refactor(nginx): Clean up nginx configuration

configuration/nginx/ssl.nix

@@ -0,0 +1,68 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  options = {
+    # Add a custom per-host option to enable HSTS
+    services.nginx.virtualHosts = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { config, ... }:
+          {
+            options.enableHSTS = lib.mkEnableOption "HSTS";
+            config.extraConfig = lib.mkIf config.enableHSTS ''
+              add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+            '';
+          }
+        )
+      );
+    };
+  };
+
+  config = {
+    # Certificate settings
+    security.acme = {
+      defaults.email = "tm@tlater.net";
+      acceptTerms = true;
+
+      certs."tlater.net" = {
+        extraDomainNames = [
+          "*.tlater.net"
+          "tlater.com"
+          "*.tlater.com"
+        ];
+        dnsProvider = "porkbun";
+        group = config.users.groups.ssl-cert.name;
+        credentialFiles = {
+          PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
+          PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
+        };
+      };
+    };
+    users.groups.ssl-cert = { };
+
+    # Back up the SSL certificate, just in case
+    services.backups.acme = {
+      user = "acme";
+      paths = [ "/var/lib/acme/tlater.net" ];
+    };
+
+    systemd.services = {
+      nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ];
+
+      # Don't attempt to retrieve a certificate if the domain name
+      # doesn't *actually* match the cert name
+      #
+      # TODO(tlater): Set up pebble to retrieve certs "properly"
+      # instead
+      "acme-tlater.net".serviceConfig.ExecCondition =
+        let
+          confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';
+        in
+        ''${pkgs.runtimeShell} -c '${confirm}' '';
+    };
+  };
+}