fix: need to split wildcard definitions because the nginx module would cause infinite recursion otherwise

2025-10-10 14:50:40 +02:00 · 2024-04-09 20:38:40 +02:00 · 2024-04-09 20:38:40 +02:00 · 76d6a094dc
commit 76d6a094dc
parent c410a6b703
8 changed files with 16 additions and 19 deletions
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ including my homelab, external servers and my development machines.
 🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
 🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
 ☁️  | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
-☁️  | VPS | envoy | Hetzner Cloud server | Mailserver (WIP, still on gentoo)
+☁️  | VPS | envoy | Hetzner Cloud server | Mailserver

 ## Overview

--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@ -24,6 +24,6 @@ in {
      dnsPropagationCheck = true;
      reloadServices = ["nginx"];
    };
-    inherit (acme) certs;
+    inherit (acme) certs wildcardDomains;
  };
 }
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -14,7 +14,6 @@
  boot.mode = "bios";

  users.groups.acme.members = ["nginx"];
-  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;

--- a/hosts/envoy/secrets/local.nix.age
+++ b/hosts/envoy/secrets/local.nix.age
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@ -24,6 +24,6 @@ in {
      dnsPropagationCheck = true;
      reloadServices = ["nginx"];
    };
-    inherit (acme) certs;
+    inherit (acme) certs wildcardDomains;
  };
 }
--- a/hosts/sentinel/secrets/local.nix.age
+++ b/hosts/sentinel/secrets/local.nix.age
--- a/modules/acme-wildcard.nix
+++ b/modules/acme-wildcard.nix
@ -6,9 +6,8 @@
  inherit
    (lib)
    assertMsg
-    attrNames
    filter
-    filterAttrs
+    genAttrs
    hasInfix
    head
    mkIf
@ -16,19 +15,14 @@
    removeSuffix
    types
    ;
-
-  wildcardDomains = attrNames (filterAttrs (_: v: v.wildcard) config.security.acme.certs);
 in {
-  options.security.acme.certs = mkOption {
-    type = types.attrsOf (types.submodule (submod: {
-      options.wildcard = mkOption {
-        default = false;
-        type = types.bool;
-        description = "If set to true, this will automatically append `*.<domain>` to `extraDomainNames`.";
-      };
-
-      config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"];
-    }));
+  options.security.acme.wildcardDomains = mkOption {
+    type = types.listOf types.str;
+    default = [];
+    description = ''
+      List of domains to which a wilcard certificate exists under the same name in `certs`.
+      All of these certs will automatically have `*.<domain>` appended to `extraDomainNames`.
+    '';
  };

  options.services.nginx.virtualHosts = mkOption {
@ -45,7 +39,7 @@ in {
        matchingCerts =
          filter
          (x: !hasInfix "." (removeSuffix ".${x}" domain))
-          wildcardDomains;
+          config.security.acme.wildcardDomains;
      in
        mkIf submod.config.useACMEWildcardHost {
          useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
@ -53,4 +47,8 @@ in {
        };
    }));
  };
+
+  config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
+    extraDomainNames = ["*.${domain}"];
+  });
 }
--- a/users/myuser/secrets/user.nix.age
+++ b/users/myuser/secrets/user.nix.age