Mealie: Part 2

machines/modules/ubiquity/default.nix

@@ -1,12 +1,24 @@
-{ build, ... }:
+{ lib, build, ... }:
 
 let
 
     hostname = "cake";
     user = build.config.provision.user."${hostname}".username;
 
+    certType = descExtra: default: lib.mkOption {
+        type = lib.types.path;
+        description = "Path to server SSL certificate${descExtra}.";
+        inherit default;
+    };
+
 in {
     imports = [ ../../../home/modules/ubiquity/theme/base.nix ];
+
+    options = {
+        services.mealie.sslCertificate = certType "" ./dummy.crt;
+        services.mealie.sslCertificateKey = certType " key" ./dummy.key;
+    };
+
     config = {
         nix.extraOptions = ''
             experimental-features = nix-command flakes

machines/modules/ubiquity/dummy.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBrTCCAVWgAwIBAgIJAJ7H+P8AKLJnMAoGCCqGSM49BAMCMBQxEjAQBgNVBAMM
+CXlvdXItZG9tYWluMCAXDTIwMDEwMTAwMDAwMFoYDzIwNTAwMTAxMDAwMDAwWjAU
+MRIwEAYDVQQDDAl5b3VyLWRvbWFpbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BCb/y8C8kVmktQIMlq64rL+SH79bsXAzJpA4glxs6x8Jkbh+Hrs1Si+3VSdK4FHv
+Wv1kFjeRtG/i2/q1ibwZk7CjUDBOMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFL6t
+9dqsKwzW62XxQpjQFUVHoKwrMB8GA1UdIwQYMBaAFL6t9dqsKwzW62XxQpjQFUVH
+oKwrMAoGCCqGSM49BAMCA0cAMEQCICfguPMd5L9jyLUMv0RNDplZCojF8uo1cg2V
+pE5GQ/MMAiBa+d6ThAe77/jhB3puZVq+dIQihqS2FJfovRhbXsUw==
+-----END CERTIFICATE-----

machines/modules/ubiquity/dummy.key

@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAL5QOAFNDYVYVqMk+EO8yONMVV2GVOWA+uqlFAJgKjK/xYk7s+jR
+Vwfpj8N9T+rfndtkAvT7dd7y9dh8OB+ZsUECAwEAAQJAV/oa0mVwjsJ58ukBOpJu
+c6ivO+RxU9SD9nUwKDoXK94oNjpyAJGFcRx2+hGe/7Er9/B2RGPXT/E4+VVmb9NJ
+MQIhAOzbm9GyKBkmg9RAH2L7khoNQ5GVnFw+LlRjHR+msH35AiEAztZbXhzLzXx9
+R/fKtuh5Zx9gHYFQnlh/HWMsdpWxx5sCIQDQDqh8PVKfpNxuzWVoaj17Wy/hwnvT
+0mgYxe3LuOKn/QIhAJJoKn4s2HrxPH8kZ5PRIzPy3G6rdc9Y/PC3YMaAuVw/AiEA
+t90Z6ubMjxfXyt+Gxq9nSmPqseYCboM/NMIEuYIsTcQ=
+-----END RSA PRIVATE KEY-----

machines/target/cake/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, build, ... }:
+{ config, pkgs, build, ... }:
 
 let
 
@@ -85,6 +85,7 @@ in {
     location.longitude = -97.7431;
 
     networking.domain = "home.arpa";
+    networking.firewall.allowedTCPPorts = [ 443 ];
     networking.hostId = "2d58ff06";
     networking.hostName = hostname;
     #networking.interfaces.eno1.useDHCP = false;
@@ -127,6 +128,35 @@ in {
     services.libinput.mouse.scrollMethod = "button";
     services.locate.enable = true;
     services.mealie.enable = true;
+
+    services.nginx = {
+        enable = true;
+        virtualHosts = {
+            "meali.home.arpa" = {
+                listen = [
+                    {
+                        addr = "0.0.0.0";
+                        port = 443;
+                        ssl = true;
+                    }
+                ];
+                forceSSL = true;
+                inherit (config.services.mealie)
+                    sslCertificate
+                    sslCertificateKey;
+                locations."/" = {
+                    proxyPass = "http://127.0.0.1:9000";
+                    extraConfig = ''
+                        proxy_set_header Host $host;
+                        proxy_set_header X-Real-IP $remote_addr;
+                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                        proxy_set_header X-Forwarded-Proto https;
+                    '';
+                };
+            };
+        };
+    };
+
     services.ntp.enable = true;
     services.openssh.enable = true;
     services.openssh.extraConfig = ''AllowUsers tnks mzhajra'';