authorlassulus <lassulus@lassul.us>2021-12-09 14:52:35 +0100
committerlassulus <lassulus@lassul.us>2021-12-09 14:52:35 +0100
commitabd82c4faf8a882c72f4f19125a280d8d14f852f (patch)
tree6bccc24c243c1e66c18d8a99f883bdd59b347ab8 /krebs/2configs/acme.nix
parentfba330ab36ed3f0c5f5b01a1c434ed9e8281846a (diff)
ca.r: serve ca.crt via nginx
Diffstat (limited to 'krebs/2configs/acme.nix')
-rw-r--r--krebs/2configs/acme.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
index b5e51a1a2..056aa7ae4 100644
--- a/krebs/2configs/acme.nix
+++ b/krebs/2configs/acme.nix
@@ -7,15 +7,17 @@ in {
email = "spam@krebsco.de";
certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
};
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts.${domain} = {
- forceSSL = true;
+ addSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "https://localhost:1443";
};
+ locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
};
};
krebs.secret.files.krebsAcme = {
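Review bot: Replacing `forceSSL = true;` with `addSSL = true;` drops the HTTP-to-HTTPS redirect for the whole vhost, so `locations."/"` (the proxy to `https://localhost:1443`) is now answered on plain port 80 as well, not only `/ca.crt`. If only the CA certificate is meant to be reachable without TLS, consider keeping `forceSSL = true;` here and serving `/ca.crt` from a separate HTTP-only vhost. A CA certificate fetched over plain HTTP has no integrity protection, so a comment next to the new location would help, for example `# served over http for bootstrapping; verify the fingerprint out of band before trusting it`. The enclosing attribute set opens before this hunk and continues past its last line, so options outside the visible lines may already cover part of this.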