..c8d05ef 100644 --- a/nixops/modules/websites/ftp/papa.nix +++ b/nixops/modules/websites/ftp/papa.nix @@ -11,9 +11,6 @@ in { config = lib.mkIf cfg.production.enable { security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; - security.acme.certs."papa" = config.services.myCertificates.certConfig // { - domain = "surveillance.maison.bbc.bouya.org"; - }; services.cron = { systemCronJobs = let 
@@ -35,10 +32,11 @@ in { }; services.websites.production.vhostConfs.papa = { - certName = "papa"; - hosts = [ "surveillance.maison.bbc.bouya.org" ]; - root = varDir; - extraConfig = [ + certName = "papa"; + certMainHost = "surveillance.maison.bbc.bouya.org"; + hosts = [ "surveillance.maison.bbc.bouya.org" ]; + root = varDir; + extraConfig = [ '' Use Apaxy "${varDir}" "title .duplicity-ignore" diff --git a/nixops/modules/websites/ftp/release.nix b/nixops/modules/websites/ftp/release.nix index 2ddd8bc..db3487f 100644 --- a/nixops/modules/websites/ftp/release.nix +++ b/nixops/modules/websites/ftp/release.nix @@ -13,10 +13,9 @@ in { config = lib.mkIf cfg.production.enable { services.webstats.sites = [ { name = "release.immae.eu"; } ]; - security.acme.certs."eldiron".extraDomains."release.immae.eu" = null; - services.websites.production.vhostConfs.release = { certName = "eldiron"; + addToCerts = true; hosts = [ "release.immae.eu" ]; root = varDir; extraConfig = [ diff --git a/nixops/modules/websites/ftp/temp.nix b/nixops/modules/websites/ftp/temp.nix index bdd80c0..86dfde3 100644 --- a/nixops/modules/websites/ftp/temp.nix +++ b/nixops/modules/websites/ftp/temp.nix @@ -11,11 +11,10 @@ in { }; config = lib.mkIf cfg.production.enable { - security.acme.certs."eldiron".extraDomains."temp.immae.eu" = null; - services.websites.production.modules = [ "headers" ]; services.websites.production.vhostConfs.temp = { certName = "eldiron"; + addToCerts = true; hosts = [ "temp.immae.eu" ]; root = varDir; extraConfig = [ diff --git a/nixops/modules/websites/ludivine/default.nix b/nixops/modules/websites/ludivine/default.nix index dfeff0a..70d5199 100644 --- a/nixops/modules/websites/ludivine/default.nix +++ b/nixops/modules/websites/ludivine/default.nix 
@@ -25,13 +25,6 @@ in { secrets.keys = ludivinecassal_prod.keys; services.webstats.sites = [ { name = "ludivinecassal.com"; } ]; - security.acme.certs."ludivinecassal" = config.services.myCertificates.certConfig // { - domain = "ludivinecassal.com"; - extraDomains = { - "www.ludivinecassal.com" = null; - }; - }; - services.myPhpfpm.preStart.ludivinecassal_prod = ludivinecassal_prod.phpFpm.preStart; services.myPhpfpm.serviceDependencies.ludivinecassal_prod = ludivinecassal_prod.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal_prod.phpFpm.pool; @@ -42,15 +35,15 @@ in { ''; services.websites.production.modules = ludivinecassal_prod.apache.modules; services.websites.production.vhostConfs.ludivine = { - certName = "ludivinecassal"; - hosts = ["ludivinecassal.com" "www.ludivinecassal.com" ]; - root = ludivinecassal_prod.apache.root; - extraConfig = [ ludivinecassal_prod.apache.vhostConf ]; + certName = "ludivinecassal"; + certMainHost = "ludivinecassal.com"; + hosts = ["ludivinecassal.com" "www.ludivinecassal.com" ]; + root = ludivinecassal_prod.apache.root; + extraConfig = [ ludivinecassal_prod.apache.vhostConf ]; }; }) (lib.mkIf cfg.integration.enable { secrets.keys = ludivinecassal_dev.keys; - security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null; services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.ludivinecassal_dev = ludivinecassal_dev.phpFpm.serviceDeps; @@ -63,6 +56,7 @@ in { services.websites.integration.modules = ludivinecassal_dev.apache.modules; services.websites.integration.vhostConfs.ludivine = { certName = "eldiron"; + addToCerts = true; hosts = [ "ludivine.immae.eu" ]; root = ludivinecassal_dev.apache.root; extraConfig = [ ludivinecassal_dev.apache.vhostConf ]; diff --git a/nixops/modules/websites/piedsjaloux/default.nix b/nixops/modules/websites/piedsjaloux/default.nix index 6ffb19c..a5ee24f 100644 
--- a/nixops/modules/websites/piedsjaloux/default.nix +++ b/nixops/modules/websites/piedsjaloux/default.nix @@ -25,13 +25,6 @@ in { secrets.keys = piedsjaloux_prod.keys; services.webstats.sites = [ { name = "piedsjaloux.fr"; } ]; - security.acme.certs."piedsjaloux" = config.services.myCertificates.certConfig // { - domain = "piedsjaloux.fr"; - extraDomains = { - "www.piedsjaloux.fr" = null; - }; - }; - services.myPhpfpm.preStart.piedsjaloux_prod = piedsjaloux_prod.phpFpm.preStart; services.myPhpfpm.serviceDependencies.piedsjaloux_prod = piedsjaloux_prod.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux_prod.phpFpm.pool; @@ -42,15 +35,15 @@ in { ''; services.websites.production.modules = piedsjaloux_prod.apache.modules; services.websites.production.vhostConfs.piedsjaloux = { - certName = "piedsjaloux"; - hosts = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ]; - root = piedsjaloux_prod.apache.root; - extraConfig = [ piedsjaloux_prod.apache.vhostConf ]; + certName = "piedsjaloux"; + certMainHost = "piedsjaloux.fr"; + hosts = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ]; + root = piedsjaloux_prod.apache.root; + extraConfig = [ piedsjaloux_prod.apache.vhostConf ]; }; }) (lib.mkIf cfg.integration.enable { secrets.keys = piedsjaloux_dev.keys; - security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null; services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux_dev.phpFpm.pool; @@ -62,6 +55,7 @@ in { services.websites.integration.modules = piedsjaloux_dev.apache.modules; services.websites.integration.vhostConfs.piedsjaloux = { certName = "eldiron"; + addToCerts = true; hosts = [ "piedsjaloux.immae.eu" ]; root = piedsjaloux_dev.apache.root; extraConfig = [ piedsjaloux_dev.apache.vhostConf ]; 
diff --git a/nixops/modules/websites/tellesflorian/default.nix b/nixops/modules/websites/tellesflorian/default.nix index eb02174..bbbde07 100644 --- a/nixops/modules/websites/tellesflorian/default.nix +++ b/nixops/modules/websites/tellesflorian/default.nix @@ -17,7 +17,6 @@ in { config = lib.mkIf cfg.integration.enable { secrets.keys = tellesflorian_dev.keys; - security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null; services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian_dev.phpFpm.pool; @@ -29,6 +28,7 @@ in { services.websites.integration.modules = adminer.apache.modules ++ tellesflorian_dev.apache.modules; services.websites.integration.vhostConfs.tellesflorian = { certName = "eldiron"; + addToCerts = true; hosts = ["app.tellesflorian.com" ]; root = tellesflorian_dev.apache.root; extraConfig = [ diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix index 69b5fb0..5e010f4 100644 --- a/nixops/modules/websites/tools/cloud.nix +++ b/nixops/modules/websites/tools/cloud.nix @@ -49,12 +49,11 @@ in { }; config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."cloud.immae.eu" = null; - services.websites.tools.modules = [ "proxy_fcgi" ]; services.websites.tools.vhostConfs.cloud = { certName = "eldiron"; + addToCerts = true; hosts = ["cloud.immae.eu" ]; root = apacheRoot; extraConfig = [ diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix index ea2105b..075cf48 100644 --- a/nixops/modules/websites/tools/dav/default.nix +++ b/nixops/modules/websites/tools/dav/default.nix 
@@ -27,13 +27,12 @@ in { }; config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null; - secrets.keys = davical.keys; services.websites.tools.modules = davical.apache.modules; services.websites.tools.vhostConfs.dav = { certName = "eldiron"; + addToCerts = true; hosts = ["dav.immae.eu" ]; root = null; extraConfig = [ diff --git a/nixops/modules/websites/tools/db.nix b/nixops/modules/websites/tools/db.nix index 70650fa..7c15c23 100644 --- a/nixops/modules/websites/tools/db.nix +++ b/nixops/modules/websites/tools/db.nix @@ -9,11 +9,10 @@ in { }; config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null; - services.websites.tools.modules = adminer.apache.modules; services.websites.tools.vhostConfs.db-1 = { certName = "eldiron"; + addToCerts = true; hosts = ["db-1.immae.eu" ]; root = null; extraConfig = [ adminer.apache.vhostConf ]; diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix index 221e01c..ee5507d 100644 --- a/nixops/modules/websites/tools/diaspora.nix +++ b/nixops/modules/websites/tools/diaspora.nix @@ -148,13 +148,13 @@ in { services.websites.tools.modules = [ "headers" "proxy" "proxy_http" ]; - security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null; system.extraSystemBuilderCmds = '' mkdir -p $out/webapps ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora ''; services.websites.tools.vhostConfs.diaspora = { certName = "eldiron"; + addToCerts = true; hosts = [ "diaspora.immae.eu" ]; root = root; extraConfig = [ '' diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix index 6222b22..8c9bbb1 100644 --- a/nixops/modules/websites/tools/ether.nix +++ b/nixops/modules/websites/tools/ether.nix 
@@ -136,9 +136,9 @@ in { services.websites.tools.modules = [ "headers" "proxy" "proxy_http" "proxy_wstunnel" ]; - security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null; services.websites.tools.vhostConfs.etherpad-lite = { certName = "eldiron"; + addToCerts = true; hosts = [ "ether.immae.eu" ]; root = null; extraConfig = [ '' diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix index ea0d971..064d3dd 100644 --- a/nixops/modules/websites/tools/git/default.nix +++ b/nixops/modules/websites/tools/git/default.nix @@ -13,8 +13,6 @@ in { }; config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."git.immae.eu" = null; - secrets.keys = mantisbt.keys; services.websites.tools.modules = gitweb.apache.modules ++ @@ -27,6 +25,7 @@ in { services.websites.tools.vhostConfs.git = { certName = "eldiron"; + addToCerts = true; hosts = ["git.immae.eu" ]; root = gitweb.apache.root; extraConfig = [ diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix index 38b2107..ffd59dd 100644 --- a/nixops/modules/websites/tools/mastodon.nix +++ b/nixops/modules/websites/tools/mastodon.nix @@ -67,13 +67,13 @@ in { services.websites.tools.modules = [ "headers" "proxy" "proxy_wstunnel" "proxy_http" ]; - security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null; system.extraSystemBuilderCmds = '' mkdir -p $out/webapps ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon ''; services.websites.tools.vhostConfs.mastodon = { certName = "eldiron"; + addToCerts = true; hosts = ["mastodon.immae.eu" ]; root = root; extraConfig = [ '' diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix index 8a6f03f..eb56b35 100644 --- a/nixops/modules/websites/tools/mediagoblin.nix +++ b/nixops/modules/websites/tools/mediagoblin.nix 
@@ -83,9 +83,9 @@ in { "proxy" "proxy_http" ]; users.users.wwwrun.extraGroups = [ "mediagoblin" ]; - security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null; services.websites.tools.vhostConfs.mgoblin = { certName = "eldiron"; + addToCerts = true; hosts = ["mgoblin.immae.eu" ]; root = null; extraConfig = [ '' diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix index 6cc6d38..12ab3c4 100644 --- a/nixops/modules/websites/tools/peertube.nix +++ b/nixops/modules/websites/tools/peertube.nix @@ -153,9 +153,9 @@ in { services.websites.tools.modules = [ "headers" "proxy" "proxy_http" "proxy_wstunnel" ]; - security.acme.certs."eldiron".extraDomains."peertube.immae.eu" = null; services.websites.tools.vhostConfs.peertube = { certName = "eldiron"; + addToCerts = true; hosts = [ "peertube.immae.eu" ]; root = null; extraConfig = [ '' diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index 5e84f45..061c004 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix @@ -46,9 +46,6 @@ in { }; config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; - security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; - secrets.keys = kanboard.keys ++ ldap.keys @@ -86,6 +83,7 @@ in { services.websites.integration.vhostConfs.devtools = { certName = "eldiron"; + addToCerts = true; hosts = ["devtools.immae.eu" ]; root = "/var/lib/ftp/devtools.immae.eu"; extraConfig = [ @@ -105,6 +103,7 @@ in { services.websites.tools.vhostConfs.tools = { certName = "eldiron"; + addToCerts = true; hosts = ["tools.immae.eu" ]; root = "/var/lib/ftp/tools.immae.eu"; extraConfig = [ 
@@ -132,11 +131,11 @@ in { ]; }; - security.acme.certs."eldiron".extraDomains."outils.immae.eu" = null; services.websites.tools.vhostConfs.outils = { - certName = "eldiron"; - hosts = [ "outils.immae.eu" ]; - root = null; + certName = "eldiron"; + addToCerts = true; + hosts = [ "outils.immae.eu" ]; + root = null; extraConfig = [ '' RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1 -- 2.41.0