srv0,webserver: expose port 80 so ACME can verify the certificate

2021-02-07 17:01:17 +01:00 · 2021-02-07 17:01:17 +01:00 · 8bff26c5e8
commit 8bff26c5e8
parent ffc9bb9fec
2 changed files with 29 additions and 4 deletions
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,5 +1,6 @@
 { hostAddress
 , localAddress
+, httpPort ? 80
 , httpsPort ? 443
 }: {
  config = { config, pkgs, lib, ... }: {
@ -17,18 +18,35 @@
    security.acme = {
      acceptTerms = true;
      certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
+      preliminarySelfsigned = true;
+
+      # can be used for debugging
+      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx.enable = true;
    services.nginx.virtualHosts."www.stefanjunker.de" = {
      default = true;
-      onlySSL = true;
+      addSSL = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = httpPort;
+          ssl = false;
+        }
+        {
+          addr = "0.0.0.0";
+          port = httpsPort;
+          ssl = true;
+        }
+      ];
+
      root = "/var/www/stefanjunker.de/htdocs";

      enableACME = true;
-      serverAliases = [
-        "stefanjunker.de"
-      ];
+      # serverAliases = [
+      #   "www.stefanjunker.de"
+      # ];
      # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
      # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";

@ -94,6 +112,12 @@

  privateNetwork = true;
  forwardPorts = [
+    {
+      # http
+      containerPort = 80;
+      hostPort = httpPort;
+      protocol = "tcp";
+    }
    {
      # https
      containerPort = 443;
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix
@ -61,6 +61,7 @@ in {
      hostAddress = "192.168.100.12";
      localAddress = "192.168.100.13";

+      httpPort = 80;
      httpsPort = 443;
    };