add(acme,nginx): add certificate generation and nginx for the services

This replaces caddy and the port exposure, this is more efficent and easier to manage in the future.
2025-05-25 00:32:54 +02:00 · 2025-05-25 00:32:54 +02:00 · 5792e478af
commit 5792e478af
parent 7dd87536aa
9 changed files with 244 additions and 74 deletions
--- a/modules/nixos/services/ente-auth/default.nix
+++ b/modules/nixos/services/ente-auth/default.nix
@ -20,28 +20,41 @@ in
      default = pkgs.awesome-flake.ente-web-auth;
    };

-    port = mkOption {
-      description = "The port to serve Ente-Auth on.";
-      type = types.nullOr types.int;
-      default = 1338;
+    domain = mkOption {
+      description = "The domain to serve ente-auth on.";
+      type = types.nullOr types.str;
+      default = "ente.stahl.sh";
    };
+
+    nginx = {
+      enable = mkEnableOption {
+        description = "Enable nginx for this service.";
+        type = types.bool;
+        default = true;
+      };
+    };
+
  };

  config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [
-      cfg.port
+    networking.firewall.allowedTCPPorts = mkIf cfg.nginx.enable [
+      80
+      443
    ];

-    services.caddy = {
+    awesome-flake.services.acme.enable = mkIf cfg.nginx.enable true;
+
+    services.nginx = mkIf cfg.nginx.enable {
      enable = true;
-      virtualHosts = {
-        ":${builtins.toString cfg.port}" = {
-          extraConfig = ''
-            root * ${cfg.package}
-            file_server
-          '';
+
+      virtualHosts."${cfg.domain}" = {
+        forceSSL = true;
+        useACMEHost = "stahl.sh";
+        locations."/" = {
+          root = "${cfg.package}";
        };
      };
    };
  };
+
 }