From 3e1745954fa4928ad7cb825b79e834ad1b7c6f3f Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Sat, 15 Mar 2025 15:01:28 +0100
Subject: [PATCH] refactor: update host binding and consolidate ACME domains

- Change OpenWebUI host binding from 0.0.0.0 to 127.0.0.1 for security.
- Consolidate ACME certificates under internal.hoyer.world with extra domain names.
- Update Nginx virtual hosts to use the unified ACME host internal.hoyer.world.
---
 systems/x86_64-linux/sgx/acme.nix      | 15 ++++++++-------
 systems/x86_64-linux/sgx/nginx.nix     | 11 ++++-------
 systems/x86_64-linux/sgx/openwebui.nix |  2 +-
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix
index e8e6e3e..f3ed939 100644
--- a/systems/x86_64-linux/sgx/acme.nix
+++ b/systems/x86_64-linux/sgx/acme.nix
@@ -1,8 +1,5 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
+{ config
+, ...
 }:
 {
   sops.secrets.internetbs = {
@@ -17,8 +14,12 @@
       credentialsFile = config.sops.secrets.internetbs.path;
     };
     certs = {
-      "openwebui.hoyer.world" = { };
-      "syncthing.hoyer.world" = { };
+      "internal.hoyer.world" = {
+        extraDomainNames = [
+          "openwebui.hoyer.world"
+          "syncthing.hoyer.world"
+        ];
+      };
     };
   };
 }
diff --git a/systems/x86_64-linux/sgx/nginx.nix b/systems/x86_64-linux/sgx/nginx.nix
index 6d86d9f..96a7761 100644
--- a/systems/x86_64-linux/sgx/nginx.nix
+++ b/systems/x86_64-linux/sgx/nginx.nix
@@ -1,8 +1,5 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
+{ config
+, ...
 }:
 {
   users.users.nginx.extraGroups = [ "acme" ];
@@ -23,7 +20,7 @@
     virtualHosts = {
       "openwebui.hoyer.world" = {
         enableACME = false;
-        useACMEHost = "openwebui.hoyer.world";
+        useACMEHost = "internal.hoyer.world";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString config.services.open-webui.port}";
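Review bot: The new `extraDomainNames` list under the `internal.hoyer.world` cert is now the single place that decides which hostnames nginx can present a valid certificate for, but nothing records that coupling; a vhost added later in nginx.nix with `useACMEHost = "internal.hoyer.world"` and a name missing from this list would be served a certificate without that SAN and rejected by clients. A comment above the list would make the contract explicit: `# every vhost in nginx.nix that sets useACMEHost = "internal.hoyer.world" must be listed here`. Note also that `internal.hoyer.world` is now the certificate's primary subject although no vhost in this patch serves it, so the validation path (the `credentialsFile` context line suggests a DNS-based challenge, not shown here) has to be able to satisfy a challenge for that bare name too. The enclosing attribute set that holds `certs` starts before this hunk.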
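Review bot: The `proxyPass` on the last line of the `@@ -23,7 +20,7 @@` hunk still hard-codes `127.0.0.1` while the port is read from `config.services.open-webui.port`; now that `services.open-webui.host` is pinned to `127.0.0.1` in openwebui.nix, reading the host the same way keeps the two files from drifting apart: `proxyPass = "http://${config.services.open-webui.host}:${toString config.services.open-webui.port}";`. The switch to `useACMEHost = "internal.hoyer.world"` here and in the `syncthing.hoyer.world` vhost in the following hunk depends on both names being listed under that cert's `extraDomainNames` in acme.nix, which nothing in nginx.nix states; a comment next to `useACMEHost`, e.g. `# name must appear in the internal.hoyer.world cert's extraDomainNames (acme.nix)`, would document it. The `locations."/"` block continues past the end of the hunk.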
@@ -32,7 +29,7 @@
       };
       "syncthing.hoyer.world" = {
         enableACME = false;
-        useACMEHost = "syncthing.hoyer.world";
+        useACMEHost = "internal.hoyer.world";
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:8384";
diff --git a/systems/x86_64-linux/sgx/openwebui.nix b/systems/x86_64-linux/sgx/openwebui.nix
index 0c91512..fed3e21 100644
--- a/systems/x86_64-linux/sgx/openwebui.nix
+++ b/systems/x86_64-linux/sgx/openwebui.nix
@@ -3,7 +3,7 @@
   services.open-webui = {
     enable = true;
     port = 8080;
-    host = "0.0.0.0";
+    host = "127.0.0.1";
     environment = {
       ANONYMIZED_TELEMETRY = "False";
       DO_NOT_TRACK = "True";
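Review bot: The new `host = "127.0.0.1";` line carries no comment saying that the loopback binding is deliberate and that the only intended path to the service is the nginx vhost in nginx.nix, which proxies to `http://127.0.0.1:${toString config.services.open-webui.port}`; a later edit that "fixes" connectivity by going back to `0.0.0.0` would silently re-expose port 8080 on every interface. Suggest `# loopback only: reached exclusively through the nginx reverse proxy (nginx.nix)` directly above the line. Because this binds the IPv4 loopback specifically, a proxy target written as `localhost` could resolve to `::1` and fail; the nginx config in this patch uses the literal `127.0.0.1`, so the two agree today, and the comment should say the address must match. The `services.open-webui` set continues past the end of the hunk.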