author | EuAndreh <eu@euandre.org> | 2020-08-15 20:07:53 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2020-08-16 06:13:21 -0300 |
commit | ceccb9946e2487468135ce673235aa079780a943 (patch) | |
tree | a969c63e7fd0f555a88b13328251602ae9bded72 /vps-configuration.env.nix | |
parent | Use letsencrypt to generate the TLS certificate (diff) | |
Use NGINX to handle the creation of certificates for prosody
After a terraform state rm '...' of the server and domain configuration, and
recreating the instance while leaving the detached one running.
I had to do this because I was experimenting too much with the domain and I hit
the Let's Encrypt rate limit[0].
Because of that, I'll recreate certificates less often so that this doesn't happen in
the new domain during development of the VPS.
I'm not sure whether this solution works, but I'll commit it as a checkpoint. I
had to change the custom DNS nameservers from Digital Ocean to Vultr and that
may take a while, so it's worth having this as a checkpoint in time while I'm
off to other things.
[0]: https://letsencrypt.org/docs/rate-limits/
Diffstat (limited to 'vps-configuration.env.nix')
-rw-r--r-- | vps-configuration.env.nix | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index a521bc7..d72d7f8 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -73,6 +73,17 @@ in {
 security.acme = {
 acceptTerms = true;
 email = envsubstConfiguration.letsencryptEmail;
+ certs = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ webroot = "/var/lib/acme/.challenges";
+ user = "prosody";
+ group = "prosody";
+ extraDomains = {
+ "${envsubstConfiguration.prosodyMUCTLD}" = null;
+ "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+ };
+ };
+ };
 };
 services = {
@@ -106,8 +117,12 @@ in {
 root = boneco;
 };
 "${envsubstConfiguration.prosodyTLD}" = {
- forceSSL = true;
- enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
+ };
 };
 };
 };
@@ -142,23 +157,25 @@ in {
 };
 };
- prosody = {
+ prosody = let
+ fullchainPEM =
+ "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ in {
 enable = true;
 admins = [ envsubstConfiguration.prosodyAdminUser ];
 allowRegistration = true;
 ssl = {
- cert =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ cert = fullchainPEM;
+ key = keyPEM;
 };
 virtualHosts = {
 "${envsubstConfiguration.prosodyTLD}" = {
 enabled = true;
 domain = "${envsubstConfiguration.prosodyTLD}";
 ssl = {
- cert =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ cert = fullchainPEM;
+ key = keyPEM;
 };
 };
 }; |
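Review bot: The new `security.acme.certs."${envsubstConfiguration.prosodyTLD}"` entry in the first hunk has no `postRun`, so when the certificate renews nothing tells prosody to pick up the new `fullchain.pem`/`key.pem` it reads from `/var/lib/acme/...`, and prosody will keep serving the old chain until it is restarted and eventually present an expired certificate; add `postRun = "systemctl restart prosody.service";` (a reload instead if prosody re-reads certificates on SIGHUP). The same entry also lists the MUC and HTTP-upload names under `extraDomains`, but the only vhost that serves `/.well-known/acme-challenge` from `/var/lib/acme/.challenges` (second hunk) is the one for prosodyTLD, so unless those two names are answered by an nginx vhost outside this diff the HTTP-01 validation for them will fail and the whole cert will not be issued. With `user = "prosody"` the challenge files in that webroot are written as the prosody user, so it is worth confirming that nginx can read them, since a permission error here looks like a generic validation failure against the rate limit the commit message is trying to avoid.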
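Review bot: Dropping `forceSSL = true; enableACME = true;` in the second hunk leaves the nginx vhost for prosodyTLD with no TLS listener, yet its `/` location still returns `301 https://$host$request_uri`, so the redirect sends clients to an HTTPS server that nginx no longer configures for this name; they will either be refused or land on whatever default TLS server exists elsewhere in the file with a certificate for a different name. Keep the HTTPS side bound to the certificate the acme entry now produces, e.g. `forceSSL = true; useACMEHost = "${envsubstConfiguration.prosodyTLD}";`, and keep the explicit acme-challenge location so its root stays aligned with the cert's `webroot = "/var/lib/acme/.challenges"`. The enclosing `services.nginx.virtualHosts` attribute set starts and ends outside this hunk, so whether a default TLS server is defined there cannot be seen here.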