services: use wildcard certificate

Should have done this a long time ago

hosts/poseidon/default.nix

@@ -108,7 +108,6 @@ in
 
     monitoring = {
       enable = true;
-      useACME = true;
       domain = "monitoring.${config.networking.domain}";
     };
 
@@ -157,9 +156,6 @@ in
     };
   };
 
-  security.acme.acceptTerms = true;
-  security.acme.email = "antoine97.martin@gmail.com";
-
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
   services.openssh.permitRootLogin = "no";

secrets/default.nix

@@ -14,6 +14,7 @@ with lib;
     nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
     nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
     lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
+    gandiKey = lib.fileContents ./gandi-api-key.secret;
 
     borg-backup = import ./borg-backup { inherit lib; };
 

services/bitwarden_rs.nix

@@ -60,7 +60,7 @@ in {
       virtualHosts = {
         "pass.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."/" = {
             proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";

services/gitea/default.nix

@@ -91,7 +91,7 @@ in {
       virtualHosts = {
         "git.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."/" = {
             proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";

services/jellyfin.nix

@@ -24,7 +24,7 @@ in {
     # Proxy to Jellyfin
     services.nginx.virtualHosts."jellyfin.${domain}" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = domain;
 
       locations."/" = {
         proxyPass = "http://localhost:${toString jellyfinPort}/";

services/lohr.nix

@@ -65,7 +65,7 @@ in
     services.nginx.virtualHosts = {
       "lohr.${domain}" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = domain;
 
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString cfg.port}";

services/matrix.nix

@@ -171,7 +171,7 @@ in {
       virtualHosts = {
         "matrix.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations =
             let
@@ -199,7 +199,7 @@ in {
         "matrix.${domain}_federation" = rec {
           forceSSL = true;
           serverName = "matrix.${domain}";
-          useACMEHost = serverName;
+          useACMEHost = domain;
 
           locations."/".return = "404";
 
@@ -216,7 +216,7 @@ in {
 
         "${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."= /.well-known/matrix/server".extraConfig =
             let
@@ -243,7 +243,7 @@ in {
         # Element Web app deployment
         #
         "chat.${domain}" = {
-          enableACME = true;
+          useACMEHost = domain;
           forceSSL = true;
 
           root = pkgs.element-web.override {

services/miniflux.nix

@@ -50,7 +50,7 @@ in {
       virtualHosts = {
         "reader.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."/" = {
             proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";

services/monitoring.nix

@@ -2,11 +2,12 @@
 
 with lib;
 
-let cfg = config.my.services.monitoring;
+let
+  cfg = config.my.services.monitoring;
+  domain = config.networking.domain;
 in {
   options.my.services.monitoring = {
     enable = mkEnableOption "Enable monitoring";
-    useACME = mkEnableOption "Get HTTPS certs";
 
     domain = mkOption {
       type = types.str;
@@ -76,8 +77,8 @@ in {
           proxyWebsockets = true;
         };
 
-        forceSSL = cfg.useACME;
-        enableACME = cfg.useACME;
+        forceSSL = true;
+        useACMEHost = domain;
       };
     };
   };

services/nextcloud.nix

@@ -66,7 +66,7 @@ in
       virtualHosts = {
         "cloud.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
         };
       };
     };

services/nginx.nix

@@ -1,7 +1,7 @@
 # Part of config shamelessly stolen from:
 #
 # https://github.com/delroth/infra.delroth.net
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   # Whenever something defines an nginx vhost, ensure that nginx defaults are
   # properly set.
@@ -17,5 +17,23 @@
     };
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    security.acme = {
+      acceptTerms = true;
+      email = "antoine97.martin@gmail.com";
+
+      certs =
+        let
+          domain = config.networking.domain;
+          gandiKey = config.my.secrets.gandiKey;
+        in {
+          "${domain}" = {
+            extraDomainNames = [ "*.${domain}" ];
+            dnsProvider = "gandiv5";
+            credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
+            group = "nginx";
+          };
+        };
+    };
   };
 }

services/paperless.nix

@@ -23,7 +23,7 @@ in
     services.nginx.virtualHosts = {
       "paperless.${domain}" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = domain;
 
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString cfg.port}";

services/transmission.nix

@@ -56,7 +56,7 @@ in
 
     services.nginx.virtualHosts."${webuiDomain}" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = domain;
 
       locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
     };