From 40f526ce6215da36ad503bbb7c7f6dca6a518dcc Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Fri, 13 Jun 2025 04:46:11 +0800
Subject: [PATCH] feat(web-servers/nginx): allow wildcard subdomains for letsencrypt certs

---
 modules/nixos/server/web-servers/default.nix | 13 ++++++-
 .../server/web-servers/nginx/default.nix     | 37 ++++++++++---------
 2 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/modules/nixos/server/web-servers/default.nix b/modules/nixos/server/web-servers/default.nix
index 6225676..c9833d7 100644
--- a/modules/nixos/server/web-servers/default.nix
+++ b/modules/nixos/server/web-servers/default.nix
@@ -1,6 +1,11 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkMerge mkIf mkEnableOption;
+  inherit (lib)
+    mkMerge
+    mkIf
+    mkEnableOption
+    singleton
+    ;
   cfg = config.server.web-servers;
 in
 {
@@ -19,6 +24,12 @@ in
       dnsProvider = "cloudflare";
       credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
     };
+    certs = {
+      "rrv.sh".extraDomainNames = singleton "*.rrv.sh";
+      "bwfiq.com".extraDomainNames = singleton "*.bwfiq.com";
+      "slayment.com".extraDomainNames = singleton "*.slayment.com";
+      "aenyrathia.wiki".extraDomainNames = singleton "*.aenyrathia.wiki";
+    };
   };
 })
 ];
diff --git a/modules/nixos/server/web-servers/nginx/default.nix b/modules/nixos/server/web-servers/nginx/default.nix
index f5f36cc..339cd86 100644
--- a/modules/nixos/server/web-servers/nginx/default.nix
+++ b/modules/nixos/server/web-servers/nginx/default.nix
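Review bot: The wildcard names added under `certs` turn each of the four private keys into a credential that can impersonate every host one label below its apex, so the key material under `/var/lib/acme/<name>/` now deserves the same protection as the most sensitive service on that domain; consider setting `group` per cert to its single consumer rather than relying on one shared group. A wildcard matches exactly one label: `*.rrv.sh` covers `app.rrv.sh` but not `a.b.rrv.sh`, which would need its own entry in `extraDomainNames`. The four apex names are a hard-coded list with no assertion tying them to whatever the nginx module derives as a root domain, so a proxy on an unlisted domain will reference a certificate that is never issued; an `assertions` entry or deriving `certs` from the proxy list would catch that at evaluation time. Because issuance is DNS-01, the Cloudflare token referenced by `credentialFiles` is itself a wildcard-issuing credential and should be scoped to DNS edit on just these zones. The `mkIf` block this hunk sits in starts outside the hunk.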
@@ -5,15 +5,17 @@ let
   mkOption
   mkEnableOption
   mkIf
+  singleton
   ;
-  inherit (lib.pantheon) mkStrOption;
+  inherit (lib.types) listOf submodule attrs;
+  inherit (lib.pantheon) mkStrOption mkRootDomain;
   inherit (builtins) listToAttrs map;
   cfg = config.server.web-servers.nginx;
-  sslCheck = if config.server.web-servers.enableSSL then true else false;
+  sslCheck = good: bad: if config.server.web-servers.enableSSL then good else bad;
   defaultSink = mkIf cfg.enableDefaultSink {
     "_" = {
       default = true;
-      rejectSSL = sslCheck;
+      rejectSSL = sslCheck true false;
       locations."/" = {
         return = "444";
       };
@@ -23,9 +25,9 @@ let
     map (proxy: {
       name = proxy.source;
       value = {
-        addSSL = sslCheck;
-        enableACME = sslCheck;
-        acmeRoot = null;
+        addSSL = sslCheck true false;
+        useACMEHost = sslCheck (mkRootDomain proxy.source) null;
+        acmeRoot = null; # needed for DNS validation
         locations."/" = {
           proxyPass = proxy.target;
         } // proxy.extraConfig;
@@ -43,19 +45,17 @@ in
       default = true;
     };
     proxies = mkOption {
-      type =
-        with lib.types;
-        listOf (submodule {
-          options = {
-            source = mkStrOption;
-            target = mkStrOption;
-            extraConfig = lib.mkOption {
-              type = attrs;
-              default = { };
-            };
-          };
-        });
       default = [ ];
+      type = listOf (submodule {
+        options = {
+          source = mkStrOption;
+          target = mkStrOption;
+          extraConfig = lib.mkOption {
+            type = attrs;
+            default = { };
+          };
+        };
+      });
     };
   };
 
@@ -64,6 +64,7 @@ in
       443
       80
     ];
+    users.users.nginx.extraGroups = singleton "acme";
     services.nginx = {
       enable = true;
       virtualHosts = mkMerge [
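Review bot: `useACMEHost = sslCheck (mkRootDomain proxy.source) null` assumes that `mkRootDomain` yields a name present in `security.acme.certs` and that the wildcard on that name actually covers `proxy.source`; neither is checked, so a proxy two labels below the apex or on an apex with no cert entry produces a vhost pointing at a certificate that is never issued, and the failure only appears when nginx refuses to start at activation. A per-proxy `assertions` entry along the lines of `assertion = config.security.acme.certs ? (mkRootDomain proxy.source);` with a message naming the offending source would surface this at evaluation time. Separately, `addSSL = sslCheck true false` keeps every proxied service reachable in plaintext on port 80 alongside HTTPS; this predates the commit, but since the line is rewritten here, `forceSSL` is the safer choice for reverse-proxied services that presumably carry sessions. The `map` over proxies enclosing this hunk starts and ends outside it.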
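Review bot: `users.users.nginx.extraGroups = singleton "acme"` grants the nginx user read access to every key under `/var/lib/acme`, which after this commit includes the wildcard keys for all four domains, and that is broader than nginx needs if any other service on the host consumes certificates from the same directory. The per-certificate alternative is `security.acme.certs.<name>.group = "nginx"` (or a dedicated group per consumer), which keeps each private key readable only by the service that terminates TLS for it. If the shared group is a deliberate choice, a one-line comment such as `# nginx reads all ACME keys; acceptable while it is the only TLS terminator on this host` would save the next reader from re-deriving the trade-off. The attribute set this line belongs to starts and ends outside the hunk.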