From 7e3a95f2807bec9692131e1aec167c78db0fdbe2 Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq <sb@m-labs.hk>
Date: Mon, 1 Apr 2019 19:47:47 +0800
Subject: [PATCH] use single ACME certificate

---
 nixbld-etc-nixos/configuration.nix | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 06c8d88..73034d6 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -132,33 +132,44 @@ ACTION=="add", SUBSYSTEM=="tty", \
     siteUrl = "https://chat.m-labs.hk/";
   };
 
+  security.acme.certs = {
+    "nixbld.m-labs.hk" = {
+      webroot = "/var/lib/acme/acme-challenge";
+      extraDomains = {
+        "buildbot.m-labs.hk" = null;
+        "lab.m-labs.hk" = null;
+        "git.m-labs.hk" = null;
+        "chat.m-labs.hk" = null;
+      };
+    };
+  };
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
     virtualHosts = {
       "buildbot.m-labs.hk" = {
         addSSL = true;
-        enableACME = true;
+        useACMEHost = "nixbld.m-labs.hk";
         locations."/".proxyPass = "http://192.168.1.100";
       };
       "lab.m-labs.hk" = {
         addSSL = true;
-        enableACME = true;
+        useACMEHost = "nixbld.m-labs.hk";
         locations."/".proxyPass = "http://192.168.1.100";
       };
       "nixbld.m-labs.hk" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = "nixbld.m-labs.hk";
         locations."/".proxyPass = "http://127.0.0.1:3000";
       };
       "git.m-labs.hk" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = "nixbld.m-labs.hk";
         locations."/".proxyPass = "http://127.0.0.1:3001";
       };
       "chat.m-labs.hk" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = "nixbld.m-labs.hk";
         locations."/".proxyPass = "http://127.0.0.1:8065";
       };
     };