From 84835e036491e99222d95a2ce730b355acf3c9b4 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong
Date: Wed, 11 May 2022 09:45:25 +0900
Subject: Enable encryption for IPFS gateway subdomains

---
 configuration.nix | 48 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 34 insertions(+), 14 deletions(-)

(limited to 'configuration.nix')

diff --git a/configuration.nix b/configuration.nix
index 6c446b1..188ec12 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,5 +1,6 @@
 { config, lib, pkgs, ... }:
 let
+  certs = config.security.acme.certs.${domain};
   domain = "loang.net";
   bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
     name = "${target}/~${user}";
@@ -42,6 +43,18 @@ in {
   security = {
     acme = {
       acceptTerms = true;
+      certs.${domain} = {
+        credentialsFile = pkgs.writeText "namesilo.env" ''
+          NAMESILO_API_KEY_FILE=/var/lib/acme/namesilo.key
+          NAMESILO_PROPAGATION_TIMEOUT=1800
+        '';
+        dnsProvider = "namesilo";
+        extraDomainNames = [
+          "*.ipfs.${domain}"
+          "*.ipns.${domain}"
+        ];
+        webroot = null;
+      };
       defaults.email = "mcsinyx@disroot.org";
     };
@@ -66,7 +79,7 @@ in {
     };
     molly-brown = let
-      certDir = config.security.acme.certs.${domain}.directory;
+      certDir = certs.directory;
     in {
       certPath = "${certDir}/cert.pem";
       docBase = "/var/lib/gemini/${domain}";
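Review bot: The `NAMESILO_API_KEY_FILE=/var/lib/acme/namesilo.key` line in the new `certs.${domain}` block points at a secret that nothing in this configuration creates or permission-checks, so a renewal will silently fail, or the key will be readable by more than the ACME service user, depending on how it was dropped there by hand. `pkgs.writeText` places `namesilo.env` in the world-readable Nix store, which is only safe because the file carries a path rather than the key, and that invariant deserves a comment above `credentialsFile`: `# Only the path to the API key goes here: pkgs.writeText lands in the world-readable /nix/store, so the key itself must never be inlined.` Provision `/var/lib/acme/namesilo.key` with a secrets mechanism or at least declare its owner (the user the acme service runs as) and mode 0400, and document why `webroot = null;` is required (the root vhost's `enableACME = true` elsewhere in the file presumably attaches a webroot that conflicts with the DNS-01 wildcard SANs) so it is not removed later.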
@@ -75,19 +88,28 @@ in {
       keyPath = "${certDir}/key.pem";
     };
-    nginx = {
+    nginx = let
+      ipfsGateway = "http://localhost:8080";
+      ipfsProxy = {
+        forceSSL = true;
+        locations."/".proxyPass = ipfsGateway;
+        useACMEHost = domain;
+      };
+    in {
       enable = true;
       recommendedProxySettings = true;
-      virtualHosts.${domain} = {
-        enableACME = true;
-        forceSSL = true;
-        locations = let
-          ipfsGateway = "http://localhost:8080";
-        in {
-          "/ipfs".proxyPass = ipfsGateway;
-          "/ipns".proxyPass = ipfsGateway;
+      virtualHosts = {
+        "${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations = {
+            "/ipfs".proxyPass = ipfsGateway;
+            "/ipns".proxyPass = ipfsGateway;
+          };
+          root = "/var/lib/www/${domain}";
         };
-      root = "/var/lib/www/${domain}";
+        "*.ipfs.${domain}" = ipfsProxy;
+        "*.ipns.${domain}" = ipfsProxy;
       };
     };
@@ -104,9 +126,7 @@ in {
     extraConfig = ''
       DefaultTimeoutStartSec=900s
     '';
-    services.molly-brown.serviceConfig.SupplementaryGroups = [
-      config.security.acme.certs.${domain}.group
-    ];
+    services.molly-brown.serviceConfig.SupplementaryGroups = [ certs.group ];
   };

   time.timeZone = "UTC";
-- 
cgit 1.4.1
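Review bot: The new wildcard vhosts `"*.ipfs.${domain}"` and `"*.ipns.${domain}"` only deliver origin isolation if the gateway behind `http://localhost:8080` is configured to treat `${domain}` as a subdomain public gateway, and nothing in this file shows that; without it the root vhost keeps serving `/ipfs` and `/ipns` on the same origin as `root = "/var/lib/www/${domain}"`, so user-published HTML and scripts run same-origin with the site itself, which is exactly what the subdomain scheme is meant to prevent. `recommendedProxySettings = true` does forward the `Host` header, so the `<cid>.ipfs.${domain}` names reach the gateway intact, but the path requests on the root vhost are presumably only safe if the gateway redirects `${domain}/ipfs/<cid>` to `<cid>.ipfs.${domain}`. Add a comment above `ipfsProxy`: `# Subdomain gateway: the IPFS daemon must list ${domain} as a public gateway with UseSubdomains enabled so ${domain}/ipfs/<cid> is redirected to <cid>.ipfs.${domain} and gateway content never shares an origin with the root site.` Consider also `useACMEHost = domain;` on the `"${domain}"` vhost in place of `enableACME = true;`, since the certificate is now issued by DNS-01 and the webroot hook that `enableACME` attaches is what the earlier hunk has to suppress with `webroot = null;`.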