diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix index ce7fc292..29ed6633 100644 --- a/nixbld-etc-nixos/configuration.nix +++ b/nixbld-etc-nixos/configuration.nix @@ -543,29 +543,7 @@ in security.acme.acceptTerms = true; security.acme.defaults.email = "sb" + "@m-labs.hk"; - security.acme.certs = { - "nixbld.m-labs.hk" = { - group = "nginx"; - webroot = "/var/lib/acme/acme-challenge"; - extraDomainNames = [ - "m-labs.hk" - "www.m-labs.hk" - "conda.m-labs.hk" - "lab.m-labs.hk" - "git.m-labs.hk" - "chat.m-labs.hk" - "hooks.m-labs.hk" - "forum.m-labs.hk" - "perso.m-labs.hk" - "call.m-labs.hk" - "rt.m-labs.hk" - "nmigen.org" - "www.nmigen.org" - "m-labs.science" - "www.m-labs.science" - ]; - }; - }; + # https://github.com/NixOS/nixpkgs/issues/106862 systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ]; @@ -576,7 +554,7 @@ in virtualHosts = let mainWebsite = { addSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; root = "${hydraWwwOutputs}/web"; extraConfig = '' error_page 404 /404.html; @@ -655,7 +633,7 @@ in "www.m-labs.science" = mainWebsite; "lab.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/munin/".alias = "/var/www/munin/"; locations."/munin".extraConfig = '' auth_basic "Munin"; @@ -670,12 +648,12 @@ in }; "nixbld.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3000"; }; "conda.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/artiq-beta/" = { alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/"; extraConfig = '' 
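Review bot: Dropping `security.acme.certs."nixbld.m-labs.hk"` in the first hunk (@@ -543) stops renewal of the shared multi-name certificate, but nothing here retires the existing key material. As far as I know the ACME module does not clean up state for a removed cert, so the old private key and a certificate covering every listed name likely stay on disk and remain valid until expiry; removing that state after cutover (and revoking if the key is considered retired) would close that out. The diff only updates nginx vhosts, so any other consumer of that certificate would need checking separately, which is not visible from here. A one-line comment in place of the removed block, e.g. `# certificates are now issued per vhost via enableACME in services.nginx.virtualHosts`, would tell the next reader where the cert definitions went.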
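Review bot: `mainWebsite` (@@ -576) keeps `addSSL = true`, so every vhost built from it still answers on plain HTTP alongside HTTPS; the same holds for `perso.m-labs.hk` (@@ -746) and the two nmigen.org vhosts (@@ -779). If nothing depends on plaintext access, `forceSSL = true;` would match the other vhosts in this file; if it is deliberate, a short comment saying why would help. Because this attrset is reused for several names (`"www.m-labs.science" = mainWebsite;` is visible in the next hunk), `enableACME = true;` here means one certificate order per name instead of one shared cert, which is worth keeping in mind for issuance rate limits on a fresh deploy. The `let` binding starts and continues outside the hunk.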
@@ -707,7 +685,7 @@ in }; "git.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3001"; extraConfig = '' client_max_body_size 300M; @@ -715,14 +693,14 @@ in }; "chat.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8065"; locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065"; locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true; }; "hooks.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/mattermost-github".extraConfig = '' include ${pkgs.nginx}/conf/uwsgi_params; uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock; @@ -734,7 +712,7 @@ in }; "forum.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; root = "/var/www/flarum/public"; locations."~ \.php$".extraConfig = '' fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket}; @@ -746,18 +724,17 @@ in ''; }; "call.m-labs.hk" = { - useACMEHost = "nixbld.m-labs.hk"; - enableACME = false; forceSSL = true; + enableACME = true; }; "perso.m-labs.hk" = { addSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; root = "/var/www/perso"; }; "rt.m-labs.hk" = { forceSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:4201"; extraConfig = '' @@ -779,14 +756,14 @@ in }; "nmigen.org" = { addSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/".extraConfig = '' return 307 https://m-labs.hk/gateware/nmigen/; ''; }; "www.nmigen.org" = { addSSL = true; - useACMEHost = "nixbld.m-labs.hk"; + enableACME = true; locations."/".extraConfig = '' return 307 https://m-labs.hk/gateware/nmigen/; '';
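Review bot: In the @@ -746 hunk, `call.m-labs.hk` previously carried an explicit `enableACME = false;` next to `useACMEHost`, which suggests another module sets ACME options for this vhost; the new side flips it to `true` without saying why the override was there. The vhost has no `root` or `locations` in this file, so presumably the rest of its definition comes from elsewhere; a comment such as `# vhost body comes from the service module; only TLS options are set here` (wording to be confirmed against the actual module) would make that explicit. If the service behind this name also reads certificate files directly instead of going through nginx, it needs to follow the move to the per-host certificate, which is not visible in this diff.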