From d6da06416338ff7953d4e3494fec5e035b7e4498 Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq <rafiq@rrv.sh>
Date: Fri, 13 Jun 2025 00:02:29 +0800
Subject: [PATCH] refactor(modules/nginx): simplify ssl conditional logic and
 merge virtual hosts

---
 .../server/web-servers/nginx/default.nix      | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/modules/nixos/server/web-servers/nginx/default.nix b/modules/nixos/server/web-servers/nginx/default.nix
index 0facd6c..6fc74ef 100644
--- a/modules/nixos/server/web-servers/nginx/default.nix
+++ b/modules/nixos/server/web-servers/nginx/default.nix
@@ -1,26 +1,30 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkOption mkEnableOption mkIf;
+  inherit (lib)
+    mkMerge
+    mkOption
+    mkEnableOption
+    mkIf
+    ;
   inherit (lib.pantheon) mkStrOption;
   inherit (builtins) listToAttrs map;
-  inherit (config.server.web-servers) enableSSL;
   cfg = config.server.web-servers.nginx;
   defaultSink = mkIf cfg.enableDefaultSink {
     "_" = {
       default = true;
-      rejectSSL = mkIf enableSSL true;
+      rejectSSL = true;
       locations."/" = {
         return = "444";
       };
     };
   };
+  sslCheck = if config.server.web-servers.enableSSL then true else false;
   proxyPasses = listToAttrs (
     map (proxy: {
       name = proxy.source;
       value = {
-        forceSSL = mkIf enableSSL true;
-        enableACME = mkIf enableSSL true;
-        acmeRoot = mkIf enableSSL null;
+        enableACME = sslCheck;
+        acmeRoot = null;
         locations."/" = {
           proxyPass = proxy.target;
         } // proxy.extraConfig;
@@ -69,7 +73,10 @@ in
     ];
     services.nginx = {
       enable = true;
-      virtualHosts = defaultSink // proxyPasses;
+      virtualHosts = mkMerge [
+        defaultSink
+        proxyPasses
+      ];
     };
   };
 }