william/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Switch from wildcard to per-domain SSL certificates

Browse source 
Updated mkNginxVHosts to use per-domain certificates (enableACME) instead
of shared wildcard certificates (useACMEHost). Each service now requests
its own certificate, avoiding conflicts between hosts and following the
principle of least privilege.

Removed wildcard certificate configuration from both alexandria and trantor.
Each host now only obtains certificates for domains it actually serves:
- Alexandria: pass.baduhai.dev, cloud.baduhai.dev, jellyfin.baduhai.dev
- Trantor: git.baduhai.dev
This commit is contained in:
William 2025-11-08 21:47:41 -03:00
parent 34622a05cb
commit 73db534269
5 changed files with 7 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/alexandria/vaultwarden.nix
View file

@ -20,7 +20,6 @@ in
};
services.nginx.virtualHosts = mkNginxVHosts {
acmeHost = "baduhai.dev";
domains."pass.baduhai.dev".locations."/".proxyPass =
"http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
};