Infini-DL360: use wildcard certificate

2025-02-15 03:53:42 -05:00 · 2025-02-15 03:53:42 -05:00 · 8ab1fe878b
commit 8ab1fe878b
parent 2203788b2d
13 changed files with 34 additions and 21 deletions
--- a/hosts/Infini-DL360/conduwuit.nix
+++ b/hosts/Infini-DL360/conduwuit.nix
@ -31,7 +31,7 @@ in
  networking.firewall.allowedTCPPorts = [ 8448 ];

  services.nginx.virtualHosts = {
-    ${domain} = common.nginx.ssl // {
+    ${domain} = common.nginx.ssl-inx // {
      locations."^~ /_matrix" = {
        proxyPass = host;
        recommendedProxySettings = false;
--- a/hosts/Infini-DL360/forgejo.nix
+++ b/hosts/Infini-DL360/forgejo.nix
@ -102,7 +102,7 @@ in
    };
  };

-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    locations."/" = {
      proxyPass = "http://${cfg.settings.server.DOMAIN}:${toString cfg.settings.server.HTTP_PORT}";
      extraConfig = ''
--- a/hosts/Infini-DL360/freshrss.nix
+++ b/hosts/Infini-DL360/freshrss.nix
@ -4,7 +4,7 @@ let
  domain = "freshrss.inx.moe";
 in
 {
-  services.nginx.virtualHosts.${domain} = common.nginx.ssl;
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx;

  services.freshrss = {
    enable = true;
--- a/hosts/Infini-DL360/hedgedoc.nix
+++ b/hosts/Infini-DL360/hedgedoc.nix
@ -28,7 +28,7 @@ in
    };
  };

-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    locations."/" = {
      proxyPass = "http://${cfg.settings.host}:${toString cfg.settings.port}";
    };
--- a/hosts/Infini-DL360/hydra.nix
+++ b/hosts/Infini-DL360/hydra.nix
@ -9,7 +9,7 @@ let
  domain = common.subdomain "hydra";
 in
 {
-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.hydra.port}";
    };
--- a/hosts/Infini-DL360/immich.nix
+++ b/hosts/Infini-DL360/immich.nix
@ -9,7 +9,7 @@ let
  cfg = config.services.immich;
 in
 {
-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    extraConfig = ''
      client_max_body_size 5000M;

--- a/hosts/Infini-DL360/jellyfin.nix
+++ b/hosts/Infini-DL360/jellyfin.nix
@ -13,7 +13,7 @@ let
  '';
 in
 {
-  services.nginx.virtualHosts."jellyfin.inx.moe" = common.nginx.ssl // {
+  services.nginx.virtualHosts."jellyfin.inx.moe" = common.nginx.ssl-inx // {
    extraConfig = ''
      client_max_body_size 20M;
    '';
--- a/hosts/Infini-DL360/radicale.nix
+++ b/hosts/Infini-DL360/radicale.nix
@ -27,7 +27,7 @@ in
    };
  };

-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    locations."/".proxyPass = "http://localhost:5232";
  };
 }
--- a/hosts/Infini-DL360/searx.nix
+++ b/hosts/Infini-DL360/searx.nix
@ -43,7 +43,7 @@ in

  users.users.nginx.extraGroups = [ "searx" ];

-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    locations."/" = {
      extraConfig = ''
        include ${config.services.nginx.package}/conf/uwsgi_params;
--- a/hosts/Infini-DL360/thelounge.nix
+++ b/hosts/Infini-DL360/thelounge.nix
@ -6,7 +6,7 @@
 }:

 {
-  services.nginx.virtualHosts."thelounge.inx.moe" = common.nginx.ssl // {
+  services.nginx.virtualHosts."thelounge.inx.moe" = common.nginx.ssl-inx // {
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.thelounge.port}";
    };
--- a/hosts/Infini-DL360/vaultwarden.nix
+++ b/hosts/Infini-DL360/vaultwarden.nix
@ -12,7 +12,7 @@ in
 {
  persist.directories = [ config.services.vaultwarden.dataDir ];

-  services.nginx.virtualHosts.${domain} = common.nginx.ssl // {
+  services.nginx.virtualHosts.${domain} = common.nginx.ssl-inx // {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    };
--- a/hosts/Infini-DL360/web.nix
+++ b/hosts/Infini-DL360/web.nix
@ -6,7 +6,12 @@
  ...
 }:
 let
-  inherit (common.nginx) ssl ssl-optional;
+  inherit (common.nginx)
+    ssl
+    ssl-optional
+    ssl-inx
+    ssl-inx-optional
+    ;

  tryFiles = "$uri $uri.html $uri/ =404";
  websiteConfig = ''
@ -56,12 +61,12 @@ in
    websites
    // redirects
    // {
-      "j.inx.moe" = ssl-optional // {
+      "j.inx.moe" = ssl-inx-optional // {
        locations."/" = {
          return = "302 $jump_link";
        };
      };
-      "blahaj.inx.moe" = ssl-optional // {
+      "blahaj.inx.moe" = ssl-inx-optional // {
        locations."/" = {
          tryFiles = "/Blahaj.png =404";
          root = ./static;
@ -79,7 +84,7 @@ in
          return = "301 https://www.ikea.com/us/en/p/blahaj-soft-toy-shark-90373590/";
        };
      };
-      "files.inx.moe" = ssl // {
+      "files.inx.moe" = ssl-inx // {
        locations."/" = {
          root = "/srv/web/files.inx.moe";
          extraConfig = ''
@ -90,7 +95,7 @@ in
          root = "/srv/web/files.inx.moe";
        };
      };
-      "old.inx.moe" = ssl-optional // {
+      "old.inx.moe" = ssl-inx-optional // {
        locations."/" = {
          root = "/srv/web/inx.moe";
          inherit tryFiles;
--- a/modules/global/common.nix
+++ b/modules/global/common.nix
@ -6,17 +6,25 @@
    domain = "inx.moe";
    subdomain = subdomain: "${subdomain}.${domain}";

-    nginx = rec {
-      ssl-cert = {
+    nginx = {
+      ssl-optional = {
        enableACME = true;
        acmeRoot = null;
-      };
-      ssl-optional = ssl-cert // {
        addSSL = true;
      };
-      ssl = ssl-cert // {
+      ssl = {
+        enableACME = true;
+        acmeRoot = null;
        forceSSL = true;
      };
+      ssl-inx = {
+        useACMEHost = domain;
+        forceSSL = true;
+      };
+      ssl-inx-optional = {
+        useACMEHost = domain;
+        addSSL = true;
+      };
    };

    rsyncnet = rec {