a

2023-09-14 15:43:01 +02:00 · 2023-09-14 15:43:01 +02:00 · 38ca2ee874
commit 38ca2ee874
parent 1233b1afde
6 changed files with 38 additions and 25 deletions
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@ -48,14 +48,15 @@
  ragon.agenix.secrets."picardSlidingSyncSecret" = { };

  services.nginx.recommendedOptimisation = true;
+
  services.nginx.virtualHosts."xyno.space" = {
-    enableACME = true;
-    forceSSL = true;
    locations."/".proxyPass = "http://[::1]${config.services.xynoblog.listen}";
    locations."/gyakapyukawfyuokfgwtyutf.js".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}/js/plausible.outbound-links.js";
    locations."/api/event".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
-  };
+  } // (lib.my.findOutTlsConfig "xyno.space" config);
+
  services.lolpizza2.enable = true;
+
  services.nginx.virtualHosts."lolpizza.ragon.xyz" = {
    useACMEHost = "ragon.xyz";
    forceSSL = true;
@ -63,11 +64,18 @@
  };

  services.nginx.virtualHosts."xyno.systems" = {
-    enableACME = true;
-    forceSSL = true;
    locations."/".return = "307 https://xyno.space$request_uri";
-  } // (lib.findOutTlsConfig "xyno.systems" config);
+  } // (lib.my.findOutTlsConfig "xyno.systems" config);

+  security.acme.certs."xyno.space" = {
+    dnsProvider = "ionos";
+    dnsResolver = "1.1.1.1:53";
+    group = "nginx";
+    extraDomainNames = [
+      "*.xyno.systems"
+    ];
+    credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
+  };
  security.acme.certs."xyno.systems" = {
    dnsProvider = "ionos";
    dnsResolver = "1.1.1.1:53";
@ -76,7 +84,6 @@
      "*.xyno.systems"
    ];
    credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
-
  };

  services.nginx.appendHttpConfig = ''
@ -160,6 +167,7 @@
      ts3.enable = true;
      nginx.enable = true;
      nginx.domain = "ragon.xyz";
+      nginx.domains = [ "xyno.space" "xyno.systems" ];
    };

  };
--- a/hosts/picard/xynospace-matrix.nix
+++ b/hosts/picard/xynospace-matrix.nix
@ -94,7 +94,6 @@ in
  services.nginx.virtualHosts = {
    "${serverName}" = {
      forceSSL = true;
-      enableACME = true;

      locations."= /.well-known/matrix/server".extraConfig =
        let
--- a/lib/options.nix
+++ b/lib/options.nix
@ -17,18 +17,19 @@ rec {
  };
  findOutTlsConfig = domain: config:
    let
-      spl = builtins.splitString "." domain;
-      outerDomain = builtins.concatStringsSep "." (builtins.take (builtins.length spl - 1) spl);
+      spl = lib.splitString "." domain;
+      len = builtins.length spl;
+      outerDomain = lib.traceVal (lib.concatStringsSep "." (lib.sublist (len - 2) len spl));
+      domains = config.ragon.services.nginx.domains;
+      hasDomain = lib.any (d: d == outerDomain) domains;
    in
-    lib.mkMerge [
-      ((lib.hasAttr outerDomain config.acme.certs) && {
-        forceSSL = true;
-        useACMEHost = "${domain}";
-      })
-      (!(lib.hasAttr outerDomain config.acme.certs) && {
+    if hasDomain then {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+    } else
+      {
        forceSSL = true;
        enableACME = true;
-      })
-    ];
+      };

 }
--- a/nixos-modules/services/authelia.nix
+++ b/nixos-modules/services/authelia.nix
@ -13,12 +13,12 @@ in
    };
  config = lib.mkIf cfg.enable {

-    ragon.secrets.autheliaStorageEncryption = { };
-    ragon.secrets.autheliaSessionSecret = { };
-    ragon.secrets.autheliaOidcIssuerPrivateKey = { };
-    ragon.secrets.autheliaOidcHmacSecret = { };
-    ragon.secrets.autheliaJwtSecret = { };
-    ragon.secrets.autheliaEmail = { user = "authelia"; };
+    ragon.agenix.secrets.autheliaStorageEncryption = { };
+    ragon.agenix.secrets.autheliaSessionSecret = { };
+    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { };
+    ragon.agenix.secrets.autheliaOidcHmacSecret = { };
+    ragon.agenix.secrets.autheliaJwtSecret = { };
+    ragon.agenix.secrets.autheliaEmail = { user = "authelia"; };
    services.authelia.instances.${instanceName} = {
      enable = true;
      secrets = {
--- a/nixos-modules/services/hedgedoc.nix
+++ b/nixos-modules/services/hedgedoc.nix
@ -11,7 +11,7 @@ in
      default = "md.xyno.systems";
    };
  config = lib.mkIf cfg.enable {
-    ragon.secrets.autheliaHedgedoc = { user = "authelia"; };
+    ragon.agenix.secrets.autheliaHedgedoc = { user = "authelia"; };
    services.authelia.instances.main.settingsFiles = [
      config.age.secrets.autheliaHedgedoc.path
    ];
--- a/nixos-modules/services/nginx.nix
+++ b/nixos-modules/services/nginx.nix
@ -9,6 +9,11 @@ in
      type = lib.types.str;
      default = "hailsatan.eu";
    };
+  options.ragon.services.nginx.domains =
+    lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
  config = lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    services.nginx = {