fix(nginx): Solve missing acmeRoot evaluation fail

Previously we read from the wrong property, using our in-processing host
rather than the nginx acmeRoot. While, again, this works fine for us,
it's possibly an even worse situation than before if you're not using
ACME DNS challenges and are instead trying to use HTTP.

Change-Id: Id4fad368ec74cc8a7e8ee3148a81161f60e8755d
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/815
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Skyler Grey <minion@clicks.codes>

diff --git a/modules/nixos/clicks/services/nginx/default.nix b/modules/nixos/clicks/services/nginx/default.nix
index d195f58..d90f4dd 100644
--- a/modules/nixos/clicks/services/nginx/default.nix
+++ b/modules/nixos/clicks/services/nginx/default.nix
@@ -25,12 +25,12 @@
processedHosts = lib.clicks.nginx.http.internal.serviceTranslation cfg.hosts;
hostsList = lib.attrsets.attrsToList processedHosts;
nginxHosts = lib.attrsets.mapAttrs (_: host: lib.attrsets.removeAttrs host [ "authWith" "dnsProvider" ]) processedHosts;
- acmeCerts = lib.attrsets.mapAttrs (_: host: {
+ acmeCerts = lib.attrsets.mapAttrs (name: host: {
inherit (host) dnsProvider;
webroot = if host.dnsProvider != null
then null
- else if host.acmeRoot != null
- then host.acmeRoot
+ else if (config.services.nginx.virtualHosts.${name}.acmeRoot or null) != null
+ then config.services.nginx.virtualHosts.${name}.acmeRoot
else config.security.acme.defaults.webroot;
}) processedHosts;
tailscaleAuthHosts = lib.pipe hostsList [
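
Review bot: the `or null` in the new `else if` branch of `webroot` makes a missing `config.services.nginx.virtualHosts.${name}` indistinguishable from a virtual host whose `acmeRoot` is null, so a key mismatch between `processedHosts` and the nginx virtual hosts silently falls through to `config.security.acme.defaults.webroot`. For HTTP challenges that means the certificate could be configured with a webroot that nginx does not serve for that host, and the failure would only appear at issuance or renewal time rather than at evaluation. Since this lookup assumes the attribute names in `processedHosts` are exactly the names used under `services.nginx.virtualHosts` (not shown in this hunk), consider asserting that the virtual host exists instead of defaulting, or add a comment stating that invariant. The expression `config.services.nginx.virtualHosts.${name}.acmeRoot` is also written twice; binding it once in a `let` inside the lambda would keep the test and the value from drifting apart. A short comment on why the value is read from `config` rather than from `host` would help the next reader, since the commit message describes `host.acmeRoot` as the wrong property.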