From abd82c4faf8a882c72f4f19125a280d8d14f852f Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 9 Dec 2021 14:52:35 +0100
Subject: ca.r: serve ca.crt via nginx
---
 krebs/2configs/acme.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'krebs/2configs')
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
index b5e51a1a..056aa7ae 100644
--- a/krebs/2configs/acme.nix
+++ b/krebs/2configs/acme.nix
@@ -7,15 +7,17 @@ in {
 email = "spam@krebsco.de";
 certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
 };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
 virtualHosts.${domain} = {
- forceSSL = true;
+ addSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "https://localhost:1443";
 };
+ locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
 };
 };
 krebs.secret.files.krebsAcme = {
--
cgit v1.2.3
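Review bot: Replacing `forceSSL` with `addSSL` on the vhost removes the HTTP-to-HTTPS redirect for every location, so `locations."/"` (the proxy to `https://localhost:1443`) is now also answered over cleartext port 80, not only `/ca.crt`. If only the CA certificate is meant to be reachable without TLS, the redirect can be kept for the proxied location, for example by adding `extraConfig = "if ($scheme = http) { return 301 https://$host$request_uri; }";` inside `locations."/"`. A comment next to the `/ca.crt` location should say that a copy fetched over plain HTTP has no integrity protection, so its fingerprint needs to be checked against the copy in the repository before it is installed as a trust anchor. The new `networking.firewall.allowedTCPPorts = [ 80 443 ];` line opens both ports on all interfaces; if the service is only meant for one network, the interface-scoped `networking.firewall.interfaces.<name>.allowedTCPPorts` would be narrower. The enclosing attribute set starts and ends outside the hunk.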