Refactored how SSL certs are configured for nginx

Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
2023-07-16 10:53:02 -07:00 · 2023-07-16 10:53:02 -07:00 · d5969ca923
commit d5969ca923
parent 60917107b1
9 changed files with 128 additions and 41 deletions
--- a/modules/services/nextcloud/default.nix
+++ b/modules/services/nextcloud/default.nix
@ -11,6 +11,14 @@ with lib; let
 in {
  options.aa.services.nextcloud = with types; {
    enable = mkEnableOption "nextcloud";
+    acmeCertName = mkOption {
+      type = str;
+      default = "";
+      description = ''
+        If set to a non-empty string, forces SSL with the supplied acme
+        certificate.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -47,9 +55,9 @@ in {
    };

    # nextcloud module configures nginx, just need to specify SSL stuffs here
-    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = mkIf (cfg.acmeCertName != "") {
      forceSSL = true;
-      useACMEHost = "kilonull.com";
+      useACMEHost = cfg.acmeCertName;
    };

    networking.firewall.allowedTCPPorts = [80 443];