From 2abdb9e5a7e71cb0786d06cd7a94c296d98abbf0 Mon Sep 17 00:00:00 2001
From: coolneng
Date: Sat, 13 Jan 2024 18:55:16 +0100
Subject: [PATCH] Use one SSL certificate for all subdomains
---
 modules/webstack.nix | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/modules/webstack.nix b/modules/webstack.nix
index 4801e62..448983b 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -31,7 +31,7 @@
 '';
 virtualHosts = {
 "coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 # Redirect from legacy subdirectory URL to subdomain
 locations = {
@@ -53,7 +53,7 @@
 };
 };
 "radicale.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:5232/";
@@ -64,12 +64,12 @@
 };
 };
 "sync.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/".proxyPass = "http://localhost:8384/";
 };
 "git.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:3000/";
@@ -81,12 +81,12 @@
 };
 };
 "rss.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/".proxyPass = "http://localhost:8080/";
 };
 "matrix.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 listen = [
 {
@@ -109,7 +109,7 @@
 };
 };
 "element.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/".root = pkgs.element-web.override {
 conf.default_server_config = {
@@ -119,7 +119,7 @@
 };
 };
 "wallabag.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 root = "${pkgs.wallabag}/web";
 locations = {
@@ -140,7 +140,7 @@
 };
 };
 "books.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:9000/";
@@ -152,7 +152,7 @@
 };
 };
 "grafana.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:9009/";
@@ -160,7 +160,7 @@
 };
 };
 "nightscout.coolneng.duckdns.org" = {
- enableACME = true;
+ useACMEHost = "coolneng.duckdns.org";
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://localhost:1337";
@@ -178,7 +178,19 @@
 defaults = {
 email = "akasroua@disroot.org";
 dnsResolver = "127.0.0.1:53";
+ group = "nginx";
+ webroot = "/var/lib/acme/acme-challenge";
 };
+ certs."coolneng.duckdns.org".extraDomainNames = [
+ "radicale.coolneng.duckdns.org"
+ "sync.coolneng.duckdns.org"
+ "git.coolneng.duckdns.org"
+ "rss.coolneng.duckdns.org"
+ "matrix.coolneng.duckdns.org"
+ "element.coolneng.duckdns.org"
+ "wallabag.coolneng.duckdns.org"
+ "books.coolneng.duckdns.org"
+ ];
 };
 # Generate dhparams
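Review bot: The `grafana.coolneng.duckdns.org` vhost in this hunk and the `nightscout.coolneng.duckdns.org` vhost in the next one are switched to `useACMEHost = "coolneng.duckdns.org"`, but neither name appears in `certs."coolneng.duckdns.org".extraDomainNames` in the last hunk, which lists only eight of the ten subdomains. As written, the shared certificate would not carry those two names, so clients would get a hostname-mismatch warning on both sites. Users who get used to clicking through that warning lose the protection `forceSSL` is meant to give. Add `"grafana.coolneng.duckdns.org"` and `"nightscout.coolneng.duckdns.org"` to the list. The vhost bodies continue outside these hunks.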
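Review bot: `group = "nginx";` and `webroot = "/var/lib/acme/acme-challenge";` are added under `defaults` in the last hunk, so they apply to every certificate declared under `security.acme.certs`, not only the shared one. If a certificate for another service is defined elsewhere in the configuration (not visible here), its private key would also become readable by the nginx group. Setting both options on `certs."coolneng.duckdns.org"` itself, next to `extraDomainNames`, keeps key access scoped to the one consumer that needs it. A short comment there noting that every vhost using `useACMEHost` must also be listed in `extraDomainNames` would help keep the two in sync.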