Refactored how SSL certs are configured for nginx

Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
2023-07-16 10:53:02 -07:00 · 2023-07-16 10:53:02 -07:00 · d5969ca923
commit d5969ca923
parent 60917107b1
9 changed files with 128 additions and 41 deletions
--- a/modules/services/adguardhome/default.nix
+++ b/modules/services/adguardhome/default.nix
@ -11,6 +11,14 @@ with lib; let
 in {
  options.aa.services.adguardhome = with types; {
    enable = mkEnableOption "adguardhome";
+    acmeCertName = mkOption {
+      type = str;
+      default = "";
+      description = ''
+        If set to a non-empty string, forces SSL with the supplied acme
+        certificate.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -26,37 +34,16 @@ in {
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
-      virtualHosts."adguardhome.kilonull.com" = {
-        forceSSL = true;
-        useACMEHost = "kilonull.com";
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:3000";
+      virtualHosts."adguardhome.kilonull.com" =
+        {
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:3000";
+          };
+        }
+        // lib.optionalAttrs (cfg.acmeCertName != "") {
+          forceSSL = true;
+          useACMEHost = cfg.acmeCertName;
        };
-      };
-    };
-
-    # So that nginx has access to the ACME certs
-    users.users.nginx.extraGroups = ["acme"];
-
-    age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
-
-    security.acme = {
-      # NOTE: Uncomment line below when testing changes
-      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      acceptTerms = true;
-      defaults.email = "iam@alejandr0angul0.dev";
-
-      # Wildcard cert
-      certs."kilonull.com" = {
-        dnsProvider = "cloudflare";
-        # Private network resolves *.kilonull.com to private servers but `lego`
-        # (acme client under the hood) needs to find the cloudflare nameservers
-        # to determine the correct zone to apply changes in. Use cloudflare's
-        # own DNS to make `lego` happy (will resolve names to a public IP).
-        dnsResolver = "1.1.1.1:53";
-        credentialsFile = config.age.secrets.cf_dns_kilonull.path;
-        extraDomainNames = ["*.kilonull.com"];
-      };
    };

    networking.firewall = {