From e5a55144aae9b487c8ce97022508be0c1f6d6e04 Mon Sep 17 00:00:00 2001 From: Mel Date: Sat, 19 Apr 2025 05:03:08 +0200 Subject: Remove cyclic service dependency between tailnet certificate and Nginx Signed-off-by: Mel
---
 modules/foundation/www/tailnet.nix | 79 +++++++++++++++++++++----------------- 1 file changed, 43 insertions(+), 36 deletions(-) (limited to 'modules/foundation')
diff --git a/modules/foundation/www/tailnet.nix b/modules/foundation/www/tailnet.nix
index b361fef..90c21e2 100644
--- a/modules/foundation/www/tailnet.nix
+++ b/modules/foundation/www/tailnet.nix
@@ -76,47 +76,54 @@ in
 tailnet = lib.mkEnableOption "tailnet internal host";
 };
 
- config =
- lib.mkIf (cfg.enable && cfg.tailnet) {
- foundation.tailnetServices = [
- "nginx"
- "acme-${me.tailscale.domain}"
- ];
+ config = lib.mkIf (cfg.enable && cfg.tailnet) {
+ security.acme.certs.${me.tailscale.domain} = {
+ # since we replace the renew script, the dns provider is not important,
+ # however, we can't have the configuration thinking that the acme
+ # renewal service depends on nginx, so instead it's a "dns certificate".
+ dnsProvider = "dummy";
+ webroot = null;
+ };
 
- # overwrite default acme behaviour with tailscale
- systemd.services."acme-${me.tailscale.domain}" = {
- serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";
- };
+ # overwrite default acme behaviour with tailscale
+ systemd.services."acme-${me.tailscale.domain}" = {
+ serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";
+ };
 
- # tailnet internal vhost
- services.nginx.virtualHosts = {
- # mostly superceded
- tailnet = {
- forceSSL = true;
- enableACME = true;
- serverName = me.tailscale.domain;
- listenAddresses = [ me.tailscale.ip ];
- # point to the default page, for now!
- locations."/" = {
- alias = "${cfg.defaultPage}/";
- };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
+ # tailnet internal vhost
+ services.nginx.virtualHosts = {
+ # mostly superceded
+ tailnet = {
+ forceSSL = true;
+ enableACME = true;
+ serverName = me.tailscale.domain;
+ listenAddresses = [ me.tailscale.ip ];
+ # point to the default page, for now!
+ locations."/" = {
+ alias = "${cfg.defaultPage}/";
 };
+ extraConfig = ''
+ access_log /var/log/nginx/tailnet.access.log json_combined;
+ '';
+ };
 
- # default page for the `rnrd.fyi` internal domain
- ${rnrdInternalUrl} = {
- useACMEHost = "rnrd.fyi";
- forceSSL = true;
- listenAddresses = [ me.tailscale.ip ];
- locations."/" = {
- alias = "${cfg.defaultPage}/";
- };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
+ # default page for the `rnrd.fyi` internal domain
+ ${rnrdInternalUrl} = {
+ useACMEHost = "rnrd.fyi";
+ forceSSL = true;
+ listenAddresses = [ me.tailscale.ip ];
+ locations."/" = {
+ alias = "${cfg.defaultPage}/";
 };
+ extraConfig = ''
+ access_log /var/log/nginx/tailnet.access.log json_combined;
+ '';
 };
 };
+
+ foundation.tailnetServices = [
+ "nginx"
+ "acme-${me.tailscale.domain}"
+ ];
+ };
 }
-- cgit 1.4.1
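Review bot: The `serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";` line keeps systemd's `+` prefix, so the replacement renew script runs with full privileges and skips the `User=`/`Group=`, capability-bounding and filesystem-sandbox settings the NixOS ACME module applies to `acme-<domain>.service`; the cycle fix leaves this untouched, and now that the certificate is declared as a plain `dnsProvider` cert nothing in the file says why root is needed. Suggest a comment above that line, `# "+" runs the renew script as root, outside the acme unit's User=/sandbox hardening — confirm this is still required`, or dropping the `+` if the script can be given the tailscale access it needs as the acme user instead. `tailscaleRenewScript` is defined outside this hunk, so I cannot see where it writes the certificate; confirm the output lands in the path and with the `acme` user/group ownership that the ACME module and the `enableACME = true` vhost expect, otherwise nginx may reload against unreadable or stale files. The `dnsProvider = "dummy"` placeholder may also collide with any ACME-module assertion that a DNS-challenge certificate carries credentials; if evaluation passes today, a one-line note that lego never runs for this cert would spare the next reader the question.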