3 files changed, 18 insertions, 4 deletions

diff --git a/roles/web/default.nix b/roles/web/default.nix
index d9fc202..6797ac5 100644
--- a/roles/web/default.nix
+++ b/roles/web/default.nix
@@ -5,4 +5,9 @@
     ./personal
     ./stargazers
   ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "caroline@larimo.re";
+  };
 }
diff --git a/roles/web/personal/default.nix b/roles/web/personal/default.nix
index e036f98..16bf024 100644
--- a/roles/web/personal/default.nix
+++ b/roles/web/personal/default.nix
@@ -28,13 +28,17 @@ in {
   };
 
   config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ 80 ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
     
     services.nginx = {
       enable = true;
       virtualHosts = {
         "caroline.larimo.re" = {
-          serverAliases = [ "cxl.sh" "localhost" ];
+          serverAliases = [ "cxl.sh" ];
+
+          addSSL = true;
+          enableACME = true;
+
           locations."/" = {
             recommendedProxySettings = true;
             proxyPass = "http://localhost:8080/";
diff --git a/roles/web/stargazers/default.nix b/roles/web/stargazers/default.nix
index b7cca11..644f91f 100644
--- a/roles/web/stargazers/default.nix
+++ b/roles/web/stargazers/default.nix
@@ -7,12 +7,17 @@ let cfg = config.roles.web.stargazers; in {
   };
 
   config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ 80 ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
     
     services.nginx = {
       enable = true;
       virtualHosts = {
-        "stargazers.xn--6frz82g".root = "/srv/web/stargazers";
+        "stargazers.xn--6frz82g" = {
+          addSSL = true;
+          enableACME = true;
+
+          root = "/srv/web/stargazers";
+        };
       };
     };
   };