feat(web-servers/nginx): allow wildcard subdomains for letsencrypt certs

Mohammad Rafiq 2025-06-13 04:46:11 +08:00
parent d539849088
commit 40f526ce62
2 changed files with 31 additions and 19 deletions


@ -1,6 +1,11 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkMerge mkIf mkEnableOption; inherit (lib)
mkMerge
mkIf
mkEnableOption
singleton
;
cfg = config.server.web-servers; cfg = config.server.web-servers;
in in
{ {
@ -19,6 +24,12 @@ in
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path; credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
}; };
certs = {
"rrv.sh".extraDomainNames = singleton "*.rrv.sh";
"bwfiq.com".extraDomainNames = singleton "*.bwfiq.com";
"slayment.com".extraDomainNames = singleton "*.slayment.com";
"aenyrathia.wiki".extraDomainNames = singleton "*.aenyrathia.wiki";
};
}; };
}) })
]; ];
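Review bot: The `certs` attrset at the end of the second hunk is a hand-maintained list of root domains, while the nginx module on this same page resolves every proxy to `useACMEHost = mkRootDomain proxy.source`, so a proxy whose root domain is not listed here has no certificate to load and nothing in this hunk ties the two together. A comment above the block would at least make the coupling visible: `# One wildcard cert per root domain; every nginx proxy source must resolve (via mkRootDomain) to a key listed here.` It is also worth recording that a single wildcard key is now shared by every subdomain of the zone and, with nginx in the `acme` group, is readable by the nginx user, so a compromise of any one vhost exposes the certificate for all of them — an accepted trade-off of wildcard issuance, but one that should be stated next to the list. The Cloudflare token referenced by `credentialFiles` above should be scoped to DNS edit on these four zones only; its scope cannot be verified from this page.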


@ -5,15 +5,17 @@ let
mkOption mkOption
mkEnableOption mkEnableOption
mkIf mkIf
singleton
; ;
inherit (lib.pantheon) mkStrOption; inherit (lib.types) listOf submodule attrs;
inherit (lib.pantheon) mkStrOption mkRootDomain;
inherit (builtins) listToAttrs map; inherit (builtins) listToAttrs map;
cfg = config.server.web-servers.nginx; cfg = config.server.web-servers.nginx;
sslCheck = if config.server.web-servers.enableSSL then true else false; sslCheck = good: bad: if config.server.web-servers.enableSSL then good else bad;
defaultSink = mkIf cfg.enableDefaultSink { defaultSink = mkIf cfg.enableDefaultSink {
"_" = { "_" = {
default = true; default = true;
rejectSSL = sslCheck; rejectSSL = sslCheck true false;
locations."/" = { locations."/" = {
return = "444"; return = "444";
}; };
@ -23,9 +25,9 @@ let
map (proxy: { map (proxy: {
name = proxy.source; name = proxy.source;
value = { value = {
addSSL = sslCheck; addSSL = sslCheck true false;
enableACME = sslCheck; useACMEHost = sslCheck (mkRootDomain proxy.source) null;
acmeRoot = null; acmeRoot = null; # needed for DNS validation
locations."/" = { locations."/" = {
proxyPass = proxy.target; proxyPass = proxy.target;
} // proxy.extraConfig; } // proxy.extraConfig;
@ -43,19 +45,17 @@ in
default = true; default = true;
}; };
proxies = mkOption { proxies = mkOption {
type =
with lib.types;
listOf (submodule {
options = {
source = mkStrOption;
target = mkStrOption;
extraConfig = lib.mkOption {
type = attrs;
default = { };
};
};
});
default = [ ]; default = [ ];
type = listOf (submodule {
options = {
source = mkStrOption;
target = mkStrOption;
extraConfig = lib.mkOption {
type = attrs;
default = { };
};
};
});
}; };
}; };
@ -64,6 +64,7 @@ in
443 443
80 80
]; ];
users.users.nginx.extraGroups = singleton "acme";
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = mkMerge [ virtualHosts = mkMerge [