Refactored how SSL certs are configured for nginx

Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
2023-07-16 10:53:02 -07:00 · 2023-07-16 10:53:02 -07:00 · d5969ca923
commit d5969ca923
parent 60917107b1
9 changed files with 128 additions and 41 deletions
--- a/modules/services/nix-serve/default.nix
+++ b/modules/services/nix-serve/default.nix
@ -19,6 +19,14 @@ in {
      type = str;
      description = "The subdomain to use.";
    };
+    acmeCertName = mkOption {
+      type = str;
+      default = "";
+      description = ''
+        If set to a non-empty string, forces SSL with the supplied acme
+        certificate.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -38,8 +46,8 @@ in {

      nginx = {
        enable = true;
-        virtualHosts = {
-          "${cfg.subdomain_name}.${cfg.domain_name}" = {
+        virtualHosts."${cfg.subdomain_name}.${cfg.domain_name}" =
+          {
            serverAliases = ["${cfg.subdomain_name}"];
            locations."/".extraConfig = ''
              proxy_pass http://localhost:${toString config.services.nix-serve.port};
@ -47,13 +55,16 @@ in {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            '';
+          }
+          // lib.optionalAttrs (cfg.acmeCertName != "") {
+            forceSSL = true;
+            useACMEHost = cfg.acmeCertName;
          };
-        };
      };
    };

    networking.firewall = {
-      allowedTCPPorts = [80];
+      allowedTCPPorts = [80 443];
    };
  };
 }