hosts/rx4/services/nginx.nix

@@ -13,6 +13,18 @@ in
     inputs.synix.nixosModules.nginx
   ];
 
+  security.acme = {
+    certs."sid-internal" = {
+      domain = constants.services.vaultwarden.fqdn;
+      extraDomainNames = [
+        constants.services.netdata.fqdn
+        constants.services.webdav.fqdn
+      ];
+      server = "https://${constants.ca-fqdn}:8443/acme/acme/directory";
+      group = "nginx";
+    };
+  };
+
   systemd.tmpfiles.rules = [
     "d /var/www 0755 gitea-runner ${cfg.group} -"
   ];
@@ -23,8 +35,8 @@ in
 
   services.nginx = {
     enable = true;
-    openFirewall = false;
-    forceSSL = false;
+    openFirewall = true;
+    forceSSL = true;
 
     virtualHosts = {
       "${constants.services.docs.fqdn}" = {
@@ -32,6 +44,31 @@ in
           root = "/var/www/doc";
         };
       };
+      "${constants.services.netdata.fqdn}" = {
+        forceSSL = true;
+        useACMEHost = "sid-internal";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
+          proxyWebsockets = true;
+        };
+      };
+
+      "${constants.services.vaultwarden.fqdn}" = {
+        forceSSL = true;
+        useACMEHost = "sid-internal";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString constants.services.vaultwarden.port}";
+        };
+      };
+
+      "${constants.services.webdav.fqdn}" = {
+        forceSSL = true;
+        useACMEHost = "sid-internal";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString constants.services.webdav.port}";
+          proxyWebsockets = true;
+        };
+      };
     };
   };
 }

hosts/sid/services/step-ca.nix

@@ -26,6 +26,7 @@ in
       key = config.sops.secrets."step-ca/intermediate-key".path;
       dnsNames = [
         constants.ca-fqdn
+        constants.hosts.rx4.ip
         constants.hosts.sid.ip
       ];
       logger = {