gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor(nginx): ssl.cert.copyFromVhost

Browse source
This commit is contained in:
arcnmx 2024-03-21 12:40:41 -07:00
parent f326a5f1f8
commit 3a8eeda006
10 changed files with 39 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

24
modules/nixos/nginx/ssl.nix
View file

@ -4,8 +4,9 @@
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault mkOverride;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault mkOverride;
inherit (lib.trivial) warnIf;
inherit (config.services.nginx) virtualHosts;
mkAlmostOptionDefault = mkOverride 1250;
forceRedirectConfig = virtualHost: ''
if ($x_scheme = http) {
@ -56,6 +57,10 @@
type = nullOr path;
default = null;
};
copyFromVhost = mkOption {
type = nullOr str;
default = null;
};
};
};
locations = mkOption {
@ -69,9 +74,20 @@
ssl = {
enable = mkOptionDefault (cfg.cert.name != null || cfg.cert.keyPath != null);
forced = mkOptionDefault (cfg.force != false && cfg.force != "reject");
cert.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
mkAlmostOptionDefault config.name.shortServer
));
cert = let
certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
mkAlmostOptionDefault config.name.shortServer
));
copyCert = virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert;
otherCertConfig = mkIf (cfg.cert.copyFromVhost != null) {
name = mkDefault copyCert.name;
keyPath = mkAlmostOptionDefault copyCert.keyPath;
path = mkAlmostOptionDefault copyCert.path;
};
in mkMerge [
certConfig
otherCertConfig
];
};
addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true);
forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true);

1
nixos/access/grocy.nix
View file

@ -19,6 +19,7 @@ in {
};
grocy'local = {
inherit name;
ssl.cert.copyFromVhost = "zigbee2mqtt";
local.enable = mkDefault true;
locations."/" = mkIf (!grocy.enable) {
proxyPass = mkDefault (if grocy.enable

1
nixos/access/home-assistant.nix
View file

@ -31,6 +31,7 @@ in {
};
home-assistant'local = {
inherit name listenPorts;
ssl.cert.copyFromVhost = "home-assistant";
local.enable = mkDefault true;
locations."/" = {
proxy = {

5
nixos/access/keycloak.nix
View file

@ -38,7 +38,10 @@ in {
};
keycloak'local = {
name.shortServer = mkDefault "sso";
ssl.force = mkDefault true;
ssl = {
force = mkDefault true;
cert.copyFromVhost = "keycloak";
};
local.enable = true;
inherit locations;
extraConfig = mkIf nginx.vouch.localSso.enable ''

1
nixos/access/kitchencam.nix
View file

@ -65,6 +65,7 @@ in {
};
kitchencam'local = {
inherit name locations listenPorts kTLS;
ssl.cert.copyFromVhost = "kitchencam";
local.enable = true;
};
};

1
nixos/access/plex.nix
View file

@ -64,6 +64,7 @@ in {
};
plex'local = {
inherit name locations extraConfig kTLS;
ssl.cert.copyFromVhost = "plex";
local.enable = true;
};
};

6
nixos/access/unifi.nix
View file

@ -45,7 +45,10 @@ in {
ssl = true;
extraParameters = [ "default_server" ];
};
ssl.force = true;
ssl = {
force = true;
cert.copyFromVhost = "unifi";
};
inherit name locations extraConfig kTLS;
};
unifi = {
@ -55,6 +58,7 @@ in {
};
unifi'local = {
inherit name locations extraConfig kTLS;
ssl.cert.copyFromVhost = "unifi";
local.enable = true;
};
};

6
nixos/access/vouch.nix
View file

@ -65,7 +65,10 @@ in {
includeTailscale = false;
};
local.enable = true;
ssl.force = true;
ssl = {
force = true;
cert.copyFromVhost = "vouch";
};
locations = mkMerge [
locations
(localLocations "sso.local.${networking.domain}")
@ -73,6 +76,7 @@ in {
};
vouch'tail = {
enable = mkDefault tailscale.enable;
ssl.cert.copyFromVhost = "vouch'local";
name = {
inherit (name) shortServer;
qualifier = mkDefault "tail";

1
nixos/access/zigbee2mqtt.nix
View file

@ -21,6 +21,7 @@ in {
};
zigbee2mqtt'local = {
inherit name;
ssl.cert.copyFromVhost = "zigbee2mqtt";
locations."/" = {
proxy.websocket.enable = true;
proxyPass = mkDefault (

11
systems/hakurei/nixos.nix
View file

@ -216,39 +216,30 @@ in {
local.denyGlobal = true;
ssl.cert.enable = true;
};
keycloak'local.ssl.cert.enable = true;
vouch.ssl.cert.enable = true;
vouch'local.ssl.cert.enable = true;
vouch'tail.ssl.cert.enable = true;
unifi = {
# we're not the real unifi record-holder, so don't respond globally..
local.denyGlobal = true;
ssl.cert.enable = true;
};
unifi'local.ssl.cert.enable = true;
home-assistant = assert home-assistant.enable; {
# not the real hass record-holder, so don't respond globally..
local.denyGlobal = true;
ssl.cert.enable = true;
locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}";
};
home-assistant'local.ssl.cert.enable = true;
zigbee2mqtt = assert zigbee2mqtt.enable; {
# not the real z2m record-holder, so don't respond globally..
local.denyGlobal = true;
ssl.cert.enable = true;
locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString zigbee2mqtt.settings.frontend.port}";
};
zigbee2mqtt'local.ssl.cert.enable = true;
grocy = {
# not the real grocy record-holder, so don't respond globally..
local.denyGlobal = true;
ssl.cert.enable = true;
locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
};
grocy'local = {
ssl.cert.enable = true;
};
${access.freepbx.domain} = {
local.enable = true;
};
@ -256,9 +247,7 @@ in {
useACMEHost = access.proxmox.domain;
};
plex.ssl.cert.enable = true;
plex'local.ssl.cert.enable = true;
kitchencam.ssl.cert.enable = true;
kitchencam'local.ssl.cert.enable = true;
${access.invidious.domain} = {
useACMEHost = access.invidious.domain;
forceSSL = true;