fix(hakurei): access

modules/nixos/kanidm.nix

@@ -56,18 +56,10 @@ in {
 
     services.kanidm = {
       server.unencrypted.package = let
-        cert = pkgs.runCommand "kanidm-cert" {
+        cert = pkgs.mkSnakeOil {
+          name = "kanidm-cert";
           inherit (cfg.server.unencrypted) domain;
-          nativeBuildInputs = [ pkgs.buildPackages.minica ];
-        } ''
-          install -d $out
-          cd $out
-          minica \
-            --ca-key ca.key.pem \
-            --ca-cert ca.cert.pem \
-            --domains $domain
-          cat $domain/cert.pem ca.cert.pem > $domain.pem
-        '';
+        };
       in mkOptionDefault cert;
       clientSettings = mkIf cfg.enableServer {
         uri = mkDefault cfg.serverSettings.origin;
@@ -82,8 +74,8 @@ in {
           );
         }
         (mkIf cfg.server.unencrypted.enable {
-          tls_chain = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}.pem";
-          tls_key = "${cfg.server.unencrypted.package}/${cfg.server.unencrypted.domain}/key.pem";
+          tls_chain = "${cfg.server.unencrypted.package}/fullchain.pem";
+          tls_key = "${cfg.server.unencrypted.package.key}/key.pem";
         })
       ];
     };

nixos/access/proxmox.nix

@@ -1,15 +1,29 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: let
   inherit (lib.modules) mkIf mkDefault;
   inherit (lib.strings) escapeRegex;
+  inherit (lib.lists) singleton optional;
+  inherit (config.services) tailscale;
   proxyPass = "https://reisen.local.gensokyo.zone:8006/";
+  unencrypted = pkgs.mkSnakeOil {
+    name = "prox-local-cert";
+    domain = singleton "prox.local.${config.networking.domain}"
+      ++ optional tailscale.enable "prox.tail.${config.networking.domain}";
+  };
+  sslCertificate = unencrypted.fullchain;
+  sslCertificateKey = unencrypted.key;
 in {
   services.nginx.virtualHosts."prox.${config.networking.domain}" = {
     locations."/" = {
       extraConfig = ''
+        if ($http_x_forwarded_proto = http) {
+          return 302 https://$host$request_uri;
+        }
+
         set $prox_prefix ''';
         include ${config.sops.secrets.access-proxmox.path};
         if ($request_uri ~ "^/([^/]+).*") {
@@ -24,7 +38,7 @@ in {
         if ($prox_prefix != $prox_expected) {
           return 501;
         }
-        if ($request_uri ~ "^/([^/]+)") {
+        if ($request_uri ~ "^/([^/]+)$") {
           rewrite /(.*) /prox/$1 last;
         }
         rewrite /[^/]+/(.*) /prox/$1;
@@ -49,12 +63,15 @@ in {
   };
   services.nginx.virtualHosts."prox.local.${config.networking.domain}" = {
     local.enable = mkDefault true;
+    forceSSL = mkDefault true;
+    inherit sslCertificate sslCertificateKey;
     locations."/" = {
       inherit proxyPass;
     };
   };
-  services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+  services.nginx.virtualHosts."prox.tail.${config.networking.domain}" = mkIf tailscale.enable {
     local.enable = mkDefault true;
+    inherit sslCertificate sslCertificateKey;
     locations."/" = {
       inherit proxyPass;
     };

nixos/access/zigbee2mqtt.nix

@@ -5,7 +5,7 @@
 }:
 let
   inherit (lib.options) mkOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
   cfg = config.services.zigbee2mqtt;
   access = config.services.nginx.access.zigbee2mqtt;
   proxyPass = mkDefault "http://${access.host}:${toString access.port}";
@@ -51,6 +51,12 @@ in {
           inherit proxyPass extraConfig;
         };
       };
+      "z2m.tail.${config.networking.domain}" = mkIf config.services.tailscale.enable {
+        local.enable = true;
+        locations."/" = {
+          inherit proxyPass extraConfig;
+        };
+      };
     };
   };
 }

overlays/local/default.nix

@@ -17,6 +17,7 @@ final: prev: {
   wezterm = final.callPackage ./wezterm {
     inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications;
   };
+  mkSnakeOil = final.callPackage ./snakeoil.nix { };
   terraform-providers =
     prev.terraform-providers
     // {

overlays/local/snakeoil.nix

@@ -0,0 +1,30 @@
+{
+  runCommand,
+  buildPackages,
+  lib,
+}: let
+  inherit (lib.strings) concatStringsSep;
+  inherit (lib.lists) toList head;
+in { domain, name }: runCommand name {
+  domains = concatStringsSep "," (toList domain);
+  domain = head (toList domain);
+  nativeBuildInputs = [ buildPackages.minica ];
+  outputs = [ "out" "key" "cakey" "ca" "cert" "fullchain" ];
+} ''
+  install -d $out
+  minica \
+    --ca-key ca.key.pem \
+    --ca-cert ca.pem \
+    --domains "$domains"
+  mv ca.pem $ca
+  mv ca.key.pem $cakey
+  mv $domain/cert.pem $cert
+  mv $domain/key.pem $key
+  cat $cert $ca > $fullchain
+
+  ln -s $fullchain $out/fullchain.pem
+  ln -s $key $out/key.pem
+  ln -s $cakey $out/ca.key.pem
+  ln -s $cert $out/cert.pem
+  ln -s $ca $out/ca.pem
+''