From e50f7e11118662df2da765516dc5f55871f3145d Mon Sep 17 00:00:00 2001 From: sid Date: Tue, 5 May 2026 12:30:51 +0200 Subject: [PATCH 1/2] fix intranet ip resolution --- hosts/sid/services/coredns.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix index 27896a5..8a86cb5 100644 --- a/hosts/sid/services/coredns.nix +++ b/hosts/sid/services/coredns.nix @@ -14,10 +14,10 @@ hosts { ${hosts.sid.ip} ${ca-fqdn} + ${hosts.rx4.ip} ${services.netdata.fqdn} + ${hosts.rx4.ip} ${services.vaultwarden.fqdn} + ${hosts.rx4.ip} ${services.webdav.fqdn} ${hosts.rx4.ip} rx4.tail - ${hosts.sid.ip} ${services.netdata.fqdn} - ${hosts.sid.ip} ${services.vaultwarden.fqdn} - ${hosts.sid.ip} ${services.webdav.fqdn} ${hosts.sid.ip} sid.tail ${hosts.vde.ip} vde.tail fallthrough -- 2.51.2 From 907dcf901148d47e3ef4c781e8a10a6e4bf27413 Mon Sep 17 00:00:00 2001 From: sid Date: Tue, 5 May 2026 13:19:08 +0200 Subject: [PATCH 2/2] resolve intranet services on rx4 --- hosts/rx4/services/nginx.nix | 41 ++++++++++++++++++++++++++++++++-- hosts/sid/services/step-ca.nix | 1 + 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/hosts/rx4/services/nginx.nix b/hosts/rx4/services/nginx.nix index c4c24af..8af1a41 100644 --- a/hosts/rx4/services/nginx.nix +++ b/hosts/rx4/services/nginx.nix @@ -13,6 +13,18 @@ in inputs.synix.nixosModules.nginx ]; + security.acme = { + certs."sid-internal" = { + domain = constants.services.vaultwarden.fqdn; + extraDomainNames = [ + constants.services.netdata.fqdn + constants.services.webdav.fqdn + ]; + server = "https://${constants.ca-fqdn}:8443/acme/acme/directory"; + group = "nginx"; + }; + }; + systemd.tmpfiles.rules = [ "d /var/www 0755 gitea-runner ${cfg.group} -" ]; @@ -23,8 +35,8 @@ in services.nginx = { enable = true; - openFirewall = false; - forceSSL = false; + openFirewall = true; + forceSSL = true; virtualHosts = { "${constants.services.docs.fqdn}" = { 
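Review bot: The repointing of the three service names at `${hosts.rx4.ip}` lands one commit before the virtual hosts and certificate that make rx4 answer for them (patch 2/2), so a deployment that stops at 1/2 sends netdata, vaultwarden and webdav traffic to an rx4 that has no vhost for those names; squashing the two patches or reordering them so the nginx/ACME change goes first closes that gap. Nothing in the hunk records why these names left sid, which the next person editing this Corefile will want; a one-line comment above the new entries such as `# intranet services are fronted by nginx on rx4, see hosts/rx4/services/nginx.nix` would do. The hunk's old/new line counts (10/10) do not match the visible lines, so a blank line was likely lost in this rendering rather than in the patch itself.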
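Review bot: The `sid-internal` certificate declares no challenge method — no `webroot`, `listenHTTP` or `dnsProvider` — and the `useACMEHost` vhosts added later in this patch do not provision one the way `enableACME` does, so unless `security.acme.defaults` elsewhere in rx4's configuration supplies it, the acme module's single-challenge assertion should fail at evaluation; `webroot = "/var/lib/acme/acme-challenge";` is the usual companion for an nginx-served host, assuming the challenge path is reachable on port 80 from sid. Pointing `server` at the internal step-ca also means lego on rx4 must trust that CA's root through the system store (`security.pki.certificates` or `certificateFiles`), and `security.acme.acceptTerms` plus a contact email must be set somewhere; none of that is visible in this patch, so confirm it exists in rx4's shared modules. A short comment above the block, e.g. `# certificates for the intranet vhosts, issued by the step-ca on sid over the ACME provisioner`, would make the private-CA dependency explicit to readers who only see this file.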
@@ -32,6 +44,31 @@ in
 root = "/var/www/doc";
 };
 };
+ "${constants.services.netdata.fqdn}" = {
+ forceSSL = true;
+ useACMEHost = "sid-internal";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ "${constants.services.vaultwarden.fqdn}" = {
+ forceSSL = true;
+ useACMEHost = "sid-internal";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString constants.services.vaultwarden.port}";
+ };
+ };
+
+ "${constants.services.webdav.fqdn}" = {
+ forceSSL = true;
+ useACMEHost = "sid-internal";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString constants.services.webdav.port}";
+ proxyWebsockets = true;
+ };
+ };
 };
 };
 }
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
index d3abb11..34031a2 100644
--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@@ -26,6 +26,7 @@ in
 key = config.sops.secrets."step-ca/intermediate-key".path;
 dnsNames = [
 constants.ca-fqdn
+ constants.hosts.rx4.ip
 constants.hosts.sid.ip
 ];
 logger = {
--
2.51.2
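Review bot: The netdata vhost proxies the dashboard through with no authentication in front of it, and combined with `openFirewall = true` from the preceding hunk these intranet hosts listen on every interface rx4 has, so the metrics UI is served to any network rx4 is attached to even though only the intranet resolver points at it. Consider `basicAuthFile` on the netdata vhost (or confirming netdata itself enforces authentication, which this patch does not show) and pinning `listenAddresses` to the intranet/tailnet address so TLS termination for vaultwarden and webdav is not offered on unrelated interfaces either. The vaultwarden vhost is also the only one without `proxyWebsockets = true;`, while vaultwarden's live-notification channel uses an upgraded connection on the same port, so client sync pushes will degrade silently unless that line is added for consistency with the other two. The enclosing `services.nginx` block begins in the previous hunk, which is truncated in this chunk.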
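Review bot: Adding `constants.hosts.rx4.ip` to step-ca's own `dnsNames` puts rx4's address into the SANs of the CA listener's certificate, but rx4 reaches the CA through `constants.ca-fqdn` (nginx.nix in this same patch) and step-ca runs on sid, so it is not evident which connection this SAN is meant to serve. If the CA is genuinely reachable at rx4's address (a forward or shared IP not shown here), record that in a comment such as `# step-ca is also reached via rx4's address`; otherwise the entry widens what the CA's TLS certificate asserts without a client that needs it. It is also worth checking that editing `dnsNames` here causes the running step-ca to reissue its listener certificate, since otherwise the new SAN only takes effect at the next renewal.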