Switch from Nixpkgs TLS to Nixcloud TLS fails #23

Closed
erictapen opened this issue Apr 24, 2018 · 5 comments

Comments

@erictapen
Contributor

I went from

{ config, pkgs, ...}:{
  services.nginx = {
    enable = true;
    virtualHosts = {
      "erictapen.de" = {
        locations."/" = {
          root = "/webroot/erictapen.de/";
        };
        enableACME = true;
        forceSSL = true;
      };
    };
  };
}

to

{ config, pkgs, ...}:{
  services.nginx = {
    enable = true;
    virtualHosts = {
      "erictapen.de" = {
        locations."/" = {
          root = "/webroot/erictapen.de/";
        };
        forceSSL = true;
        sslCertificate = config.nixcloud.TLS.certs."erictapen.de-ACME".tls_certificate;
        sslCertificateKey = config.nixcloud.TLS.certs."erictapen.de-ACME".tls_certificate_key;
      };
    };
  };
}

.

When deploying with NixOps this fails:

...
myhost> warning: the following units failed: acme-erictapen.de-ACME.service
...

I don't have enough capacity to provide a redacted log of acme-erictapen.de-ACME.service, so I will send it to @qknight, so that he can post snippets without sensitive information in it.

Nix info:

  • system: "x86_64-linux"
  • host os: Linux 4.14.35, NixOS, 18.03 (Impala)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.0
  • nixpkgs: /home/justin/nixpkgs

@qknight
Member

qknight commented Apr 25, 2018

@erictapen can you please post your nixcloud.TLS.certs configuration.

BIG WARNING

nixcloud.TLS was designed to be used with nixcloud.reverse-proxy, and you clearly don't use it, as you are using services.nginx on port 80. By definition your services.nginx service has to handle the ACME requests, BUT it will only do that if you configure vhost.enableACME || vhost.useACMEHost != null, as pointed out here: https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/services/web-servers/nginx/default.nix#L180

BUT maybe you can also use nixcloud.TLS with services.nginx running on port 80 (not using nixcloud.reverse-proxy), we could try this:

  1. re-add enableACME = true; to your config and see https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/services/web-servers/nginx/default.nix#L181

  2. your generated nginx config must contain the .well-known for the respective domain:

       systemctl cat nginx.service

     from there search the config file and check if it contains the string .well-known

  3. then reissue the acme certificate target (should be re-executed after nixos-rebuild switch every time you make changes); you can restart it manually using:

       systemctl restart acme-erictapen.de-ACME.service

please report your results. I'm curious!

how to configure nixcloud.TLS

https://github.com/nixcloud/nixcloud-webservices/blob/master/documentation/nixcloud.TLS.md#how-to-use-nixcloudtls

should be like this:

nixcloud.TLS.certs = {
  "erictapen.de-ACME" = {
    domain = "erictapen.de";
  };
};
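Steps 2 and 3 above amount to a check that the nginx config started by the unit actually serves the ACME http-01 challenge path. The script below is an added example, not part of this issue or of the nixcloud or nixpkgs code: it takes the text of `systemctl cat nginx.service`, pulls the `-c <config>` path out of the `ExecStart=` line (the form nixpkgs' nginx module uses; treated as an assumption here), and reports whether that file contains a `.well-known/acme-challenge` location. The unit dumps and nginx configs it runs against are constructed sample files written to a temp directory, so it runs offline; on a real host you would pass `"$(systemctl cat nginx.service)"` instead.

```shell
# Added example: check that the nginx config referenced by nginx.service
# serves /.well-known/acme-challenge. All sample data below is constructed.

# Print the config path from the ExecStart= line of a unit dump ($1).
# Assumes the nixpkgs form "ExecStart=.../bin/nginx -c <config> -p <dir>".
nginx_config_path() {
  printf '%s\n' "$1" | sed -n 's/^ExecStart=.* -c \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the config file ($1) has an ACME challenge location, 1 otherwise.
has_acme_location() {
  grep -q '\.well-known/acme-challenge' "$1"
}

# Combine both: 0 = challenge path served, 1 = missing, 2 = no config path found.
acme_check() {
  path=$(nginx_config_path "$1")
  if [ -z "$path" ]; then
    echo "could not find '-c <config>' in ExecStart of the unit dump"
    return 2
  fi
  if has_acme_location "$path"; then
    echo "ok: $path serves /.well-known/acme-challenge"
    return 0
  fi
  echo "missing: $path has no ACME challenge location (enableACME not set?)"
  return 1
}

# --- constructed sample data -------------------------------------------------
SAMPLE_DIR=$(mktemp -d)

# Config as generated with enableACME = true (challenge location present).
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
http {
  server {
    listen 80;
    server_name erictapen.de;
    location /.well-known/acme-challenge { root /var/lib/acme/acme-challenge; }
    location / { return 301 https://$host$request_uri; }
  }
}
EOF

# Config as in the issue's second snippet (forceSSL only, no ACME location).
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
http {
  server {
    listen 80;
    server_name erictapen.de;
    location / { return 301 https://$host$request_uri; }
  }
}
EOF

# Unit dumps in the shape of `systemctl cat nginx.service` (store paths are fake).
UNIT_GOOD=$(printf '# /nix/store/aaaa-unit-nginx.service/nginx.service\n[Service]\nExecStart=/nix/store/bbbb-nginx/bin/nginx -c %s -p /var/spool/nginx\n' "$SAMPLE_DIR/good.conf")
UNIT_BAD=$(printf '[Service]\nExecStart=/nix/store/bbbb-nginx/bin/nginx -c %s -p /var/spool/nginx\n' "$SAMPLE_DIR/bad.conf")

# Demonstration run (on a real host: acme_check "$(systemctl cat nginx.service)").
acme_check "$UNIT_GOOD" || true
acme_check "$UNIT_BAD" || true
```

If the check reports "missing", restarting acme-erictapen.de-ACME.service as in step 3 will keep failing, because the challenge response is never served; the fix is in the nginx vhost definition, not in the certificate unit.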

@qknight
Member

qknight commented Apr 25, 2018

update: https://github.com/NixOS/nixpkgs/blob/release-18.03/nixos/modules/services/web-servers/nginx/default.nix#L592 is also exporting security.acme.certs which should contradict the nixcloud.TLS settings as they probably won't merge.

without major rewrites you won't be able to use services.nginx with nixcloud.TLS

that said, you can always hack your nginx.config manually by using https://nixos.org/nixos/options.html#services.nginx.config

and then it will be possible ... but not easy.

@qknight
Member

qknight commented Apr 25, 2018

@aszlig this is one reason we need the stateful nginx backend feature, so ppl can just migrate to nixcloud-webservices without much change at first...

@qknight qknight closed this as completed Apr 25, 2018
@erictapen
Contributor Author

Oh no, then I completely misunderstood the module, sorry. Will have a look at nixcloud.reverse-proxy asap...

@qknight
Member

qknight commented Apr 25, 2018

I'll be updating the documentation ASAP. Seems nixcloud.TLS breaks other assumptions as well.
