From 15b0781beedf80ab26281210e7b8395a58ce94a5 Mon Sep 17 00:00:00 2001
From: uku
Date: Fri, 3 Jan 2025 11:26:54 +0100
Subject: [PATCH] feat(vesuvio): add acme certificates
---
 systems/vesuvio/certificates.nix | 25 +++++++++++++++++++++++++
 systems/vesuvio/default.nix | 15 ++++++++++++---
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 systems/vesuvio/certificates.nix
diff --git a/systems/vesuvio/certificates.nix b/systems/vesuvio/certificates.nix
new file mode 100644
index 0000000..dce62e8
--- /dev/null
+++ b/systems/vesuvio/certificates.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "acme@uku.moe";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "acme.uku3lig.net" = {
+ serverAliases = [
+ "*.uku3lig.net"
+ "*.uku.moe"
+ ];
+
+ locations."/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ };
+ };
+
+ # /var/lib/acme/acme-challenge must be writable by the ACME user and readable by the Nginx user.
+ # The easiest way to achieve this is to add the Nginx user to the ACME group.
+ users.users.nginx.extraGroups = [ "acme" ];
+}
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index 46a7b3d..7c06490 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }:
 {
 imports = [
+ ./certificates.nix
 ./frp.nix
 ./hetzner.nix
 ];
@@ -10,8 +11,16 @@
 traceroute
 ];
 
- services.openssh = {
- ports = [ 4269 ];
- openFirewall = true;
+ services = {
+ nginx.enable = true;
+ openssh = {
+ ports = [ 4269 ];
+ openFirewall = true;
+ };
 };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
 }
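Review bot: Nothing in certificates.nix actually requests a certificate: `security.acme.certs` is not declared and the `acme.uku3lig.net` virtual host sets neither `enableACME` nor `forceSSL`, so the webroot and the `/.well-known/acme-challenge` location stay dormant unless a certificate is declared in another module not visible here. The `serverAliases` hint at wildcard coverage of `*.uku3lig.net` and `*.uku.moe`; if wildcard certificates are the goal, the HTTP-01/webroot flow cannot issue them and a DNS-01 setup (`security.acme.defaults.dnsProvider` plus a `credentialsFile`) is required instead. As written the catch-all vhost also answers plain HTTP for every subdomain of both zones with nginx's default root, so the intent should be stated at the top of the file, e.g. `# HTTP-01 challenge responder for every host under uku3lig.net / uku.moe; certificates themselves are requested per vhost via enableACME`.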
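Review bot: Port 443 is opened in `networking.firewall.allowedTCPPorts`, but no virtual host in this commit configures TLS (no `forceSSL`, `addSSL` or `onlySSL`), so nginx will not listen on 443 and the firewall rule has no listener behind it until a TLS vhost is added. The NixOS nginx module's hardened TLS defaults are opt-in, so when that vhost arrives it is worth enabling them next to `nginx.enable = true;`: `nginx.recommendedTlsSettings = true;` (and `nginx.recommendedProxySettings = true;` only if vhosts proxy to upstreams). The regrouping of `services.openssh` under the `services` attribute set is behaviour-preserving and needs no change.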