From f326a5f1f8f103ee2758353125d9e47dfa6219a1 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Thu, 21 Mar 2024 12:20:56 -0700
Subject: [PATCH] refactor(nginx): ssl.cert.enable

---
 modules/nixos/nginx/ssl.nix | 5 +++++
 systems/hakurei/nixos.nix | 44 ++++++++++++++++++-------------------
 2 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/modules/nixos/nginx/ssl.nix b/modules/nixos/nginx/ssl.nix
index e396b82b..4c04a8b5 100644
--- a/modules/nixos/nginx/ssl.nix
+++ b/modules/nixos/nginx/ssl.nix
@@ -5,6 +5,7 @@
 }: let
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkDefault mkOptionDefault mkOverride;
+ inherit (lib.trivial) warnIf;
 mkAlmostOptionDefault = mkOverride 1250;
 forceRedirectConfig = virtualHost: ''
 if ($x_scheme = http) {
@@ -42,6 +43,7 @@
 readOnly = true;
 };
 cert = {
+ enable = mkEnableOption "ssl cert via name.shortServer";
 name = mkOption {
 type = nullOr str;
 default = null;
@@ -67,6 +69,9 @@
 ssl = {
 enable = mkOptionDefault (cfg.cert.name != null || cfg.cert.keyPath != null);
 forced = mkOptionDefault (cfg.force != false && cfg.force != "reject");
+ cert.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
+ mkAlmostOptionDefault config.name.shortServer
+ ));
 };
 addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true);
 forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true);
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 4df01403..3f879e9a 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -68,7 +68,7 @@ in {
 security.acme.certs = let
 inherit (nginx) access virtualHosts;
 in {
- keycloak = {
+ sso = {
 inherit (nginx) group;
 domain = virtualHosts.keycloak.serverName;
 extraDomainNames = mkMerge [
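Review bot: The `warnIf` in the new `cert.name` definition only warns when `name.shortServer` is null and still evaluates to `cert.name = null`, so a host that explicitly set `ssl.cert.enable = true` has `ssl.enable` (two lines above, `cfg.cert.name != null || cfg.cert.keyPath != null`) resolve to false and is served without TLS unless some other definition steps in; a misconfiguration that removes transport security should fail evaluation rather than warn. Replace the warning with a hard error and keep it inside the override so it only fires when this definition wins, e.g. `cert.name = mkIf cfg.cert.enable (mkAlmostOptionDefault (if config.name.shortServer != null then config.name.shortServer else throw "ssl.cert.enable set but name.shortServer is null"));`, which also makes the `warnIf` import added in the first hunk unnecessary if nothing else uses it. Whether `name.shortServer` can actually be null here depends on its declaration, which is outside this patch. The enclosing `config` attribute set starts and ends outside the hunk.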
@@ -76,7 +76,7 @@ in {
 virtualHosts.keycloak'local.allServerNames
 ];
 };
- home-assistant = {
+ home = {
 inherit (nginx) group;
 domain = virtualHosts.home-assistant.serverName;
 extraDomainNames = mkMerge [
@@ -84,7 +84,7 @@ in {
 virtualHosts.home-assistant'local.allServerNames
 ];
 };
- zigbee2mqtt = {
+ z2m = {
 inherit (nginx) group;
 domain = virtualHosts.zigbee2mqtt.serverName;
 extraDomainNames = mkMerge [
@@ -100,7 +100,7 @@ in {
 virtualHosts.grocy'local.allServerNames
 ];
 };
- vouch = {
+ login = {
 inherit (nginx) group;
 domain = virtualHosts.vouch.serverName;
 extraDomainNames = mkMerge [
@@ -161,7 +161,7 @@ in {
 virtualHosts.plex'local.allServerNames
 ];
 };
- kitchencam = {
+ kitchen = {
 inherit (nginx) group;
 domain = virtualHosts.kitchencam.serverName;
 extraDomainNames = mkMerge [
@@ -214,40 +214,40 @@ in {
 keycloak = {
 # we're not the real sso record-holder, so don't respond globally..
 local.denyGlobal = true;
- ssl.cert.name = "keycloak";
+ ssl.cert.enable = true;
 };
- keycloak'local.ssl.cert.name = "keycloak";
- vouch.ssl.cert.name = "vouch";
- vouch'local.ssl.cert.name = "vouch";
- vouch'tail.ssl.cert.name = "vouch";
+ keycloak'local.ssl.cert.enable = true;
+ vouch.ssl.cert.enable = true;
+ vouch'local.ssl.cert.enable = true;
+ vouch'tail.ssl.cert.enable = true;
 unifi = {
 # we're not the real unifi record-holder, so don't respond globally..
 local.denyGlobal = true;
- ssl.cert.name = "unifi";
+ ssl.cert.enable = true;
 };
- unifi'local.ssl.cert.name = "unifi";
+ unifi'local.ssl.cert.enable = true;
 home-assistant = assert home-assistant.enable; {
 # not the real hass record-holder, so don't respond globally..
 local.denyGlobal = true;
- ssl.cert.name = "home-assistant";
+ ssl.cert.enable = true;
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}";
 };
- home-assistant'local.ssl.cert.name = "home-assistant";
+ home-assistant'local.ssl.cert.enable = true;
 zigbee2mqtt = assert zigbee2mqtt.enable; {
 # not the real z2m record-holder, so don't respond globally..
 local.denyGlobal = true;
- ssl.cert.name = "zigbee2mqtt";
+ ssl.cert.enable = true;
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString zigbee2mqtt.settings.frontend.port}";
 };
- zigbee2mqtt'local.ssl.cert.name = "zigbee2mqtt";
+ zigbee2mqtt'local.ssl.cert.enable = true;
 grocy = {
 # not the real grocy record-holder, so don't respond globally..
 local.denyGlobal = true;
- ssl.cert.name = "grocy";
+ ssl.cert.enable = true;
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
 };
 grocy'local = {
- ssl.cert.name = "grocy";
+ ssl.cert.enable = true;
 };
 ${access.freepbx.domain} = {
 local.enable = true;
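Review bot: Every `ssl.cert.enable = true` in this hunk (and in the following hunk at line 255 for plex and kitchencam) now takes its certificate name from `name.shortServer`, a value not defined anywhere in this patch, so the binding that was previously explicit (`"keycloak"`, `"vouch"`, `"unifi"`, ...) can no longer be checked from this file; it relies on the ACME entries renamed in the earlier hunks (`sso`, `home`, `z2m`, `login`, `kitchen`) matching each host's `shortServer` exactly. If one of them does not match, the failure mode is not obvious from here, since the module side only warns when `shortServer` is null and says nothing about a name that exists but resolves to no `security.acme.certs` entry. A one-line comment at the top of this block would make the coupling visible to the next editor, e.g. `# ssl.cert.enable derives the cert name from name.shortServer; keep security.acme.certs keys in sync`, and evaluating each vhost's resolved `ssl.cert.name` against the `security.acme.certs` keys once before deploying would confirm the renames line up. The enclosing `virtualHosts` attribute set starts and ends outside the hunk.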
@@ -255,10 +255,10 @@ in {
 ${access.proxmox.domain} = {
 useACMEHost = access.proxmox.domain;
 };
- plex.ssl.cert.name = "plex";
- plex'local.ssl.cert.name = "plex";
- kitchencam.ssl.cert.name = "kitchencam";
- kitchencam'local.ssl.cert.name = "kitchencam";
+ plex.ssl.cert.enable = true;
+ plex'local.ssl.cert.enable = true;
+ kitchencam.ssl.cert.enable = true;
+ kitchencam'local.ssl.cert.enable = true;
 ${access.invidious.domain} = {
 useACMEHost = access.invidious.domain;
 forceSSL = true;