diff --git a/hosts/alpha/acme.nix b/hosts/alpha/acme.nix
index ea03a07..6a3832a 100644
--- a/hosts/alpha/acme.nix
+++ b/hosts/alpha/acme.nix
@@ -1,14 +1,16 @@
 {lib, ...}: {
- security.acme.certs."caspervk.net" = {
- domain = "*.caspervk.net";
- reloadServices = [
- "caddy.service"
- "murmur.service"
- ];
- # The NixOS Caddy module is a little too clever and sets the cert's group
- # to 'caddy', which means other services can't load it. This is not needed
- # since we handle the group membership manually.
- group = lib.mkForce "acme";
+ security.acme.certs = {
+ "caspervk.net" = {
+ domain = "*.caspervk.net";
+ reloadServices = [
+ "caddy.service"
+ "murmur.service"
+ ];
+ # The NixOS Caddy module is a little too clever and sets the cert's group
+ # to 'caddy', which means other services can't load it. This is not needed
+ # since we handle the group membership manually.
+ group = lib.mkForce "acme";
+ };
 };
 users.groups.acme.members = [
 "caddy"
diff --git a/hosts/delta/acme.nix b/hosts/delta/acme.nix
index c3b905b..07d8cb5 100644
--- a/hosts/delta/acme.nix
+++ b/hosts/delta/acme.nix
@@ -1,10 +1,12 @@
 {...}: {
- security.acme.certs."caspervk.net" = {
- domain = "*.caspervk.net";
- reloadServices = [
- "kresd@1.service"
- "kresd@2.service"
- ];
+ security.acme.certs = {
+ "caspervk.net" = {
+ domain = "*.caspervk.net";
+ reloadServices = [
+ "kresd@1.service"
+ "kresd@2.service"
+ ];
+ };
 };
 users.groups.acme.members = [
 "knot-resolver"
diff --git a/hosts/sigma/acme.nix b/hosts/sigma/acme.nix
index 9c37186..a7a3f6f 100644
--- a/hosts/sigma/acme.nix
+++ b/hosts/sigma/acme.nix
@@ -1,13 +1,21 @@
 {lib, ...}: {
- security.acme.certs."caspervk.net" = {
- domain = "*.caspervk.net";
- reloadServices = [
- "caddy.service"
- ];
- # The NixOS Caddy module is a little too clever and sets the cert's group
- # to 'caddy', which means other services can't load it. This is not needed
- # since we handle the group membership manually.
- group = lib.mkForce "acme";
+ security.acme.certs = {
+ "caspervk.net" = {
+ domain = "*.caspervk.net";
+ reloadServices = [
+ "caddy.service"
+ ];
+ # The NixOS Caddy module is a little too clever and sets the cert's group
+ # to 'caddy', which means other services can't load it. This is not needed
+ # since we handle the group membership manually.
+ group = lib.mkForce "acme";
+ };
+ "sudomail.org" = {
+ reloadServices = [
+ "caddy.service"
+ ];
+ group = lib.mkForce "acme";
+ };
 };
 users.groups.acme.members = [
 "caddy"
diff --git a/modules/server/caddy.nix b/modules/server/caddy.nix
index 02ba4ad..a942b2e 100644
--- a/modules/server/caddy.nix
+++ b/modules/server/caddy.nix
@@ -20,7 +20,7 @@ lib.mkIf (config.services.caddy.virtualHosts != {}) {
 environment.persistence."/nix/persist" = {
 directories = [
 {
- directory = "/var/lib/caddy";
+ directory = "/var/www/html";
 user = "caddy";
 group = "caddy";
 mode = "0755";
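Review bot: The new `"sudomail.org"` entry forces the certificate into the `acme` group without the comment that justifies `lib.mkForce` on the entry above, and doing so makes its private key readable by every member of `users.groups.acme`, whose member list starts with `"caddy"` and continues outside the hunk. Only `caddy.service` appears in its `reloadServices`, so if Caddy is the sole consumer the Caddy module's default group of `caddy` is the narrower choice and the `group = lib.mkForce "acme";` line can simply be dropped; if other group members do need it, keep the override and add `# Shared with the other acme-group services, see caspervk.net above` so the wider exposure is visibly deliberate. Note also that `domain` is unset here, so unlike the wildcard entry above this certificate covers `sudomail.org` only; confirm no subdomains are expected to be served under it.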
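Review bot: The persisted web root `/var/www/html` is created with `user = "caddy"` and `mode = "0755"`, which lets a compromised Caddy process rewrite the content it serves; unless something deploys into it as the service user, prefer `user = "root"; group = "caddy"; mode = "0755";` so Caddy can only read it. Dropping `/var/lib/caddy` from persistence also means what is presumably Caddy's own state directory is wiped on every boot — harmless if every vhost uses certificates from `security.acme`, as the `acme.nix` changes in this commit suggest, but any site still relying on Caddy's automatic HTTPS would re-issue its certificate on each boot and risk CA rate limits, so a comment such as `# Caddy state is deliberately not persisted: all certs come from security.acme` at this entry would record the assumption. The enclosing `environment.persistence` attrset and the surrounding `lib.mkIf` block continue outside the hunk.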