From ca39656b23d1dddd8425de79a3343f48f2fa4bc2 Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Fri, 8 Dec 2023 16:32:16 +0100
Subject: [PATCH] add certificate to invidious
---
 modules/invidious.nix | 12 +++++++++---
 modules/step-ca.nix | 1 +
 systems/pc/configuration.nix | 14 ++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/modules/invidious.nix b/modules/invidious.nix
index 4da565a..20f3449 100644
--- a/modules/invidious.nix
+++ b/modules/invidious.nix
@@ -1,12 +1,16 @@
 { config, vars, ...} :
 let
 fqdn = "yt.local";
+ useHttps = config.services.step-ca.enable;
 in
 {
 age.secrets.invidious-extra-settings = {
 file = ../secrets/invidious-extra-settings.age;
 mode = "444";
 };
+
+ security.acme.certs."yt.local".server = "https://127.0.0.1:8443/acme/acme/directory";
+
 services.invidious = {
 enable = true;
@@ -24,10 +28,10 @@ in
 };
 host_binding = "127.0.0.1";
- external_port = 80;
- https_only = false;
+ external_port = if useHttps then 443 else 80;
+ https_only = useHttps;
- use_quic = false;
+ use_quic = useHttps;
 statistics_enabled = false;
@@ -48,6 +52,8 @@ in
 };
 services.nginx.virtualHosts."${fqdn}" = {
+ forceSSL = useHttps;
+ enableACME = useHttps;
 locations."/" = {
 recommendedProxySettings = true;
 proxyPass = "http://127.0.0.1:8007";
diff --git a/modules/step-ca.nix b/modules/step-ca.nix
index fbfc2d5..b2b41d2 100644
--- a/modules/step-ca.nix
+++ b/modules/step-ca.nix
@@ -32,6 +32,7 @@ AgN9qNc3Jbo=
 in
 {
+ security.pki.certificates = [ root_ca ];
 age.secrets.step-ca-pw = {
 file = ../secrets/step-ca-pw.age;
 owner = "step-ca";
diff --git a/systems/pc/configuration.nix b/systems/pc/configuration.nix
index 42bcbb1..e598c40 100644
--- a/systems/pc/configuration.nix
+++ b/systems/pc/configuration.nix
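Review bot: The new `security.acme.certs."yt.local".server` line hardcodes the hostname that the `fqdn` binding two lines above already holds, and it is defined even when `useHttps` is false, so as far as I can tell a host without step-ca would still get an ACME certificate entry pointed at a local directory URL that nothing is listening on. I would key it on the binding and gate it on the same flag the rest of the commit uses: `security.acme.certs."${fqdn}" = lib.mkIf useHttps { server = "https://127.0.0.1:8443/acme/acme/directory"; };`, which needs `lib` added to the module's `{ config, vars, ...}` argument set. The third hunk's `enableACME = useHttps;` only finds this certificate because both sides happen to spell `yt.local`, so using `fqdn` in both places keeps them from drifting apart. A short comment on the `server` attribute saying the URL is presumably the local step-ca ACME provisioner's directory would also help, since the path alone does not say so.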
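Review bot: `use_quic = useHttps;` ties an unrelated setting to the serving mode: as far as I know Invidious's `use_quic` controls whether its outbound requests to YouTube use QUIC, not how the instance itself is exposed, whereas `external_port` and `https_only` are genuinely about the public endpoint. Unless enabling QUIC toward YouTube was a deliberate part of this HTTPS rollout, I would keep the removed line, `use_quic = false;`, or at least add a comment on the new line stating why it now tracks `useHttps`. The enclosing attribute set begins and ends outside the hunk.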
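Review bot: `security.pki.certificates = [ root_ca ];` installs the private step-ca root into the system-wide trust store, so every TLS client on this host that uses the system bundle will accept anything that root signs, not only the `yt.local` certificate this commit is after; the inline certificate added in `systems/pc/configuration.nix` widens trust the same way on that host. That is the normal way to make a private CA usable, but the line deserves a comment saying so, e.g. `# Trust the step-ca root system-wide so nginx/ACME and local clients accept the certificates it issues`, and it makes protecting the CA key and limiting what the CA may issue for the compensating control. The `root_ca` binding is defined above the hunk, outside the visible lines.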
@@ -94,6 +94,20 @@
 # wget
 ];
+ security.pki.certificates = [ ''
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
+MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
+MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
+IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
+f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
+y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
+HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
+AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
+gpuVkfVkA8gQCXNs5F9TnxA=
+-----END CERTIFICATE-----
+ ''];
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
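Review bot: The inline PEM block added under `security.pki.certificates` carries no comment saying which CA it is, where it came from, or when it expires, and a later reader cannot get that from a base64 blob; decoding the visible DER suggests a subject of `Kop Root CA` valid from 2023-12-08 to 2033-12-05 with CA:TRUE, but that should be confirmed against the CA host. I would add a comment above the `''` literal such as `# step-ca root CA trusted for yt.local (Kop Root CA, expires 2033-12-05); copy from the CA host, do not edit by hand`. If this is meant to be the same root that `modules/step-ca.nix` keeps in its `root_ca` binding, sharing that binding instead of a second copy would keep the two from drifting; the last base64 line of the step-ca certificate shown in that hunk's header differs from this one, so they may be different certificates and that is worth stating in the comment either way.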