From c3892e11f45ccdc54df01e28222ce09271801d8f Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Thu, 21 Mar 2024 17:18:32 -0700
Subject: [PATCH] refactor(idp): access updates

---
 modules/nixos/nginx/name.nix | 18 +++++-
 nixos/access/freeipa.nix | 106 ++++++++++++++---------------------
 systems/hakurei/nixos.nix | 30 +++++-----
 3 files changed, 73 insertions(+), 81 deletions(-)

diff --git a/modules/nixos/nginx/name.nix b/modules/nixos/nginx/name.nix
index 05603122..01eb5cc3 100644
--- a/modules/nixos/nginx/name.nix
+++ b/modules/nixos/nginx/name.nix
@@ -27,6 +27,12 @@
 includeTailscale = mkOption { type = bool; };
+ localName = mkOption { type = nullOr str; };
+ tailscaleName = mkOption { type = nullOr str; };
 }; allServerNames = mkOption { type = listOf str;
@@ -42,6 +48,14 @@
 includeTailscale = mkOptionDefault ( config.local.enable && tailscale.enable && cfg.qualifier != "tail" );
+ localName = mkOptionDefault ( if cfg.includeLocal then "${cfg.shortServer}.local.${networking.domain}" else null );
+ tailscaleName = mkOptionDefault ( if cfg.includeTailscale then "${cfg.shortServer}.tail.${networking.domain}" else null );
 }; serverName = mkIf (cfg.shortServer != null) (mkDefault ( cfg.shortServer
@@ -49,8 +63,8 @@
 + ".${networking.domain}" )); serverAliases = mkIf (cfg.shortServer != null) (mkDefault [
- (mkIf cfg.includeLocal "${cfg.shortServer}.local.${networking.domain}")
- (mkIf cfg.includeTailscale "${cfg.shortServer}.tail.${networking.domain}")
+ (mkIf (cfg.localName != null) cfg.localName)
+ (mkIf (cfg.tailscaleName != null) cfg.tailscaleName)
 ]); allServerNames = mkOptionDefault ( [ config.serverName ] ++ config.serverAliases
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index b4f37c58..f4f3ed0a 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
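Review bot: In the second name.nix hunk the new `localName`/`tailscaleName` defaults interpolate `cfg.shortServer` with no null guard, whereas the strings they replace only existed inside `serverAliases`, which is wrapped in `mkIf (cfg.shortServer != null)`; the options are now read directly by other modules (freeipa.nix reads `name.tailscaleName` elsewhere on this page), and `includeTailscale`'s visible default does not check `shortServer`, so a host with `includeLocal` or `includeTailscale` true and no `shortServer` would fail evaluation instead of yielding null. Guard both defaults: `if cfg.includeLocal && cfg.shortServer != null then "${cfg.shortServer}.local.${networking.domain}" else null` and the matching `tail` twin. The two `mkOption`s added in the first hunk also carry no `description`; one line each would do, e.g. `description = "Hostname answered on the local network, or null when not included.";`. The enclosing option set and config block both start and end outside these hunks.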
@@ -45,8 +45,9 @@ let
 ''; }; };
- locations = locations' access.domain;
- caLocations = locations' access.caDomain;
+ locations = locations' virtualHosts.freeipa.serverName;
+ caLocations = locations' virtualHosts.freeipa'ca.serverName;
+ kTLS = mkDefault true;
 in { imports = let inherit (meta) nixos;
@@ -96,26 +97,6 @@ in {
 scheme = if access.port == 443 then "https" else "http"; in "${scheme}://${access.host}:${toString access.port}"; };
- domain = mkOption { type = str; default = "idp.${config.networking.domain}"; };
- caDomain = mkOption { type = str; default = "idp-ca.${config.networking.domain}"; };
- globalDomain = mkOption { type = str; default = "freeipa.${config.networking.domain}"; };
- localDomain = mkOption { type = str; default = "freeipa.local.${config.networking.domain}"; };
- tailDomain = mkOption { type = str; default = "freeipa.tail.${config.networking.domain}"; };
 port = mkOption { type = port; default = 443;
@@ -124,10 +105,6 @@ in {
 type = port; default = 636; };
- useACMEHost = mkOption { type = nullOr str; default = virtualHosts.${access.domain}.useACMEHost; };
 }; config = { services.nginx = {
@@ -136,7 +113,7 @@ in {
 host = mkDefault access.host; port = mkDefault 389; sslPort = mkDefault access.ldapPort;
- useACMEHost = mkDefault access.useACMEHost;
+ useACMEHost = mkDefault virtualHosts.freeipa.ssl.cert.name;
 bind.sslPort = mkIf access.preread.enable (mkDefault access.preread.ldapPort); }; resolver.addresses = mkIf access.preread.enable (mkMerge [
@@ -173,8 +150,8 @@ in {
 } map $ssl_preread_server_name $ssl_server_name { hostnames;
- ${access.domain} ${upstreams.freeipa};
- ${access.caDomain} ${upstreams.freeipa};
+ ${virtualHosts.freeipa.serverName} ${upstreams.freeipa};
+ ${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa};
 ${nginx.access.ldap.domain} ${upstreams.ldap}; ${nginx.access.ldap.localDomain} ${upstreams.ldap}; ${nginx.access.ldap.tailDomain} ${upstreams.ldap};
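Review bot: The `@@ -96` and `@@ -124` hunks remove six public options (`domain`, `caDomain`, `globalDomain`, `localDomain`, `tailDomain`, `useACMEHost`) without a `mkRemovedOptionModule` or `mkRenamedOptionModule`, so any system still setting them gets only a generic "option does not exist" error, and any code outside these hunks that still reads `access.domain` (the kerberos stream block is visible on this page only as `(mkIf access.kerberos.enable kerberos)`) fails evaluation rather than pointing at the replacement `virtualHosts.freeipa.name.shortServer`. Consider one `mkRemovedOptionModule` per removed path under `imports`, with a message naming the vhost attribute that now owns the value. In the `@@ -136` hunk the LDAP stream listener's `useACMEHost` now follows `virtualHosts.freeipa.ssl.cert.name`; if that can be null while `ssl.cert.enable` is unset, the TLS listener on `access.ldapPort` would have no certificate, so an assertion tying the two together may be warranted — the `ssl.cert` module is not on the page, so this is inferred. The `let` bindings and the module body both continue outside every hunk here.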
@@ -195,7 +172,7 @@ in {
 map $ssl_preread_server_name $ldap_upstream { hostnames;
- ${access.domain} ${upstreams.ldap_freeipa};
+ ${virtualHosts.freeipa.serverName} ${upstreams.ldap_freeipa};
 default ${upstreams.ldap}; }
@@ -231,48 +208,51 @@ in {
 (mkIf access.preread.enable preread) (mkIf access.kerberos.enable kerberos) ];
- virtualHosts = {
- ${access.domain} = {
- inherit locations extraConfig;
- inherit (access) useACMEHost;
- forceSSL = mkDefault (access.useACMEHost != null);
+ virtualHosts = let
+ name.shortServer = mkDefault "freeipa";
+ in {
+ freeipa = {
+ name.shortServer = mkDefault "idp";
+ inherit locations extraConfig kTLS;
+ ssl.force = mkDefault true;
 };
- ${access.globalDomain} = {
- inherit locations extraConfig;
- inherit (access) useACMEHost;
- forceSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
+ freeipa'web = {
+ ssl = {
+ force = mkDefault virtualHosts.freeipa.ssl.force;
+ cert.copyFromVhost = "freeipa";
+ };
+ inherit name locations extraConfig kTLS;
 };
- ${access.caDomain} = {
+ freeipa'ca = {
+ name.shortServer = mkDefault "idp-ca";
 locations = caLocations;
- inherit extraConfig;
- inherit (access) useACMEHost;
- forceSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
+ ssl = {
+ force = mkDefault virtualHosts.freeipa.ssl.force;
+ cert.copyFromVhost = "freeipa";
+ };
+ inherit extraConfig kTLS;
 };
- ${access.localDomain} = {
- inherit (virtualHosts.${access.domain}) useACMEHost;
- addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
+ freeipa'web'local = {
+ ssl.cert.copyFromVhost = "freeipa'web";
 local.enable = true;
- inherit locations;
+ inherit name locations kTLS;
 };
- ${access.tailDomain} = mkIf tailscale.enable {
- inherit (virtualHosts.${access.domain}) useACMEHost;
- addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
- local.enable = true;
- inherit locations;
+ freeipa'ldap = {
+ serverName = mkDefault ldap.domain;
+ ssl.cert.copyFromVhost = "freeipa";
+ globalRedirect = virtualHosts.freeipa'web.serverName;
 };
- ${ldap.domain} = { config, ... }: {
- useACMEHost = mkDefault virtualHosts.${access.domain}.useACMEHost;
- addSSL = mkDefault (config.useACMEHost != null);
- globalRedirect = access.domain;
- };
- ${ldap.localDomain} = {
- inherit (virtualHosts.${ldap.domain}) useACMEHost addSSL;
- globalRedirect = access.localDomain;
+ freeipa'ldap'local = {
+ serverName = mkDefault ldap.localDomain;
+ ssl.cert.copyFromVhost = "freeipa'ldap";
+ globalRedirect = virtualHosts.freeipa'web'local.serverName;
 local.enable = true; };
- ${ldap.tailDomain} = mkIf tailscale.enable {
- inherit (virtualHosts.${ldap.domain}) useACMEHost addSSL;
- globalRedirect = access.tailDomain;
+ freeipa'ldap'tail = {
+ enable = mkDefault tailscale.enable;
+ serverName = mkDefault ldap.tailDomain;
+ ssl.cert.copyFromVhost = "freeipa'ldap'local";
+ globalRedirect = virtualHosts.freeipa'web'local.name.tailscaleName;
 local.enable = true; }; };
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 74fc15c0..5946afed 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -67,14 +67,14 @@ in {
 }; security.acme.certs = let
- inherit (nginx) access virtualHosts;
+ inherit (nginx) virtualHosts;
 in { hakurei = { inherit (nginx) group; domain = config.networking.fqdn; extraDomainNames = [
- config.lib.access.hostnameForNetwork.local
- (mkIf config.services.tailscale.enable config.lib.access.hostnameForNetwork.tail)
+ access.hostnameForNetwork.local
+ (mkIf config.services.tailscale.enable access.hostnameForNetwork.tail)
 ]; }; sso = {
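Review bot: `freeipa'web'local` and the `freeipa'ldap*` redirect hosts set only `ssl.cert.copyFromVhost` and never `ssl.force`, while the `${access.localDomain}`, `${access.tailDomain}` and `${ldap.*}` hosts they replace all set `addSSL`, so whether the local and tail FreeIPA names still get a TLS listener now rests entirely on the `ssl` module's defaults, which are not on the page. If `copyFromVhost` alone does not imply a listener, the FreeIPA web UI would answer on plain HTTP on those names; make it explicit the way `freeipa'web` and `freeipa'ca` do, `ssl.force = mkDefault virtualHosts.freeipa.ssl.force;`, or whatever the module's `addSSL` equivalent is. Separately, `freeipa'ldap'tail.globalRedirect = virtualHosts.freeipa'web'local.name.tailscaleName` is null whenever `includeTailscale` is false, which is only safe if `enable = false` keeps the host's attributes from being evaluated — the hunk does not show that. `enable = mkDefault (tailscale.enable && virtualHosts.freeipa'web'local.name.tailscaleName != null);` makes the dependency explicit. The enclosing `config.services.nginx` block starts and ends outside this hunk.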
@@ -126,20 +126,16 @@ in {
 virtualHosts.unifi'local.allServerNames ]; };
- ${access.freeipa.domain} = {
+ idp = {
 inherit (nginx) group;
+ domain = virtualHosts.freeipa.serverName;
 extraDomainNames = mkMerge [
- [
- access.freeipa.localDomain
- access.freeipa.caDomain
- access.freeipa.globalDomain
- access.ldap.domain
- access.ldap.localDomain
- ]
- (mkIf tailscale.enable [
- access.freeipa.tailDomain
- access.ldap.tailDomain
- ])
+ virtualHosts.freeipa.serverAliases
+ virtualHosts.freeipa'web.allServerNames
+ virtualHosts.freeipa'web'local.allServerNames
+ virtualHosts.freeipa'ldap.allServerNames
+ virtualHosts.freeipa'ldap'local.allServerNames
+ (mkIf virtualHosts.freeipa'ldap'tail.enable virtualHosts.freeipa'ldap'tail.allServerNames)
 ]; }; pbx = {
@@ -199,7 +195,6 @@ in {
 host = tei.lib.access.hostnameForNetwork.local; }; access.freeipa = {
- useACMEHost = access.freeipa.domain;
 host = "idp.local.${config.networking.domain}"; kerberos.ports.kpasswd = 464; };
@@ -209,6 +204,9 @@ in {
 virtualHosts = { fallback.ssl.cert.name = "hakurei"; gensokyoZone.proxied.enable = "cloudflared";
+ freeipa = {
+ ssl.cert.enable = true;
+ };
 keycloak = { # we're not the real sso record-holder, so don't respond globally.. local.denyGlobal = true;
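Review bot: In the `@@ -126` hunk the `idp` certificate's `extraDomainNames` no longer covers the CA host: the removed list carried `access.freeipa.caDomain`, but the new `mkMerge` names `freeipa`, `freeipa'web`, `freeipa'web'local` and the `freeipa'ldap*` hosts and omits `virtualHosts.freeipa'ca.allServerNames`. Since `freeipa'ca` takes `ssl.cert.copyFromVhost = "freeipa"` in the freeipa.nix hunk on this page, it would present a certificate whose SAN list lacks the `idp-ca` name, and clients fetching the CA chain over TLS would fail name validation — unless `copyFromVhost` feeds names back into the certificate, which the page does not show. Add `virtualHosts.freeipa'ca.allServerNames` to the list directly after `virtualHosts.freeipa.serverAliases`. The `@@ -209` hunk's `freeipa.ssl.cert.enable = true` makes this certificate the source for every copy, so the SAN set has to be complete here; the enclosing `security.acme.certs` attribute set starts and ends outside the hunk.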