a

hosts/picard/default.nix

@@ -48,14 +48,15 @@
   ragon.agenix.secrets."picardSlidingSyncSecret" = { };
 
   services.nginx.recommendedOptimisation = true;
+
   services.nginx.virtualHosts."xyno.space" = {
-    enableACME = true;
-    forceSSL = true;
     locations."/".proxyPass = "http://[::1]${config.services.xynoblog.listen}";
     locations."/gyakapyukawfyuokfgwtyutf.js".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}/js/plausible.outbound-links.js";
     locations."/api/event".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
-  };
+  } // (lib.my.findOutTlsConfig "xyno.space" config);
+
   services.lolpizza2.enable = true;
+
   services.nginx.virtualHosts."lolpizza.ragon.xyz" = {
     useACMEHost = "ragon.xyz";
     forceSSL = true;
@@ -63,11 +64,18 @@
   };
 
   services.nginx.virtualHosts."xyno.systems" = {
-    enableACME = true;
-    forceSSL = true;
     locations."/".return = "307 https://xyno.space$request_uri";
-  } // (lib.findOutTlsConfig "xyno.systems" config);
+  } // (lib.my.findOutTlsConfig "xyno.systems" config);
 
+  security.acme.certs."xyno.space" = {
+    dnsProvider = "ionos";
+    dnsResolver = "1.1.1.1:53";
+    group = "nginx";
+    extraDomainNames = [
+      "*.xyno.systems"
+    ];
+    credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
+  };
   security.acme.certs."xyno.systems" = {
     dnsProvider = "ionos";
     dnsResolver = "1.1.1.1:53";
@@ -76,7 +84,6 @@
       "*.xyno.systems"
     ];
     credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
-
   };
 
   services.nginx.appendHttpConfig = ''
@@ -160,6 +167,7 @@
       ts3.enable = true;
       nginx.enable = true;
       nginx.domain = "ragon.xyz";
+      nginx.domains = [ "xyno.space" "xyno.systems" ];
     };
 
   };

hosts/picard/xynospace-matrix.nix

@@ -94,7 +94,6 @@ in
   services.nginx.virtualHosts = {
     "${serverName}" = {
       forceSSL = true;
-      enableACME = true;
 
       locations."= /.well-known/matrix/server".extraConfig =
         let

lib/options.nix

@@ -17,18 +17,19 @@ rec {
   };
   findOutTlsConfig = domain: config:
     let
-      spl = builtins.splitString "." domain;
+      spl = lib.splitString "." domain;
-      outerDomain = builtins.concatStringsSep "." (builtins.take (builtins.length spl - 1) spl);
+      len = builtins.length spl;
+      outerDomain = lib.traceVal (lib.concatStringsSep "." (lib.sublist (len - 2) len spl));
+      domains = config.ragon.services.nginx.domains;
+      hasDomain = lib.any (d: d == outerDomain) domains;
     in
-    lib.mkMerge [
+    if hasDomain then {
-      ((lib.hasAttr outerDomain config.acme.certs) && {
       forceSSL = true;
       useACMEHost = "${domain}";
-      })
+    } else
-      (!(lib.hasAttr outerDomain config.acme.certs) && {
+      {
         forceSSL = true;
         enableACME = true;
-      })
+      };
-    ];
 
 }

nixos-modules/services/authelia.nix

@@ -13,12 +13,12 @@ in
     };
   config = lib.mkIf cfg.enable {
 
-    ragon.secrets.autheliaStorageEncryption = { };
+    ragon.agenix.secrets.autheliaStorageEncryption = { };
-    ragon.secrets.autheliaSessionSecret = { };
+    ragon.agenix.secrets.autheliaSessionSecret = { };
-    ragon.secrets.autheliaOidcIssuerPrivateKey = { };
+    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { };
-    ragon.secrets.autheliaOidcHmacSecret = { };
+    ragon.agenix.secrets.autheliaOidcHmacSecret = { };
-    ragon.secrets.autheliaJwtSecret = { };
+    ragon.agenix.secrets.autheliaJwtSecret = { };
-    ragon.secrets.autheliaEmail = { user = "authelia"; };
+    ragon.agenix.secrets.autheliaEmail = { user = "authelia"; };
     services.authelia.instances.${instanceName} = {
       enable = true;
       secrets = {

nixos-modules/services/hedgedoc.nix

@@ -11,7 +11,7 @@ in
       default = "md.xyno.systems";
     };
   config = lib.mkIf cfg.enable {
-    ragon.secrets.autheliaHedgedoc = { user = "authelia"; };
+    ragon.agenix.secrets.autheliaHedgedoc = { user = "authelia"; };
     services.authelia.instances.main.settingsFiles = [
       config.age.secrets.autheliaHedgedoc.path
     ];

nixos-modules/services/nginx.nix

@@ -9,6 +9,11 @@ in
       type = lib.types.str;
       default = "hailsatan.eu";
     };
+  options.ragon.services.nginx.domains =
+    lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
   config = lib.mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = [ 80 443 ];
     services.nginx = {