add certificate to invidious

2023-12-08 16:32:16 +01:00
parent caff696994
commit ca39656b23
3 changed files with 24 additions and 3 deletions
--- a/modules/invidious.nix
+++ b/modules/invidious.nix
@@ -1,12 +1,16 @@
 { config, vars, ...} :
 let
  fqdn = "yt.local";
+  useHttps = config.services.step-ca.enable;
 in
 {
  age.secrets.invidious-extra-settings = {
    file = ../secrets/invidious-extra-settings.age;
    mode = "444";
  };
+
+  security.acme.certs."yt.local".server = "https://127.0.0.1:8443/acme/acme/directory";
+
  services.invidious = {
    enable = true;

@@ -24,10 +28,10 @@ in
      };

      host_binding = "127.0.0.1";
-      external_port = 80;
-      https_only = false;
+      external_port = if useHttps then 443 else 80;
+      https_only = useHttps;

-      use_quic = false;
+      use_quic = useHttps;

      statistics_enabled = false;

@@ -48,6 +52,8 @@ in
  };

  services.nginx.virtualHosts."${fqdn}" = {
+    forceSSL = useHttps;
+    enableACME = useHttps;
    locations."/" = {
      recommendedProxySettings = true;
      proxyPass = "http://127.0.0.1:8007";
--- a/modules/step-ca.nix
+++ b/modules/step-ca.nix
@@ -32,6 +32,7 @@ AgN9qNc3Jbo=

 in
 {
+  security.pki.certificates = [ root_ca ];
  age.secrets.step-ca-pw = {
    file = ../secrets/step-ca-pw.age;
    owner = "step-ca";