refactor: update host binding and consolidate ACME domains

- Change OpenWebUI host binding from 0.0.0.0 to 127.0.0.1 for security.
- Consolidate ACME certificates under internal.hoyer.world with extra domain names.
- Update Nginx virtual hosts to use the unified ACME host internal.hoyer.world.

systems/x86_64-linux/sgx/acme.nix

@@ -1,8 +1,5 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
+{ config
+, ...
 }:
 {
   sops.secrets.internetbs = {
@@ -17,8 +14,12 @@
       credentialsFile = config.sops.secrets.internetbs.path;
     };
     certs = {
-      "openwebui.hoyer.world" = { };
-      "syncthing.hoyer.world" = { };
+      "internal.hoyer.world" = {
+        extraDomainNames = [
+          "openwebui.hoyer.world"
+          "syncthing.hoyer.world"
+        ];
+      };
     };
   };
 }

systems/x86_64-linux/sgx/nginx.nix

@@ -1,8 +1,5 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
+{ config
+, ...
 }:
 {
   users.users.nginx.extraGroups = [ "acme" ];
@@ -23,7 +20,7 @@
     virtualHosts = {
       "openwebui.hoyer.world" = {
         enableACME = false;
-        useACMEHost = "openwebui.hoyer.world";
+        useACMEHost = "internal.hoyer.world";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString config.services.open-webui.port}";
@@ -32,7 +29,7 @@
       };
       "syncthing.hoyer.world" = {
         enableACME = false;
-        useACMEHost = "syncthing.hoyer.world";
+        useACMEHost = "internal.hoyer.world";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:8384";

systems/x86_64-linux/sgx/openwebui.nix

@@ -3,7 +3,7 @@
   services.open-webui = {
     enable = true;
     port = 8080;
-    host = "0.0.0.0";
+    host = "127.0.0.1";
     environment = {
       ANONYMIZED_TELEMETRY = "False";
       DO_NOT_TRACK = "True";