-rw-r--r--.gitattributes1
-rw-r--r--system/services/acme/default.nix38
-rw-r--r--system/services/acme/domains.nixbin0 -> 130 bytes
3 files changed, 24 insertions, 15 deletions
diff --git a/.gitattributes b/.gitattributes
index a69acc8..80f5bb9 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
system/mail/users.nix filter=git-crypt diff=git-crypt
system/services/nginx/hosts.nix filter=git-crypt diff=git-crypt
+system/services/acme/domains.nix filter=git-crypt diff=git-crypt
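Review bot: Encrypting `system/services/acme/domains.nix` with git-crypt only hides the domain list in the repository. The same names are interpolated into the nginx virtual hosts and ACME certificate names in default.nix, so they end up in the generated configuration in the Nix store, and any certificate issued by a public CA is normally published in Certificate Transparency logs. If the goal is to keep the hostnames private, that threat model should be written down next to this line, e.g. `# domains.nix: hidden from repo readers only; names become public once certificates are issued`. A locked checkout will also fail to evaluate, since `import ./domains.nix` would then read the encrypted blob.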
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
index a163e77..0a0c4ce 100644
--- a/system/services/acme/default.nix
+++ b/system/services/acme/default.nix
@@ -1,11 +1,11 @@
-{...}: {
- users.users.nginx.extraGroups = ["acme"];
+{lib, ...}: let
+ domains = import ./domains.nix {};
- services.nginx = {
- enable = true;
- virtualHosts = {
- "acmechallenge.vhack.eu" = {
- serverAliases = ["*.vhack.eu"];
+ virtualHosts = builtins.listToAttrs (
+ builtins.map (domain_name: {
+ name = "acmechallenge.${domain_name}";
+ value = {
+ serverAliases = ["*.${domain_name}"];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
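Review bot: The challenge vhost built in the `builtins.map` lambda answers to `acmechallenge.${domain_name}` and `*.${domain_name}`, but the certificates generated later in the same `let` block are requested for `domain_name` itself, and an nginx wildcard of the form `*.example.org` does not match the bare name `example.org`. Unless another vhost (for example one in the encrypted hosts.nix, not visible here) or the default server also serves `/.well-known/acme-challenge` for those exact names, the HTTP-01 request may land in a different server block and validation can fail. If no other vhost already claims the name, consider `serverAliases = [domain_name "*.${domain_name}"];`. It would also help to assert that each entry of `domains` is a plain hostname before interpolating it into `name` and `serverAliases`. The `let` block continues past this hunk.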
@@ -13,18 +13,26 @@
return = "301 https://$host$request_uri";
};
};
- };
+ })
+ domains
+ );
+ certs = lib.attrsets.genAttrs domains (
+ domain_name: {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ }
+ );
+in {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ inherit virtualHosts;
};
security.acme = {
acceptTerms = true;
defaults.email = "admin@vhack.eu";
- certs = {
- "server1.vhack.eu" = {
- webroot = "/var/lib/acme/.challenges";
- group = "nginx";
- extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
- };
- };
+ inherit certs;
};
}
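Review bot: The new `certs = lib.attrsets.genAttrs domains (...)` produces one certificate per list entry with no `extraDomainNames`, whereas the removed definition issued a single `"server1.vhack.eu"` certificate that also covered `imap.vhack.eu` and `smtp.vhack.eu`. Anything that still refers to `security.acme.certs."server1.vhack.eu"` or its certificate directory (the mail configuration, presumably) will either lose the certificate or serve one without the mail names, unless domains.nix lists those names and the consumers are switched to the new per-domain certificates. Since domains.nix is encrypted on this page that cannot be checked here; please confirm it, or let the entries carry their own SANs, e.g. `extraDomainNames = extra.${domain_name} or [];`.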
diff --git a/system/services/acme/domains.nix b/system/services/acme/domains.nix
new file mode 100644
index 0000000..8f0930d
--- /dev/null
+++ b/system/services/acme/domains.nix
Binary files differ