From ceccb9946e2487468135ce673235aa079780a943 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Sat, 15 Aug 2020 20:07:53 -0300
Subject: Use NGINX to handle the creation of certificates for prosody

After a terraform state rm '...' of the server and domain configuration, and recreating the instance again while leaving the dettached one running. I had to do this because I was experimenting too much with the domain and I hit the Let's Encrypt rate limit[0]. Because of that I'll recreate certificates less often so that doesn't happen in the new domain during development of the VPS. I'm not shure if this solution works, but I'll commit just as a checkpoint. I had to change the custom DNS nameservers from Digital Ocean to Vultr and that may take a while, so it's worth having this as a checkpoint in time while I'm off to other things.
[0]: https://letsencrypt.org/docs/rate-limits/
---
 vps-configuration.env.nix | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)
(limited to 'vps-configuration.env.nix')

diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index a521bc7..d72d7f8 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -73,6 +73,17 @@ in {
 security.acme = {
 acceptTerms = true;
 email = envsubstConfiguration.letsencryptEmail;
+ certs = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ webroot = "/var/lib/acme/.challenges";
+ user = "prosody";
+ group = "prosody";
+ extraDomains = {
+ "${envsubstConfiguration.prosodyMUCTLD}" = null;
+ "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+ };
+ };
+ };
 };
 
 services = {
@@ -106,8 +117,12 @@ in {
 root = boneco;
 };
 "${envsubstConfiguration.prosodyTLD}" = {
- forceSSL = true;
- enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
+ };
 };
 };
 };
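Review bot: The new certs entry runs the ACME client as `user = "prosody"; group = "prosody";`, which fits the key and chain paths prosody consumes later in this commit, but the same identity then owns the HTTP-01 token files written under `/var/lib/acme/.challenges`, a directory nginx serves as its own user in the next hunk; confirm the nginx worker can read those token files, otherwise validation fails (a 403/404 on `/.well-known/acme-challenge` in the nginx error log) and every failed attempt counts against the Let's Encrypt failed-validation limit the commit message is already worried about. Since the message describes this as an experiment, pointing the client at the Let's Encrypt staging directory during development via the NixOS `security.acme.server` option, if the release in use exposes it, keeps further tries from consuming the production quota.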
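Review bot: Only the `"${envsubstConfiguration.prosodyTLD}"` virtual host receives the `/.well-known/acme-challenge` location, yet the certificate defined in the first hunk also covers `prosodyMUCTLD` and `prosodyHTTPUploadTLD`; unless nginx happens to select this vhost as its default server, HTTP-01 requests for those two names are not answered from the webroot and issuance fails for the whole certificate. Adding `serverAliases = [ "${envsubstConfiguration.prosodyMUCTLD}" "${envsubstConfiguration.prosodyHTTPUploadTLD}" ];` to this vhost makes the challenge location and the redirect apply to all three names. Note also that with `forceSSL`/`enableACME` removed this vhost no longer has an HTTPS listener, so the `301 https://…` redirect lands on whatever else answers on 443 for that name; presumably that is intended, but nothing in this hunk serves it.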
@@ -142,23 +157,25 @@ in {
 };
 };
 
- prosody = {
+ prosody = let
+ fullchainPEM =
+ "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ in {
 enable = true;
 admins = [ envsubstConfiguration.prosodyAdminUser ];
 allowRegistration = true;
 ssl = {
- cert =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ cert = fullchainPEM;
+ key = keyPEM;
 };
 virtualHosts = {
 "${envsubstConfiguration.prosodyTLD}" = {
 enabled = true;
 domain = "${envsubstConfiguration.prosodyTLD}";
 ssl = {
- cert =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ cert = fullchainPEM;
+ key = keyPEM;
 };
 };
 };
-- 
cgit v1.2.3
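Review bot: Binding `fullchainPEM`/`keyPEM` removes the duplicated paths, but nothing in this commit reloads prosody when the ACME client renews the files at those paths; as far as I know prosody loads the key and chain at start-up, so after the first renewal it would keep serving the old, eventually expired certificate unless something outside this file restarts it. The cert entry added in the first hunk can carry `postRun = "systemctl restart prosody.service";` so that renewal and reload stay in step. The `services` set enclosing `prosody` starts before this hunk, and the trailing `};` lines presumably close the prosody attribute set rather than `services` itself.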