authorschererleander <leander@schererleander.de>2026-02-03 21:18:33 +0100
committerschererleander <leander@schererleander.de>2026-02-03 21:18:33 +0100
commit3b4b7a56036ae9e05be6533da7c3741423335610 (patch)
tree5a4e222b1ebbf6991d0871f34d9baa99ae7ee4a2 /modules
parentb2372a73d7a3b0a08adba03299c7980767c0f50d (diff)
feat(sops): add certs to sops-nix
Diffstat (limited to 'modules')
-rw-r--r--modules/nixos/server/nextcloud/default.nix6
-rw-r--r--modules/nixos/server/nginx/default.nix17
-rw-r--r--modules/nixos/server/site/default.nix4
-rw-r--r--modules/secrets/default.nix8
4 files changed, 13 insertions, 22 deletions
diff --git a/modules/nixos/server/nextcloud/default.nix b/modules/nixos/server/nextcloud/default.nix
index 3fba5c8..695850d 100644
--- a/modules/nixos/server/nextcloud/default.nix
+++ b/modules/nixos/server/nextcloud/default.nix
@@ -56,11 +56,11 @@ in
phpOptions."opcache.interned_strings_buffer" = "64";
};
- services.nginx.virtualHosts = mkIf ((config.nx.server.nginx or { }).enable or false) {
+ services.nginx.virtualHosts = {
"cloud.schererleander.de" = {
forceSSL = true;
- sslCertificate = config.nx.server.nginx.sslCertificate;
- sslCertificateKey = config.nx.server.nginx.sslCertificateKey;
+ sslCertificate = config.sops.secrets."cert_fullchain".path;
+ sslCertificateKey = config.sops.secrets."cert_private".path;
};
};
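Review bot: The rewritten `services.nginx.virtualHosts = {` drops the `mkIf` guard that tied this vhost to the reverse-proxy module being enabled, so the Nextcloud vhost is now declared unconditionally even though `nx.server.nginx.enable` remains the documented switch in the nginx module (it is still defined in the second hunk). If the intent is only to stop depending on the removed `sslCertificate` options, keep the guard and change just the two paths: `services.nginx.virtualHosts = mkIf config.nx.server.nginx.enable {`. The enclosing module body continues outside the hunk, and the header's line count suggests a couple of blank context lines were lost in rendering.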
diff --git a/modules/nixos/server/nginx/default.nix b/modules/nixos/server/nginx/default.nix
index cf97109..d960d33 100644
--- a/modules/nixos/server/nginx/default.nix
+++ b/modules/nixos/server/nginx/default.nix
@@ -6,8 +6,6 @@
let
inherit (lib)
mkEnableOption
- mkOption
- types
mkIf
;
cfg = config.nx.server.nginx;
@@ -17,21 +15,6 @@ in
enable = mkEnableOption "nginx reverse proxy" // {
default = true;
};
- hostName = mkOption {
- description = "url of server";
- type = types.str;
- default = "schererleander.de";
- };
- sslCertificate = mkOption {
- description = "ssl certificate to use";
- type = types.nullOr types.str;
- default = "/etc/ssl/${cfg.hostName}/fullchain.pem";
- };
- sslCertificateKey = mkOption {
- description = "ssl certificate key to use";
- type = types.nullOr types.str;
- default = "/etc/ssl/${cfg.hostName}/privkey.key";
- };
};
config = mkIf cfg.enable {
services.nginx = {
diff --git a/modules/nixos/server/site/default.nix b/modules/nixos/server/site/default.nix
index be603c6..c1d472b 100644
--- a/modules/nixos/server/site/default.nix
+++ b/modules/nixos/server/site/default.nix
@@ -21,8 +21,8 @@ in
services.site = {
enable = true;
domain = "schererleander.de";
- sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem";
- sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key";
+ sslCertificate = config.sops.secrets."cert_fullchain".path;
+ sslCertificateKey = config.sops.secrets."cert_private".path;
};
};
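Review bot: `services.site` now reads `cert_private` via `config.sops.secrets."cert_private".path`, but the fourth hunk makes that secret owner `nginx` with sops-nix's default (owner-only) mode, so this works only if the site service is itself served through nginx or runs as the `nginx` user; I cannot tell from the hunk which it is. If `services.site` runs under its own user, the key will be unreadable at start-up and the service will fail with a permission error rather than at evaluation time. Either confirm the service is fronted by nginx, or give the secret a group the site user is in and set `mode = "0440";` in `modules/secrets/default.nix`.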
}
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 03d1bc6..682596b 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -29,6 +29,14 @@
owner = "root";
mode = "0600";
};
+ "cert_fullchain" = {
+ owner = "nginx";
+ group = "nginx";
+ };
+ "cert_private" = {
+ owner = "nginx";
+ group = "nginx";
+ };
};
};
}
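Review bot: The new `cert_private` entry sets only `owner`/`group` and leaves `mode` implicit, while the secret just above it spells out `mode = "0600";`; for a TLS private key the permission should be stated explicitly so a later change to the module-level default cannot widen it, e.g. `mode = "0400";`. Also, nothing here reloads nginx when the decrypted material changes, so a rotated certificate in the sops file will not be picked up until the service restarts for another reason; add `restartUnits = [ "nginx.service" ];` (or `reloadUnits`) to both `cert_fullchain` and `cert_private`. `cert_fullchain` is public material, so keeping it in sops is harmless but it inherits the same owner-only visibility, which is fine as long as only nginx reads it.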