feat: add known hosts

2026-04-04 16:51:21 +02:00 · 2026-04-04 16:51:21 +02:00 · 3afb7d5cf4
commit 3afb7d5cf4
parent ecf10628c3
3 changed files with 159 additions and 46 deletions
--- a/intermediate/nginx.nix
+++ b/intermediate/nginx.nix
@ -205,6 +205,33 @@ let
          proxyWebsockets = route.content.proxyWebsockets;
        };
      }
+    else if route.type == "inline" then
+      let
+        inlineBody =
+          if builtins.isString route.content then
+            route.content
+          else
+            route.content.body;
+        inlineStatus =
+          if builtins.isAttrs route.content && route.content ? status then
+            route.content.status
+          else
+            200;
+        inlineContentType =
+          if builtins.isAttrs route.content && route.content ? contentType then
+            route.content.contentType
+          else
+            "text/plain; charset=utf-8";
+      in
+      {
+        name = "= ${route.endpoint}";
+        value = {
+          return = "${toString inlineStatus} ${builtins.toJSON inlineBody}";
+          extraConfig = ''
+            default_type ${inlineContentType};
+          '';
+        };
+      }
    else
      let
        statusValue =
@ -284,10 +311,43 @@ let
        value = base // exposureConfig // sslConfig;
      };

-  virtualHostsData = builtins.listToAttrs (lib.mapAttrsToList mkVirtualHost groupedByHost);
+  baseVirtualHostsData = builtins.listToAttrs (lib.mapAttrsToList mkVirtualHost groupedByHost);
+
+  tlsDomains =
+    lib.unique (map (route: route.domain) (lib.filter (route: route.force_ssl) mappedEndpoints));
+
+  mkRedirectVhost = domain: {
+    name = "redirect_${sanitizeHostKey domain}_80";
+    value = {
+      serverName = domain;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+      ];
+      locations."/" = {
+        return = "301 https://$host$request_uri";
+      };
+      locations."^~ /.well-known/acme-challenge/" = {
+        root = "/var/lib/acme/acme-challenge";
+        extraConfig = ''
+          auth_basic off;
+          auth_request off;
+        '';
+      };
+    };
+  };
+
+  redirectVirtualHostsData = builtins.listToAttrs (map mkRedirectVhost tlsDomains);
+
+  virtualHostsData = baseVirtualHostsData // redirectVirtualHostsData;

  nginxUsedPorts =
-    lib.unique (map (route: route.port) mappedEndpoints);
+    lib.unique (
+      (map (route: route.port) mappedEndpoints)
+      ++ lib.optional (tlsDomains != []) 80
+    );

  acmeDomains =
    lib.unique (map (route: route.domain) (lib.filter (route: route.force_ssl) mappedEndpoints));