From c1d9023ce894acd3bf61d560d8a8a753beac1d0d Mon Sep 17 00:00:00 2001 From: Nickiel12 Date: Fri, 7 Apr 2023 16:50:38 -0700 Subject: [PATCH] Got acme certs working, but broken port forward --- hosts/Alaska/containers/nextcloud.nix | 13 +++++--- hosts/Alaska/default.nix | 17 ++++++----- hosts/Alaska/modules/acme.nix | 22 ++++++++++++++ hosts/Alaska/modules/nginx.nix | 43 ++++++++++++++++++++------- 4 files changed, 74 insertions(+), 21 deletions(-) create mode 100644 hosts/Alaska/modules/acme.nix diff --git a/hosts/Alaska/containers/nextcloud.nix b/hosts/Alaska/containers/nextcloud.nix index a3a2397..dcd432b 100644 --- a/hosts/Alaska/containers/nextcloud.nix +++ b/hosts/Alaska/containers/nextcloud.nix @@ -6,12 +6,17 @@ containers.nextcloud = { autoStart = true; privateNetwork = true; + # The host address is the address of the parent machine from inside the container hostAddress = "192.168.100.10"; + # The local address field is the "inside the container" address of this machine + # Or what it says when you run 'ip a' inside the container localAddress = "192.168.100.11"; + # These are the same as above, but for ipv6 hostAddress6 = "fc00::1"; localAddress6 = "fc00::2"; # allowed filepaths and container-internal mount points + # I believe "hostPath" is the system-wide, non-conatainer path bindMounts = { "/Aurora/nextcloud" = { hostPath = "/Aurora/nextcloud"; @@ -30,8 +35,7 @@ package = pkgs.nextcloud25; enableBrokenCiphersForSSE = false; - #nginx.enable = true; - #https = true; + https = true; hostName = "192.168.100.10"; home = "/Aurora/nextcloud"; @@ -41,9 +45,10 @@ }; config = { - #overwriteProtocal = "https"; + overwriteProtocol = "https"; extraTrustedDomains = [ - "10.0.0.206" + "10.0.0.184" + "files.nickiel.net" ]; dbtype = "pgsql"; diff --git a/hosts/Alaska/default.nix b/hosts/Alaska/default.nix index 14428c2..13b64c7 100644 --- a/hosts/Alaska/default.nix +++ b/hosts/Alaska/default.nix 
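Review bot: The new `# I believe "hostPath" is the system-wide, non-conatainer path` comment above `bindMounts` records a guess (and a typo) where a definite statement would serve the next reader better; the existing `# allowed filepaths and container-internal mount points` line already says the attribute name is the in-container path. I would replace it with `# attribute name = mount point inside the container; hostPath = the directory on the host that is bound there`. The `bindMounts` set continues past the end of the hunk.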
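Review bot: `hostName = "192.168.100.10"` sits next to the newly enabled `https = true;`, so the name Nextcloud is told it is served under is the container-host address, while the rest of this series puts an nginx vhost for `files.nickiel.net` in front of it; any link or redirect built from that value will be an https URL to an address nothing terminates TLS on. Set it to the public name, `hostName = "files.nickiel.net";`, and keep `192.168.100.10` only where the proxy relationship is configured. If the nixpkgs release in use already derives `overwriteprotocol` from `https = true`, the separate `overwriteProtocol = "https"` added in the next hunk is redundant and one of the two should go; I cannot confirm that from here.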
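Review bot: `overwriteProtocol = "https"` and the `files.nickiel.net` trusted domain make this instance reverse-proxied, but nothing in the `config` block names the proxy, so Nextcloud will see every request as coming from the host's `192.168.100.10`: its brute-force throttling then applies to all users at once and its logs lose the real client address. Add the proxy to the same block, `trustedProxies = [ "192.168.100.10" ];` (check the option name against the nixpkgs release in use), so the forwarded-for header nginx sets is honoured. The bare `10.0.0.184` entry is a trusted-domain IP that was just changed from `10.0.0.206`, which looks like a DHCP lease rather than an address worth hard-coding; consider dropping it once the name resolves. The enclosing `config` set continues outside the hunk.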
@@ -11,6 +11,7 @@ environment.systemPackages = [ pkgs.mdadm + pkgs.cloudflared ]; networking = { @@ -19,15 +20,17 @@ internalInterfaces = ["ve-+"]; externalInterface = "enp2s0"; # Make sure this is actually set to your internet adapter # You can find a list with `ip a` and look for the first identifier after the number (e.g.: 1: enp2s0) + # Lazy IPv6 connectivity for the container enableIPv6 = true; - forwardPorts = [ - { - sourcePort = 80; - proto = "tcp"; - destination = "192.168.100.11:80"; - } - ]; + + #forwardPorts = [ + #{ + # sourcePort = 80; + # proto = "tcp"; + # destination = "192.168.100.11:80"; + #} + #]; }; firewall = { enable = true; diff --git a/hosts/Alaska/modules/acme.nix b/hosts/Alaska/modules/acme.nix new file mode 100644 index 0000000..d7d41ea --- /dev/null +++ b/hosts/Alaska/modules/acme.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: + +{ + + security.acme.acceptTerms = true; + security.acme.defaults.email = "nicholasyoungsumner@gmail.com"; + + # Use one configuration to to make the cert for all the sub domains + security.acme.certs."acmechallenge.nickiel.net" = { + webroot = "/var/lib/acme/.challenges"; + email = "nicholasyoungsumner@gmail.com"; + # Ensure that the web server you use can read the generated certs + # Take a look at the group option for the web server you choose. + group = "nginx"; + # Since we have a wildcard vhost to handle port 80, + # we can generate certs for anything! + # Just make sure your DNS resolves them. + extraDomainNames = [ "files.nickiel.net" ]; + }; + + users.users.nginx.extraGroups = [ "acme" ]; +} diff --git a/hosts/Alaska/modules/nginx.nix b/hosts/Alaska/modules/nginx.nix index 49793e1..6aa0052 100644 --- a/hosts/Alaska/modules/nginx.nix +++ b/hosts/Alaska/modules/nginx.nix 
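Review bot: `pkgs.cloudflared` in `environment.systemPackages` only puts the binary on PATH; if the intent is a Cloudflare Tunnel into this host, the `services.cloudflared` module runs it as a dedicated unprivileged user and takes the tunnel credentials as a file path outside the Nix store, whereas a hand-started tunnel tends to run as root with the credentials JSON in a home directory or, worse, in this repository. Nothing in the hunk shows how it will be run, so treat this as a caveat rather than a defect.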
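Review bot: The `forwardPorts` block is commented out rather than deleted; git keeps the history, and a dormant NAT rule for `192.168.100.11:80` invites someone to re-enable a direct, TLS-free path to the container that bypasses the nginx vhosts this series introduces. With the forward gone, inbound 80 and 443 now terminate on the host's nginx, so the `firewall` block that begins at the end of the hunk needs `allowedTCPPorts = [ 80 443 ];` unless that is already set further down, which I cannot see from here. Both the `networking.nat` and `firewall` attribute sets continue past the hunk.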
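Review bot: `users.users.nginx.extraGroups = [ "acme" ]` gives nginx read access to every certificate directory under `/var/lib/acme`, not just the one this file creates; the `group = "nginx"` on the cert already grants exactly what nginx needs for this key, so the extraGroups line can be dropped in favour of least privilege. The comment `# we can generate certs for anything!` is misleading: the HTTP-01 webroot method cannot issue a `*.nickiel.net` wildcard, so every hostname must appear in `extraDomainNames`, and I would say so, e.g. `# Every hostname must be listed here explicitly; HTTP-01 cannot issue wildcards.` The per-cert `email` duplicates `security.acme.defaults.email` and can go.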
@@ -1,23 +1,46 @@ { config, lib, pkgs, ... }: { - - security.acme = { - acceptTerms = true; - defaults.email = "nicholasyoungsumner@gmail.com"; - }; + imports = [ + (import ./acme.nix) + ]; services.nginx = { - enable = false; + enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - virtualHosts."10.0.0.206" = { - addSSL = true; - forceSSL = true; - enableACME = true; + virtualHosts = { + "nickiel.net" = { + locations."/" = { + root = "/var/lib/acme/nickiel.net"; + }; + }; + + "files.nickiel.net" = { + #forceSSL = true; + #enableACME = true; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + proxyPass = "http://192.168.100.11:80"; + proxyWebsockets = true; + }; + }; + + "acmechallenge.nickiel.net" = { + # Catchall vhost, will redirect users to HTTPS for all vhosts + serverAliases = [ "*.nickiel.net" ]; + locations."/.well-known/acme-challenge" = { + root = "/var/lib/acme/.challenges"; + }; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; }; }; }
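Review bot: The `nickiel.net` vhost uses `root = "/var/lib/acme/nickiel.net"`, which is the ACME module's certificate state directory, not a document root: if a certificate by that name is ever issued, its `key.pem` becomes fetchable as `http://nickiel.net/key.pem` by an nginx process that this series also adds to the `acme` group. Point `root` at a real web directory, or give this vhost the same `/.well-known/acme-challenge` location plus a `return = "301 https://$host$request_uri";` as the catch-all does. Separately, `files.nickiel.net` proxies Nextcloud logins over plain HTTP with `forceSSL`/`enableACME` left commented out, while the catch-all redirects `*.nickiel.net` to an https listener that no vhost here defines; `forceSSL = true; useACMEHost = "acmechallenge.nickiel.net";` on that vhost would bind it to the certificate from acme.nix (which already lists `files.nickiel.net`) and give the 301 somewhere to land. I cannot see whether another file adds a 443 listener.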