enable acme http challenge

2025-12-04 15:14:37 +01:00 · 2025-12-04 15:14:37 +01:00 · ea94303f03
commit ea94303f03
parent 0c71452bb8
2 changed files with 7 additions and 2 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -146,7 +146,7 @@
        renewInterval = "daily";
        email = "acme@xengi.de";
        group = "nginx";
-        webroot = "/var/lib/acme/acme-challenge";
+        webroot = "/var/lib/acme/acme-challenges";
      };
    };
  };
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -4,6 +4,8 @@ let
  fqdn = "matrix.berlin.ccc.de";
 in
 {
+  users.users.nginx.extraGroups = [ "acme" ];
+
  services.nginx = {
    enable = true;
    resolver.addresses = [
@ -46,6 +48,7 @@ in
        }
      ];
      locations = {
+        "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
        "/".return = "418 \"I'm a Teapot!\"";
        "= /.well-known/matrix/client" = {
          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
@ -67,5 +70,7 @@ in
    };
  };

-  security.acme.certs."${fqdn}".reloadServices = [ "nginx" ];
+  security.acme.certs."${fqdn}" = {
+    reloadServices = [ "nginx" ];
+  };
 }