nginx: more ssl tinkering

modules/forgejo.nix

@@ -16,7 +16,7 @@ in
       # TODO: Force ssl
       # addSSL = true;
       serverName = "git.zynh.me";
-      useACMEHost = lib.mkIf ACMEEnabled "scarlet.zynh.me";
+      useACMEHost = lib.mkIf ACMEEnabled "permafrost";
       locations."/" = {
         proxyPass = "http://localhost:3032";
       };

modules/foundry.nix

@@ -9,34 +9,44 @@ in
     enable = lib.mkEnableOption "foundry nixos module";
   };
 
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
-    permafrost.nginx.enable = lib.mkDefault true;
+    {
-    permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "scarlet.zynh.me" ];
+      permafrost.nginx.enable = lib.mkDefault true;
-    services.nginx.virtualHosts."scarlet.zynh.me" = {
+    }
-      # TODO: Force ssl
+    {
-      # addSSL = true;
+      # permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "scarlet.zynh.me" ];
-      serverName = "scarlet.zynh.me";
+      services.nginx.virtualHosts."scarlet.zynh.me" = {
-      useACMEHost = lib.mkIf ACMEEnabled "scarlet.zynh.me";
+        # TODO: Force ssl
-      locations."/" = {
+        # addSSL = true;
-        extraConfig = /* nginx */ ''
+        serverName = "scarlet.zynh.me";
-          # Set proxy headers
+        useACMEHost = lib.mkIf ACMEEnabled "permafrost";
-          proxy_set_header Host              $host;
+        locations."/.well-known/acme-challenge" = {
-          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          root = "/var/lib/acme/.challenges";
-          proxy_set_header X-Forwarded-Proto $scheme;
+        };
+        locations."/" = {
+          extraConfig = /* nginx */ ''
+            # Set proxy headers
+            proxy_set_header Host              $host;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
 
-          # These are important to support WebSockets
+            # These are important to support WebSockets
-          proxy_set_header Upgrade    $http_upgrade;
+            proxy_set_header Upgrade    $http_upgrade;
-          proxy_set_header Connection "Upgrade";
+            proxy_set_header Connection "Upgrade";
-        '';
+          '';
-        proxyPass = "http://localhost:30000";
+          proxyPass = "http://localhost:30000";
+        };
       };
-    };
+    }
-
+    {
-    services.nginx.virtualHosts."ddbimporter.zynh.me" = {
+      permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "ddbimporter.zynh.me" ];
-      # TODO: Force ssl
+      services.nginx.virtualHosts."ddbimporter.zynh.me" = {
-      # addSSL = true;
+        # TODO: Force ssl
-      serverName = "ddbimporter.zynh.me";
+        # addSSL = true;
-      locations."/".proxyPass = "http://localhost:3232";
+        useACMEHost = lib.mkIf ACMEEnabled "permafrost";
-    };
+        serverName = "ddbimporter.zynh.me";
-  };
+        locations."/".proxyPass = "http://localhost:3232";
+      };
+    }
+  ]);
 }

modules/nginx.nix

@@ -28,6 +28,7 @@ in
     security.acme.certs.permafrost = lib.mkIf cfg.enableACME {
       email = "Zynh0722@gmail.com";
       domain = "scarlet.zynh.me";
+      group = config.services.nginx.group;
       renewInterval = "weekly";
       server =
         if cfg.useStagingServer

modules/nyazoom.nix

@@ -29,7 +29,7 @@ in
       # TODO: Force ssl
       # addSSL = true;
       serverName = "nyazoom.zynh.me";
-      useACMEHost = lib.mkIf ACMEEnabled "scarlet.zynh.me";
+      useACMEHost = lib.mkIf ACMEEnabled "permafrost";
       locations."/" = {
         proxyPass = "http://localhost:3000";
         extraConfig = /* nginx */ ''