1 changed files with 24 additions and 0 deletions
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@ -1,5 +1,6 @@
 {
  inputs,
+  config,
  constants,
  lib,
  ...
@ -15,10 +16,33 @@ in
    inputs.synix.nixosModules.nginx
  ];

+  users.users.nginx.extraGroups = [ "tailscale" ];
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "tailscale" ];
+    Requires = [ "tailscaled.service" ];
+    After = [ "tailscaled.service" ];
+  };
+
+  systemd.services."generate-tailscale-certs-${constants.hosts.sid.domain}" = {
+    wantedBy = [ "multi-user.target" ];
+    before = [ "nginx.service" ];
+    after = [ "tailscaled.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${config.services.tailscale.package}/bin/tailscale cert ${constants.hosts.sid.domain}";
+      User = "root";
+    };
+  };
+
  services.nginx = {
    enable = true;
    openFirewall = true;
    forceSSL = ssl;
+    virtualHosts."${constants.hosts.sid.domain}" = {
+      sslCertificate = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.crt";
+      sslCertificateKey = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.key";
+      forceSSL = true;
+    };
    virtualHosts."${constants.services.docs.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;