self signed cert

2025-10-04 14:04:17 +02:00 · 2025-10-04 14:04:17 +02:00 · 4a2f900c5a
commit 4a2f900c5a
parent 0e25e7cacc
9 changed files with 100 additions and 14 deletions
--- a/mod/nginx.nix
+++ b/mod/nginx.nix
@ -3,35 +3,45 @@
  options,
  config,
  var,
+  secrets,
  ...
 }:
 with lib;
 {
-  options.services.nginx.virtualHostsPriv = mkOption {
+  options.services.nginx.privateVirtualHosts = mkOption {
    type = options.services.nginx.virtualHosts.type;
    default = { };
    description = "Declarative vhost config listening on onet";
  };

-  config = {
+  config = mkIf (config.services.nginx.privateVirtualHosts != { }) {
+    age.secrets.tlskey = {
+      file = secrets."tlskey.age";
+      mode = "440";
+      owner = config.services.nginx.user;
+      group = config.services.nginx.group;
+    };
+
    services.nginx.virtualHosts = builtins.mapAttrs (
      _: v:
      v
      // {
+        sslCertificateKey = config.age.secrets.tlskey.path;
+        sslCertificate = ../pki/server.cert;
+
+        addSSL = true;
        listen = [
          {
            addr = var.wg.ips.roam;
            port = 80;
          }
-          /*
-            { TODO: Fix certs
-              addr = var.wg.ips.roam;
-              port = 443;
-              ssl = true;
-            }
-          */
+          {
+            addr = var.wg.ips.roam;
+            port = 443;
+            ssl = true;
+          }
        ];
      }
-    ) config.services.nginx.virtualHostsPriv;
+    ) config.services.nginx.privateVirtualHosts;
  };
 }