fix: need to split wildcard definitions because the nginx module would cause infinite recursion otherwise

2025-10-10 23:00:39 +02:00 · 2024-04-09 20:38:40 +02:00 · 2024-04-09 20:38:40 +02:00 · 76d6a094dc
commit 76d6a094dc
parent c410a6b703
8 changed files with 16 additions and 19 deletions
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ including my homelab, external servers and my development machines.
 🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
 🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
 ☁️  | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
-☁️  | VPS | envoy | Hetzner Cloud server | Mailserver (WIP, still on gentoo)
+☁️  | VPS | envoy | Hetzner Cloud server | Mailserver
 ## Overview
--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@ -24,6 +24,6 @@ in {
      dnsPropagationCheck = true;
      reloadServices = ["nginx"];
    };
-    inherit (acme) certs;
+    inherit (acme) certs wildcardDomains;
  };
 }
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -14,7 +14,6 @@
  boot.mode = "bios";
  users.groups.acme.members = ["nginx"];
  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;
--- a/hosts/envoy/secrets/local.nix.age
+++ b/hosts/envoy/secrets/local.nix.age
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@ -24,6 +24,6 @@ in {
      dnsPropagationCheck = true;
      reloadServices = ["nginx"];
    };
-    inherit (acme) certs;
+    inherit (acme) certs wildcardDomains;
  };
 }
--- a/hosts/sentinel/secrets/local.nix.age
+++ b/hosts/sentinel/secrets/local.nix.age
--- a/modules/acme-wildcard.nix
+++ b/modules/acme-wildcard.nix
@ -6,9 +6,8 @@
  inherit
    (lib)
    assertMsg
    attrNames
    filter
-    filterAttrs
+    genAttrs
    hasInfix
    head
    mkIf
@ -16,19 +15,14 @@
    removeSuffix
    types
    ;
  wildcardDomains = attrNames (filterAttrs (_: v: v.wildcard) config.security.acme.certs);
 in {
-  options.security.acme.certs = mkOption {
+  options.security.acme.wildcardDomains = mkOption {
-    type = types.attrsOf (types.submodule (submod: {
+    type = types.listOf types.str;
-      options.wildcard = mkOption {
+    default = [];
-        default = false;
+    description = ''
-        type = types.bool;
+      List of domains to which a wilcard certificate exists under the same name in `certs`.
-        description = "If set to true, this will automatically append `*.<domain>` to `extraDomainNames`.";
+      All of these certs will automatically have `*.<domain>` appended to `extraDomainNames`.
-      };
+    '';
      config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"];
    }));
  };
  options.services.nginx.virtualHosts = mkOption {
@ -45,7 +39,7 @@ in {
        matchingCerts =
          filter
          (x: !hasInfix "." (removeSuffix ".${x}" domain))
-          wildcardDomains;
+          config.security.acme.wildcardDomains;
      in
        mkIf submod.config.useACMEWildcardHost {
          useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
@ -53,4 +47,8 @@ in {
        };
    }));
  };
  config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
    extraDomainNames = ["*.${domain}"];
  });
 }
--- a/users/myuser/secrets/user.nix.age
+++ b/users/myuser/secrets/user.nix.age