-rw-r--r--sys/preset/dmz.nix2
-rw-r--r--sys/web/default.nix1
-rw-r--r--sys/web/nginx.nix37
-rw-r--r--sys/web/sites/default.nix5
-rw-r--r--sys/web/sites/portal.nix23
5 files changed, 53 insertions, 15 deletions
diff --git a/sys/preset/dmz.nix b/sys/preset/dmz.nix
index 16b125f..c6e290e 100644
--- a/sys/preset/dmz.nix
+++ b/sys/preset/dmz.nix
@@ -36,7 +36,7 @@ in
hostname = "dmz";
};
- web.enable = true;
+ web.sites.portal.enable = true;
};
users = {
diff --git a/sys/web/default.nix b/sys/web/default.nix
index 6c73506..2fc769f 100644
--- a/sys/web/default.nix
+++ b/sys/web/default.nix
@@ -2,5 +2,6 @@
imports = [
./nginx.nix
./php-fpm.nix
+ ./sites
];
}
diff --git a/sys/web/nginx.nix b/sys/web/nginx.nix
index db2d27d..a971eb2 100644
--- a/sys/web/nginx.nix
+++ b/sys/web/nginx.nix
@@ -6,6 +6,11 @@ in
{
options.local.web = {
enable = mkEnableOption "web server";
+
+ ownedCerts = mkOption {
+ type = with lib.types; listOf str;
+ default = [ ];
+ };
};
config = mkIf cfg.enable {
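Review bot: The new `ownedCerts` option (L43–L46) has no `description`, so it appears undocumented in generated option listings and nothing tells a site module what the strings must name. From the way the next hunk consumes it (each entry is looked up as `domains.${name}.main` and enables `local.certs.${name}`), something like `description = "Names of local.domains entries whose ACME certificates this nginx instance owns; each one also enables local.certs.<name>.";` would capture the contract. Because a `listOf` option merges by concatenation, several site modules declaring the same name produce duplicates in the list; adding `apply = lib.unique;` to the option keeps the merged value a set of names before the two `listToAttrs` calls in the next hunk consume it. The `config = mkIf cfg.enable {` set opened on this hunk's last line continues in the next hunk.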
@@ -21,25 +26,29 @@ in
clientMaxBodySize = "42M";
- virtualHosts = {
- ${domains.host.www} = {
- serverAliases = [ domains.host.main ];
- useACMEHost = domains.host.main;
- forceSSL = true;
- };
- };
+ virtualHosts = { };
};
+ local.certs = listToAttrs (map
+ (name: {
+ inherit name;
+ value.enable = true;
+ })
+ cfg.ownedCerts);
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
security = {
- acme.certs.${domains.host.main} = {
- inherit (config.services.nginx) group;
- };
+ acme.certs = listToAttrs (map
+ (name: {
+ name = domains.${name}.main;
+ value = {
+ group = mkDefault config.services.nginx.group;
+ };
+ })
+ cfg.ownedCerts);
dhparams.params.nginx = { };
};
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- local.certs.host.enable = true;
};
}
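Review bot: Both `listToAttrs` maps in this hunk index `domains.${name}` and `local.certs.${name}` with whatever strings a site module put into `ownedCerts`, so a typo or a name with no `local.domains` entry surfaces as a bare missing-attribute evaluation error far from the site module that caused it. An assertion inside this `config` block, `assertions = [ { assertion = lib.all (n: builtins.hasAttr n domains) cfg.ownedCerts; message = "local.web.ownedCerts must name local.domains entries"; } ];`, points at the actual mistake instead. Relaxing the cert group from a hard `inherit` to `mkDefault` is reasonable for letting a site override it, but a short comment on L77 recording why the default exists (presumably so the nginx worker can read the issued key material — confirm against the `local.certs` module, which is not in this diff) would stop someone overriding it without realising what breaks. The `config = mkIf cfg.enable {` set this hunk closes is opened in the previous hunk.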
diff --git a/sys/web/sites/default.nix b/sys/web/sites/default.nix
new file mode 100644
index 0000000..b453d24
--- /dev/null
+++ b/sys/web/sites/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./portal.nix
+ ];
+}
diff --git a/sys/web/sites/portal.nix b/sys/web/sites/portal.nix
new file mode 100644
index 0000000..e46a9b1
--- /dev/null
+++ b/sys/web/sites/portal.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.web.sites.portal;
+ inherit (config.local) domains;
+in
+{
+ options.local.web.sites.portal = {
+ enable = mkEnableOption "public non-fqdn portal";
+ };
+
+ config = mkIf cfg.enable {
+ local.web = {
+ enable = mkDefault true;
+ ownedCerts = [ "host" ];
+ };
+
+ services.nginx.virtualHosts.${domains.host.www} = {
+ forceSSL = true;
+ useACMEHost = domains.host.main;
+ serverAliases = [ domains.host.main ];
+ };
+ };
+}
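Review bot: The `virtualHosts.${domains.host.www}` entry (L122–L126) sets `forceSSL` and `useACMEHost` but no `root` or `locations`, so what this vhost serves is whatever nginx falls back to without a root directive; if an empty placeholder is intended until content is wired in, a one-line comment on L122 such as `# placeholder vhost: TLS termination and redirect only, no content yet` keeps the next reader from treating it as a bug. The `ownedCerts = [ "host" ]` line and `useACMEHost = domains.host.main` only work together because `nginx.nix` keys ACME certs by `domains.<name>.main`, so a comment on L119 like `# "host" must be the local.domains attribute whose .main is used by useACMEHost below` documents that coupling. `serverAliases = [ domains.host.main ]` under `forceSSL` means the bare name is served over HTTPS with the same certificate, which is only correct if that certificate covers both the www and bare names — the `local.certs` definition is not visible here, so worth confirming.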