From 38ca2ee87474b28104e3218f075395242229a4af Mon Sep 17 00:00:00 2001
From: "xyno (Philipp Hochkamp)"
Date: Thu, 14 Sep 2023 15:43:01 +0200
Subject: [PATCH] a
---
 hosts/picard/default.nix | 22 +++++++++++++++-------
 hosts/picard/xynospace-matrix.nix | 1 -
 lib/options.nix | 21 +++++++++++----------
 nixos-modules/services/authelia.nix | 12 ++++++------
 nixos-modules/services/hedgedoc.nix | 2 +-
 nixos-modules/services/nginx.nix | 5 +++++
 6 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 32c4caa0..a458e4a6 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -48,14 +48,15 @@
 ragon.agenix.secrets."picardSlidingSyncSecret" = { };
 services.nginx.recommendedOptimisation = true;
+
 services.nginx.virtualHosts."xyno.space" = {
- enableACME = true;
- forceSSL = true;
 locations."/".proxyPass = "http://[::1]${config.services.xynoblog.listen}";
 locations."/gyakapyukawfyuokfgwtyutf.js".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}/js/plausible.outbound-links.js";
 locations."/api/event".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
- };
+ } // (lib.my.findOutTlsConfig "xyno.space" config);
+
 services.lolpizza2.enable = true;
+
 services.nginx.virtualHosts."lolpizza.ragon.xyz" = {
 useACMEHost = "ragon.xyz";
 forceSSL = true;
@@ -63,11 +64,18 @@
 };
 services.nginx.virtualHosts."xyno.systems" = {
- enableACME = true;
- forceSSL = true;
 locations."/".return = "307 https://xyno.space$request_uri";
- } // (lib.findOutTlsConfig "xyno.systems" config);
+ } // (lib.my.findOutTlsConfig "xyno.systems" config);
+ security.acme.certs."xyno.space" = {
+ dnsProvider = "ionos";
+ dnsResolver = "1.1.1.1:53";
+ group = "nginx";
+ extraDomainNames = [
+ "*.xyno.systems"
+ ];
+ credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
+ };
 security.acme.certs."xyno.systems" = {
 dnsProvider = "ionos";
 dnsResolver = "1.1.1.1:53";
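Review bot: The new `security.acme.certs."xyno.space"` block in hosts/picard/default.nix requests `extraDomainNames = [ "*.xyno.systems" ]`, the same wildcard the `xyno.systems` cert directly below already carries, so no subdomain of xyno.space is covered by the new certificate; this reads as copied from the block below, and if a wildcard for this domain is intended it should be `extraDomainNames = [ "*.xyno.space" ];`. The pairing of `dnsProvider = "ionos"` with a secret named `cloudflareAcme` is inherited from the existing block, but if the credentials really are IONOS ones a comment such as `# IONOS API credentials; the secret name predates the provider switch` on the new block would save the next reader a detour. Both vhosts in this file now take their TLS settings from `lib.my.findOutTlsConfig`, so these two cert blocks are the only source of their certificates.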
@@ -76,7 +84,6 @@
 "*.xyno.systems"
 ];
 credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
-
 };
 services.nginx.appendHttpConfig = ''
@@ -160,6 +167,7 @@
 ts3.enable = true;
 nginx.enable = true;
 nginx.domain = "ragon.xyz";
+ nginx.domains = [ "xyno.space" "xyno.systems" ];
 };
 };
diff --git a/hosts/picard/xynospace-matrix.nix b/hosts/picard/xynospace-matrix.nix
index c6a77e4a..f75b7aaf 100644
--- a/hosts/picard/xynospace-matrix.nix
+++ b/hosts/picard/xynospace-matrix.nix
@@ -94,7 +94,6 @@ in
 services.nginx.virtualHosts = {
 "${serverName}" = {
 forceSSL = true;
- enableACME = true;
 locations."= /.well-known/matrix/server".extraConfig = let
diff --git a/lib/options.nix b/lib/options.nix
index f4852ff8..6576b37a 100644
--- a/lib/options.nix
+++ b/lib/options.nix
@@ -17,18 +17,19 @@ rec {
 };
 findOutTlsConfig = domain: config: let
- spl = builtins.splitString "." domain;
- outerDomain = builtins.concatStringsSep "." (builtins.take (builtins.length spl - 1) spl);
+ spl = lib.splitString "." domain;
+ len = builtins.length spl;
+ outerDomain = lib.traceVal (lib.concatStringsSep "." (lib.sublist (len - 2) len spl));
+ domains = config.ragon.services.nginx.domains;
+ hasDomain = lib.any (d: d == outerDomain) domains;
 in
- lib.mkMerge [
- ((lib.hasAttr outerDomain config.acme.certs) && {
- forceSSL = true;
- useACMEHost = "${domain}";
- })
- (!(lib.hasAttr outerDomain config.acme.certs) && {
+ if hasDomain then {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+ } else
+ {
 forceSSL = true;
 enableACME = true;
- })
- ];
+ };
 }
diff --git a/nixos-modules/services/authelia.nix b/nixos-modules/services/authelia.nix
index eb57ae6c..1b3f6a59 100644
--- a/nixos-modules/services/authelia.nix
+++ b/nixos-modules/services/authelia.nix
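Review bot: `nginx.domains = [ "xyno.space" "xyno.systems" ]` in hosts/picard/default.nix omits `ragon.xyz`, although `nginx.domain` is set to it on the line above and the `lolpizza.ragon.xyz` vhost earlier in the same file hand-writes `useACMEHost = "ragon.xyz"`; any host under ragon.xyz passed to `lib.my.findOutTlsConfig` will therefore fall into its `enableACME = true` branch and request a certificate of its own. If sharing the ragon.xyz certificate is the intent, `nginx.domains = [ "ragon.xyz" "xyno.space" "xyno.systems" ];` keeps the two settings consistent.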
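Review bot: In hosts/picard/xynospace-matrix.nix, dropping `enableACME = true;` leaves the `"${serverName}"` vhost with `forceSSL = true;` and no certificate source inside the hunk (no `useACMEHost`, no `sslCertificate`); unless one is set further down in the attrset, which continues past the hunk, nginx has no certificate to serve on 443 for this host. The other vhosts touched by this commit obtain their TLS settings by merging `lib.my.findOutTlsConfig`, so the same pattern presumably belongs here, closing the attrset with `} // (lib.my.findOutTlsConfig serverName config);`. Which branch that takes depends on whether the two-label suffix of `serverName` is listed in `ragon.services.nginx.domains`.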
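Review bot: In lib/options.nix the `hasDomain` branch sets `useACMEHost = "${domain}"`, but the certificate that a listing in `ragon.services.nginx.domains` promises exists is named after `outerDomain`, so for any vhost that is a subdomain of a listed domain (say a host under xyno.systems) nginx would be pointed at a certificate that does not exist; it works for the two call sites in this commit only because there `domain` equals `outerDomain`. The fix is `useACMEHost = outerDomain;`. The `lib.traceVal` around `outerDomain` prints the value on every evaluation and looks like leftover debugging, and `lib.sublist (len - 2) len spl` relies on `sublist` clamping the count where `lib.sublist (len - 2) 2 spl` states what is meant; a single-label `domain` makes `len - 2` negative, which nothing here guards against. A one-line comment above the binding, e.g. `# TLS attrs for a vhost: reuse the parent domain's ACME cert when that domain is in ragon.services.nginx.domains, else request a per-host cert`, would make the contract visible to callers.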
@@ -13,12 +13,12 @@ in
 };
 config = lib.mkIf cfg.enable {
- ragon.secrets.autheliaStorageEncryption = { };
- ragon.secrets.autheliaSessionSecret = { };
- ragon.secrets.autheliaOidcIssuerPrivateKey = { };
- ragon.secrets.autheliaOidcHmacSecret = { };
- ragon.secrets.autheliaJwtSecret = { };
- ragon.secrets.autheliaEmail = { user = "authelia"; };
+ ragon.agenix.secrets.autheliaStorageEncryption = { };
+ ragon.agenix.secrets.autheliaSessionSecret = { };
+ ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { };
+ ragon.agenix.secrets.autheliaOidcHmacSecret = { };
+ ragon.agenix.secrets.autheliaJwtSecret = { };
+ ragon.agenix.secrets.autheliaEmail = { user = "authelia"; };
 services.authelia.instances.${instanceName} = {
 enable = true;
 secrets = {
diff --git a/nixos-modules/services/hedgedoc.nix b/nixos-modules/services/hedgedoc.nix
index b796eef1..3dbae3d7 100644
--- a/nixos-modules/services/hedgedoc.nix
+++ b/nixos-modules/services/hedgedoc.nix
@@ -11,7 +11,7 @@ in
 default = "md.xyno.systems";
 };
 config = lib.mkIf cfg.enable {
- ragon.secrets.autheliaHedgedoc = { user = "authelia"; };
+ ragon.agenix.secrets.autheliaHedgedoc = { user = "authelia"; };
 services.authelia.instances.main.settingsFiles = [
 config.age.secrets.autheliaHedgedoc.path
 ];
diff --git a/nixos-modules/services/nginx.nix b/nixos-modules/services/nginx.nix
index 894b4fe2..e034c1ab 100644
--- a/nixos-modules/services/nginx.nix
+++ b/nixos-modules/services/nginx.nix
@@ -9,6 +9,11 @@ in
 type = lib.types.str;
 default = "hailsatan.eu";
 };
+ options.ragon.services.nginx.domains =
+ lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
 config = lib.mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.nginx = {
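Review bot: The new `options.ragon.services.nginx.domains` option in nixos-modules/services/nginx.nix has no `description`, and what a listing means — that `lib.my.findOutTlsConfig` treats a vhost whose two-label suffix appears here as covered by `security.acme.certs.<suffix>` and emits `useACMEHost` instead of `enableACME` — is only discoverable by reading lib/options.nix. Add `description = "Domains that have a shared certificate in security.acme.certs; vhosts under them reuse it via lib.my.findOutTlsConfig instead of requesting their own.";`. The default of `[ ]` also does not include the value of the `domain` option that the preceding lines appear to close, so a host under that domain gets a per-host certificate unless the domain is repeated in this list; whichever is intended is worth stating in the description.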