fix ACME validation

2023-09-11 15:09:10 +02:00 · 2023-09-11 15:09:10 +02:00 · bdbfca3642
commit bdbfca3642
parent b6818d156c
4 changed files with 20 additions and 13 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -341,6 +341,8 @@
      enableSTS = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      '';
+      listenTLS   = [ { addr = "localhost"; port = 443; ssl = true; } ];
+      listenPlain = [ { addr = "[::]"; port = 80; } { addr = "0.0.0.0"; port = 80; } ];
    in
  rec {
    enable = true;
@ -356,10 +358,10 @@

    # Maxwell
    virtualHosts."${hostname}" = {
-      enableACME = true;
-      forceSSL   = true;
-      default    = true;
-
+      enableACME  = true;
+      forceSSL    = true;
+      default     = true;
+      listen      = listenTLS ++ listenPlain;
      extraConfig = disableLog + enableSTS;

      # Returns IP address
@ -402,6 +404,7 @@
    # Breve URL shortner
    virtualHosts."brve.bit" = with config.secrets; {
      forceSSL = true;
+      listen   = listenTLS ++ listenPlain;
      sslCertificate    = certs.breve.crt;
      sslCertificateKey = certs.breve.key;

@ -415,6 +418,7 @@
    # The Cactalogue
    virtualHosts."cacta.bit" = {
      root = "/run/nginx/static/cactalogue";
+      listen = listenPlain;
      extraConfig = disableLog;
    };
    virtualHosts."cacta.eurofusion.eu" = virtualHosts."cacta.bit";
--- a/email.nix
+++ b/email.nix
@ -58,6 +58,13 @@
  # Keep the key stable across renewals (for DANE)
  security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];

+  # Listen on localhost:443 for sslh
+  services.nginx.virtualHosts.${config.mailserver.fqdn}.listen =
+    [ { addr = "localhost"; port = 443; ssl = true; }
+      { addr = "[::]";      port = 80; }
+      { addr = "0.0.0.0";   port = 80; }
+    ];
+
  # Utilities
  environment.systemPackages = [
    # computes the DANE records
--- a/matrix.nix
+++ b/matrix.nix
@ -58,7 +58,11 @@ in
  services.nginx.virtualHosts."riot.${config.var.hostname}" =
  { enableACME = true;
    forceSSL   = true;
-
+    listen =
+      [ { addr = "localhost"; port = 443; ssl = true; }
+        { addr = "[::]";      port = 80; }
+        { addr = "0.0.0.0";   port = 80; }
+      ];
    locations."/" =
      { index = "index.html";
        alias = (pkgs.element-web.override { inherit conf; }) + "/";
--- a/nameserver.nix
+++ b/nameserver.nix
@ -46,14 +46,6 @@
        ];
    };

-  # Prevent collision between sslh and nginx
-  services.nginx.virtualHosts = with config.var;
-    { "brve.bit"          .listenAddresses = [ "localhost" ];
-      "mail.eurofusion.eu".listenAddresses = [ "localhost" ];
-      ${hostname}         .listenAddresses = [ "localhost" ];
-      "riot.${hostname}"  .listenAddresses = [ "localhost" ];
-    };
-
  # This is needed for the rotation of DNSCrypt keys
  security.polkit.enable = true;