From 8092bac6b76deb5f2f4777d92829caa8dc37ff3a Mon Sep 17 00:00:00 2001
From: soraefir
Date: Thu, 7 May 2026 00:03:43 +0200
Subject: [PATCH] nginx
---
 modules/server/containers/defs/authentik.nix | 5 +--
 modules/server/nginx/default.nix | 45 ++++++++++++++++++++
 systems/sandbox/cfg.nix | 1 +
 3 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 modules/server/nginx/default.nix
diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix
index c3d30ae..30fe24e 100644
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -13,9 +13,8 @@ in {
 }];
 containers = {
-
 server = builder.mkContainer {
- subdomain = "sso";
+ subdomain = containerCfg.subdomain;
 image = "ghcr.io/goauthentik/server:latest";
 port = containerCfg.port;
 ip = containerCfg.ip;
@@ -33,7 +32,6 @@ in {
 "AUTHENTIK_EMAIL__TIMEOUT" = "10";
 "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
 };
-
 overrides = {
 cmd = [ "server" ];
 ports = [ "9999:${toString containerCfg.port}" ];
@@ -45,7 +43,6 @@ in {
 };
 worker = builder.mkContainer {
- subdomain = "sso";
 image = "ghcr.io/goauthentik/server:latest";
 secret = "authentik";
 extraEnv = {
diff --git a/modules/server/nginx/default.nix b/modules/server/nginx/default.nix
new file mode 100644
index 0000000..d4ff5e3
--- /dev/null
+++ b/modules/server/nginx/default.nix
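Review bot: `subdomain = containerCfg.subdomain;` in the first hunk reads an option that this commit only ever assigns a value to (`subdomain = "sso";` in systems/sandbox/cfg.nix); no option declaration for `subdomain` appears anywhere in the diff, so unless it already exists in the container option set the module fails with an undefined-attribute error, and if it exists without a default every other container definition that omits it fails the same way. The `server = builder.mkContainer { … }` argument set starts inside this hunk and closes outside it. The first and third hunks also drop the only `subdomain` the `worker` container had; if `builder.mkContainer` itself consumes `subdomain` (both containers passed one before), it now needs to tolerate its absence, which cannot be confirmed from the diff since the builder is not in it.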
@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+let
+ cfg = config.syscfg.server;
+ containers = cfg.containers;
+
+ # Function to convert your container config into an NGINX vhost
+ mkVhost = name: container: {
+ forceSSL = true;
+ useACMEHost = "${cfg.hostDomain}";
+ locations."/" = {
+ proxyPass = "http://${container.ip}:${toString container.port}";
+ proxyWebsockets = true; # Recommended for modern apps
+ };
+ };
+in {
+
+
+security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@domain.org";
+
+ certs."${cfg.hostDomain}" = {
+ domain = "*.${cfg.hostDomain}";
+ extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
+ dnsProvider = "cloudflare"; # Change to your provider
+ # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
+ credentialsFile = "/var/lib/secrets/acme-dns.env";
+ group = "nginx";
+ };
+};
+
+ services.nginx = {
+ enable = true;
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = lib.mapAttrs' (name: value:
+ lib.nameValuePair "${value.subdomain}.${cfg.hostDomain}" (mkVhost name value)
+ ) cfg;
+ };
+
+ # Open the firewall
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index ec1a3e2..ac76081 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -35,6 +35,7 @@ authentik = {
 enable = true;
 db = true;
+ subdomain = "sso";
 ip = "10.88.0.125";
 port = 9000 ;
 };
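Review bot: `virtualHosts` maps over `cfg` (the whole `syscfg.server` attrset) instead of the `containers` binding declared in the `let` and never used, so evaluation tries to read `.subdomain` off `hostDomain`, `containers` and every other server option and fails. It should map over `containers`, and because the `worker` container in this same commit no longer carries a subdomain, entries without one have to be dropped first, e.g. `) (lib.filterAttrs (_: c: (c.subdomain or null) != null) containers);` — whether a container with `enable = false` should also be skipped depends on the option definitions, which are not in the diff. `defaults.email = "admin@domain.org"` and the `# Change to your provider` comment read as template leftovers; the ACME account is registered under that address, so certificate expiry and revocation notices would go to a domain you do not control, and the email ought to come from configuration the same way `cfg.hostDomain` does. Smaller points: `mkVhost` takes a `name` argument it never uses, and `security.acme` sits at column 0 inside the `in {` block while its siblings are indented.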