refactor(access): switch to ssl options

nixos/access/proxmox.nix

@@ -3,47 +3,14 @@
   lib,
   ...
 }: let
-  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkMerge mkDefault;
-  inherit (lib.modules) mkIf mkMerge mkDefault;
   inherit (lib.strings) escapeRegex;
-  inherit (lib.lists) singleton optional;
-  inherit (config.lib.access) mkSnakeOil;
   inherit (config.services) nginx tailscale;
-  inherit (nginx) virtualHosts;
-  access = config.services.nginx.access.proxmox;
   proxyPass = "https://reisen.local.${config.networking.domain}:8006/";
-  unencrypted = mkSnakeOil {
-    name = "prox-local-cert";
-    domain =
-      singleton "prox.local.${config.networking.domain}"
-      ++ optional tailscale.enable "prox.tail.${config.networking.domain}";
-  };
-  sslHost = {config, ...}: {
-    sslCertificate = mkIf (!config.enableACME && config.useACMEHost == null) unencrypted.fullchain;
-    sslCertificateKey = mkIf (!config.enableACME && config.useACMEHost == null) unencrypted.key;
-  };
 in {
-  options.services.nginx.access.proxmox = with lib.types; {
-    domain = mkOption {
-      type = str;
-      default = "prox.${config.networking.domain}";
-    };
-    localDomain = mkOption {
-      type = str;
-      default = "prox.local.${config.networking.domain}";
-    };
-    tailDomain = mkOption {
-      type = str;
-      default = "prox.tail.${config.networking.domain}";
-    };
-  };
   config.services.nginx.virtualHosts = let
     locations."/" = {
       extraConfig = ''
-        if ($http_x_forwarded_proto = http) {
-          return 302 https://$host$request_uri;
-        }
-
         set $prox_prefix ''';
         include ${config.sops.secrets.access-proxmox.path};
         if ($request_uri ~ "^/([^/]+).*") {
@@ -52,7 +19,7 @@ in {
         if ($request_uri ~ "^/(pve2/.*|pwt/.*|api2/.*|xtermjs/.*|[^/]+\.js.*)") {
           rewrite /(.*) /prox/$1 last;
         }
-        if ($http_referer ~ "^https://prox\.${escapeRegex config.networking.domain}/([^/]+)/$") {
+        if ($http_referer ~ "^https://${escapeRegex nginx.virtualHosts.prox.serverName}/([^/]+)/$") {
           set $prox_prefix $1;
         }
         if ($prox_prefix != $prox_expected) {
@@ -88,39 +55,45 @@ in {
     extraConfig = ''
       client_max_body_size 16384M;
     '';
+    name.shortServer = "prox";
   in {
-    ${access.domain} = {
+    prox = {
-      inherit locations extraConfig;
+      inherit name locations extraConfig;
+      ssl.force = true;
+    };
+    prox'local = {
+      name = {
+        inherit (name) shortServer;
+        includeTailscale = false;
+      };
+      ssl = {
+        force = true;
+        cert.copyFromVhost = "prox";
+      };
+      local.enable = mkDefault true;
+      locations."/" = {
+        proxy.websocket.enable = true;
+        inherit proxyPass extraConfig;
+      };
+    };
+    prox'tail = {
+      enable = mkDefault tailscale.enable;
+      name = {
+        inherit (name) shortServer;
+        qualifier = mkDefault "tail";
+      };
+      ssl.cert.copyFromVhost = "prox'local";
+      local.enable = mkDefault true;
+      locations."/" = {
+        proxy.websocket.enable = true;
+        inherit proxyPass extraConfig;
+      };
     };
-    ${access.localDomain} = mkMerge [
-      {
-        inherit (virtualHosts.${access.domain}) useACMEHost;
-        local.enable = mkDefault true;
-        forceSSL = mkDefault true;
-        locations."/" = {
-          proxy.websocket.enable = true;
-          inherit proxyPass extraConfig;
-        };
-      }
-      sslHost
-    ];
-    ${access.tailDomain} = mkIf tailscale.enable (mkMerge [
-      {
-        inherit (virtualHosts.${access.domain}) useACMEHost;
-        addSSL = mkDefault true;
-        local.enable = mkDefault true;
-        locations."/" = {
-          proxy.websocket.enable = true;
-          inherit proxyPass extraConfig;
-        };
-      }
-      sslHost
-    ]);
   };
 
   config.sops.secrets.access-proxmox = {
     sopsFile = mkDefault ../secrets/access-proxmox.yaml;
-    owner = config.services.nginx.user;
+    owner = nginx.user;
     inherit (nginx) group;
   };
 }

nixos/access/vouch.nix

@@ -61,7 +61,6 @@ in {
       vouch'local = {
         name = {
           inherit (name) shortServer;
-          qualifier = mkDefault "local";
           includeTailscale = false;
         };
         local.enable = true;

systems/hakurei/nixos.nix

@@ -53,14 +53,15 @@ in {
   };
 
   services.cloudflared = let
+    inherit (nginx) virtualHosts;
     tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
   in {
     tunnels.${tunnelId} = {
       default = "http_status:404";
       credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
       ingress = {
-        "prox.${config.networking.domain}".service = "http://localhost";
+        ${virtualHosts.prox.serverName}.service = "http://localhost";
-        ${config.networking.domain}.service = "http://localhost";
+        ${virtualHosts.gensokyoZone.serverName}.service = "http://localhost";
       };
     };
   };
@@ -144,13 +145,13 @@ in {
         ])
       ];
     };
-    ${access.proxmox.domain} = {
+    prox = {
       inherit (nginx) group;
+      domain = virtualHosts.prox.serverName;
       extraDomainNames = mkMerge [
-        [access.proxmox.localDomain]
+        virtualHosts.prox.serverAliases
-        (mkIf config.services.tailscale.enable [
+        virtualHosts.prox'local.allServerNames
-          access.proxmox.tailDomain
+        (mkIf virtualHosts.prox'tail.enable virtualHosts.prox'tail.allServerNames)
-        ])
       ];
     };
     plex = {
@@ -243,8 +244,9 @@ in {
       ${access.freepbx.domain} = {
         local.enable = true;
       };
-      ${access.proxmox.domain} = {
+      prox = {
-        useACMEHost = access.proxmox.domain;
+        proxied.enable = "cloudflared";
+        ssl.cert.enable = true;
       };
       plex.ssl.cert.enable = true;
       kitchencam.ssl.cert.enable = true;