Diffstat (limited to 'services')
-rw-r--r--services/acme_server.nix23
-rw-r--r--services/ejabberd.nix13
-rw-r--r--services/mailserver.nix4
-rw-r--r--services/movim.nix28
-rw-r--r--services/murmur.nix27
-rw-r--r--services/website.nix44
6 files changed, 82 insertions, 57 deletions
diff --git a/services/acme_server.nix b/services/acme_server.nix
new file mode 100644
index 0000000..bd6961b
--- /dev/null
+++ b/services/acme_server.nix
@@ -0,0 +1,23 @@
+{ fqdn }: { pkgs, config, lib, ... }:
+let
+ inherit fqdn;
+in
+{
+ users.groups.acme = { };
+
+ /* trigger the actual certificate generation for additional hostname */
+ security.acme.certs."${fqdn}" = {
+ extraDomainNames = [ "mail.crashoverburn.com"];
+ };
+
+ secrix.system.secrets.dns01.encrypted.file = ../secrets/gandi_dns01_token;
+ # Configure ACME appropriately
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ dnsProvider = "gandiv5";
+ group = "acme";
+ environmentFile = config.secrix.system.secrets.dns01.decrypted.path;
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+}
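Review bot: The comment on `dnsPropagationCheck = false` says the DNS server is local, but `dnsProvider = "gandiv5"` two lines above points at Gandi's public API, so either the comment is stale or the propagation check is being skipped against an external provider, where lego would attempt the DNS-01 challenge before the TXT record is visible and the order would fail. I would either drop the override or reword the comment to state the real reason, e.g. `# Propagation check disabled: <reason> — verify challenges still succeed against gandiv5`. The `inherit fqdn;` in the `let` is a no-op since `fqdn` is already the module argument, and `extraDomainNames = [ "mail.crashoverburn.com" ]` hardcodes a SAN next to a parameterized `fqdn`, so `extraDomainNames = [ "mail.${fqdn}" ];` would keep the file consistent. Worth noting in a comment that every host in group `acme` can read this certificate's key material, since that group is the default for all certs here.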
diff --git a/services/ejabberd.nix b/services/ejabberd.nix
index 935a409..7149a0d 100644
--- a/services/ejabberd.nix
+++ b/services/ejabberd.nix
@@ -236,12 +236,13 @@ in
};
};
security.acme.certs.${fqdn} = {
-# extraDomainNames = map (x: "${x}.${fqdn}") [
-# "pubsub"
-# "proxy"
-# "upload"
-# "conference"
-# ];
+ # extraDomainNames = map (x: "${x}.${fqdn}") [
+ # "pubsub"
+ # "proxy"
+ # "upload"
+ # "conference"
+ # ];
+ #useACMEHost = "crashoverburn.com";
group = "ejabberd-cert";
postRun = "systemctl restart ejabberd.service";
};
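Review bot: The added `#useACMEHost = "crashoverburn.com";` is misleading where it sits: `useACMEHost` is an nginx `virtualHosts` option, not an option of `security.acme.certs.<name>`, so uncommenting it inside this attribute set would fail evaluation rather than reuse the shared certificate. The same dead comment is added in services/murmur.nix at the top of `security.acme.certs.${fqdn}`. I would remove both, or replace them with a comment that says what is actually intended, e.g. `# shared cert lives in acme_server.nix; ejabberd-specific cert kept for group/postRun only`. The enclosing `security.acme.certs` block's owning module starts outside this hunk.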
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 7807e0b..015f0df 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,4 +1,4 @@
-{ hashedPasswordFile }: { pkgs, ... }:
+{ hashedPasswordFile }: { config, pkgs, ... }:
{
mailserver = {
stateVersion = 3;
@@ -13,6 +13,6 @@
aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ];
};
};
- certificateScheme = "acme-nginx";
+ x509.useACMEHost = config.mailserver.fqdn;
};
}
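Review bot: `x509.useACMEHost = config.mailserver.fqdn` makes the mailserver depend on a certificate whose attribute name equals its own fqdn, but the only certificate added in this commit (services/acme_server.nix) is keyed by that module's `fqdn` argument and carries `mail.crashoverburn.com` only as an extra SAN; if `mailserver.fqdn` is `mail.crashoverburn.com`, as the alias on the context line suggests, no cert of that name may exist and the reference would fail at evaluation. The value should match the cert's attribute name, likely `x509.useACMEHost = "crashoverburn.com";`, with a comment pointing at where that cert is declared. Dropping `certificateScheme = "acme-nginx"` also removes the implicit group handling that scheme provided, so the mail daemons' read access to the shared cert directory should be confirmed. `config` is now threaded in only for this one reference.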
diff --git a/services/movim.nix b/services/movim.nix
index 27b273b..4d9ce31 100644
--- a/services/movim.nix
+++ b/services/movim.nix
@@ -1,26 +1,26 @@
{ fqdn }: { config, lib, pkgs, inputs, ... }:
let
- port =2024;
+ port = 2024;
in
{
-# Nginx configuration
+ # Nginx configuration
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
- services.movim = {
- enable = true;
- domain = "${fqdn}";
- port = 2024; # WebSocket port
-
- podConfig = {
- timezone = "UTC";
- description = "OverBurnSocial";
- xmppdomain = fqdn;
- };
- nginx =
- {
+ services.movim = {
+ enable = true;
+ domain = "${fqdn}";
+ port = 2024; # WebSocket port
+
+ podConfig = {
+ timezone = "UTC";
+ description = "OverBurnSocial";
+ xmppdomain = fqdn;
+ };
+ nginx =
+ {
forceSSL = true;
useACMEHost = "crashoverburn.com";
};
diff --git a/services/murmur.nix b/services/murmur.nix
index f40774f..6e2ed7b 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -51,23 +51,24 @@ in
${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
'';
security.acme.certs.${fqdn} = {
+ #useACMEHost = "crashoverburn.com";
group = "murmur-cert";
postRun = "systemctl restart murmur.service";
- webroot = "/var/lib/acme/acme-challenge/";
+ #webroot = "/var/lib/acme/acme-challenge/";
};
users.groups.murmur-cert.members = [ "murmur" "nginx" ];
-# services.nginx = {
-# enable = true;
-# virtualHosts.${fqdn} = {
-# listenAddresses = [
-# "10.0.1.30"
-# ];
-# useACMEHost = "crashoverburn.com";
-# #enableACME = true;
-# forceSSL = true;
-# locations."/".return = "301 https://crashoverburn.com/mumble";
-# };
-# };
+ # services.nginx = {
+ # enable = true;
+ # virtualHosts.${fqdn} = {
+ # listenAddresses = [
+ # "10.0.1.30"
+ # ];
+ # useACMEHost = "crashoverburn.com";
+ # #enableACME = true;
+ # forceSSL = true;
+ # locations."/".return = "301 https://crashoverburn.com/mumble";
+ # };
+ # };
}
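Review bot: Commenting out `webroot` leaves this certificate with no challenge configuration of its own, so it now silently relies on `security.acme.defaults` (dns-01 via gandiv5) being set by services/acme_server.nix; the same applies to the webroot commented out in services/website.nix. If that module is not imported on a given host, the cert for `${fqdn}` here has no way to be validated and the error surfaces only at renewal time. I would state the dependency in place of the dead line, e.g. `# challenge settings come from security.acme.defaults (see acme_server.nix)`, rather than keeping the commented-out webroot. The commented-out nginx block below is unchanged apart from indentation and could be deleted if it is not coming back.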
diff --git a/services/website.nix b/services/website.nix
index 784f3b3..b15ffa2 100644
--- a/services/website.nix
+++ b/services/website.nix
@@ -1,37 +1,37 @@
{ webroot }: { config, lib, pkgs, ... }:
-let
-fqdn = "crashoverburn.com";
+let
+ fqdn = "crashoverburn.com";
in
{
users.users.nginx.extraGroups = [ "acme" ];
- security.acme.certs."${fqdn}" =
- {
- extraDomainNames= map (x: "${x}.${fqdn}")
+ security.acme.certs."${fqdn}" =
+ {
+ extraDomainNames = map (x: "${x}.${fqdn}")
[
- "pubsub"
- "proxy"
- "upload"
- "conference"
- "social"
- "pics.social"
- ];
- webroot = "/var/lib/acme/acme-challenge/";
- };
+ "pubsub"
+ "proxy"
+ "upload"
+ "conference"
+ "social"
+ "pics.social"
+ ];
+ # webroot = "/var/lib/acme/acme-challenge/";
+ };
services.nginx = {
enable = true;
virtualHosts = {
"${fqdn}" = {
forceSSL = true;
- enableACME = true;
- #useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ useACMEHost = "crashoverburn.com";
locations."/".root = webroot;
};
- "crashoverburn.online" = {
- forceSSL = true;
- #useACMEHost = "crashoverburn.com";
- enableACME = true;
- locations."/".root = webroot;
- };
+ # "crashoverburn.online" = {
+ # forceSSL = true;
+ # useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ # locations."/".root = webroot;
+ # };
};
};
}
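Review bot: `useACMEHost = "crashoverburn.com"` duplicates the `fqdn` binding introduced at the top of the same file, so a future change to `fqdn` would leave the vhost pointing at a stale certificate name; `useACMEHost = fqdn;` keeps the two in sync. Since the vhost no longer requests its own cert, nginx's ability to read the shared one depends entirely on `users.users.nginx.extraGroups = [ "acme" ]` on the context line above, which is worth a one-line comment next to `useACMEHost`. The `crashoverburn.online` vhost is commented out rather than removed; if DNS for that name still points here, requests will fall through to nginx's default vhost, which this change does not address.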