Fix nextcloud and privatebin SSL config
Both of these were not properly configured for https+multiple hosts. This commit
fixes that.
- Enable SSL for privatebin
- Enable SSL for nextcloud
- Replace extra erroneous nextcloud.clicks.codes hostname with
cloud.clicks.codes
- Repair missing SSL certificate generation options bug
- This was impacting our ability to issue certificates for our secondary
hostnames
Change-Id: Ic9e7d4b0b5c83615f18c1e50579d9148ced71ba9
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 197ad89..d7d2490 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -14,9 +14,14 @@
users.groups.nextcloud = { };
services.nextcloud.enable = true;
+ services.nextcloud.https = true;
services.nextcloud.config.adminpassFile =
config.sops.secrets.nextcloud_admin_password.path;
services.nextcloud.hostName = "nextcloud.clicks.codes";
+ services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+ enableACME = true;
+ forceSSL = true;
+ };
services.nextcloud.package = pkgs.nextcloud27;
services.nextcloud.poolSettings = {
pm = "dynamic";
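Review bot: The new `services.nginx.virtualHosts` entry only covers `nextcloud.clicks.codes`, while `extraTrustedDomains` in the next hunk now lists `cloud.clicks.codes` and `docs.clicks.codes`; nothing in this diff makes nginx answer for those names or requests a certificate that includes them, so unless `base` already adds them as aliases, HTTPS for the secondary hostnames will still fail even though Nextcloud trusts the Host header. If they are meant to be served by this same instance, add `serverAliases = [ "cloud.clicks.codes" "docs.clicks.codes" ];` inside this vhost so the ACME certificate is issued with them as SANs and the `forceSSL` redirect applies to them too. Note that `services.nextcloud.hostName` stays `nextcloud.clicks.codes`, so that name remains the primary one Nextcloud is configured for — confirm this is the intended canonical host given the commit message calls the extra `nextcloud.clicks.codes` entry erroneous.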
@@ -35,7 +40,7 @@
dbpassFile = config.sops.secrets.clicks_nextcloud_db_password.path;
dbname = "nextcloud";
dbhost = "localhost";
- extraTrustedDomains = [ "nextcloud.clicks.codes" "docs.clicks.codes" ];
+ extraTrustedDomains = [ "cloud.clicks.codes" "docs.clicks.codes" ];
};
services.nextcloud.extraOptions = { social_login_auto_redirect = true; };
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 9ccf0b2..08ae0cf 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -184,11 +184,14 @@
sopsFile = ../secrets/cloudflare-cert.env.bin;
format = "binary";
};
+
+ users.users.nginx.extraGroups = [ config.users.users.acme.group ];
};
} (if base != null then {
- config.security.acme.certs = builtins.mapAttrs (_: v: {
- webroot = null;
- dnsProvider = "cloudflare";
- }) base.config.security.acme.certs;
+ config.security.acme.certs = lib.mkForce (builtins.mapAttrs (_: v:
+ (lib.filterAttrs (n: _: n != "directory") v) // {
+ webroot = null;
+ dnsProvider = "cloudflare";
+ }) base.config.security.acme.certs);
} else
{ })
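Review bot: `users.users.nginx.extraGroups = [ config.users.users.acme.group ]` gives the web server read access to every certificate directory that keeps the ACME default group, not only the certificates nginx actually serves, which widens private-key exposure if any other service's certificate lives on this host. As far as I recall the NixOS nginx module already sets the cert group to nginx's group for every `enableACME` vhost, so this blanket grant is probably unnecessary; prefer a per-cert `group = config.services.nginx.group;` on the specific certificates nginx needs and drop the extraGroups line. Separately, the `lib.mkForce` replaces the entire `security.acme.certs` set with what `base` evaluated, so any certificate defined only in this layer (for example one generated by a vhost with `enableACME` that is not also in `base`) would be discarded silently — confirm `base` contains every such vhost, or merge the overrides with `lib.mkMerge`/`mkOverride` on the individual attributes rather than forcing the whole set.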
diff --git a/modules/privatebin.nix b/modules/privatebin.nix
index 25e29fd..839f132 100644
--- a/modules/privatebin.nix
+++ b/modules/privatebin.nix
@@ -1,5 +1,10 @@
{ config, lib, base, ... }:
lib.recursiveUpdate {
+ services.nginx.virtualHosts.privatebin = {
+ serverName = lib.mkForce "privatebin.clicks.codes";
+ enableACME = lib.mkForce true;
+ forceSSL = lib.mkForce true;
+ };
services.privatebin = {
enable = true;
settings = {
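Review bot: `forceSSL` for this host is forced twice — here on `services.nginx.virtualHosts.privatebin` and again further down as `services.privatebin.nginx.forceSSL = lib.mkForce true`; if the privatebin module maps its `nginx` attrset onto this same vhost (which the vhost name `privatebin` suggests), one of the two is redundant, and three `lib.mkForce`s on `serverName`/`enableACME`/`forceSSL` mean any later per-host adjustment will be silently overridden, so consider plain definitions unless a real conflict with the module's defaults exists. `forceSSL` only redirects HTTP to HTTPS; for a paste service that handles secrets, once issuance is confirmed working, consider adding HSTS to the vhost with `extraConfig = ''add_header Strict-Transport-Security "max-age=63072000" always;'';`. The `services.privatebin` block that follows runs past the end of this hunk.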
@@ -21,13 +26,10 @@
langaugeselection = true;
};
- nginx = {
- serverName = "privatebin.clicks.codes";
- enableACME = true;
- };
-
expire.default = "1month";
+ nginx.forceSSL = lib.mkForce true;
+
expire_options = {
"5min" =
300; # looks bonkers, but I'm trying to keep the list ordered while also keeping the privatebin label formatter happy