From e3ebc04dc23864c6490de8ee57b950f52700f0dc Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 15 May 2026 13:53:28 +0200
Subject: ...
---
 hosts/surtr/http/default.nix | 1 +
 hosts/surtr/http/online.nix | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 hosts/surtr/http/online.nix
(limited to 'hosts/surtr/http')
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index b643ded6..0e13acf7 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./webdav
+ ./online.nix
 ];

 config = {
diff --git a/hosts/surtr/http/online.nix b/hosts/surtr/http/online.nix
new file mode 100644
index 00000000..daad65d9
--- /dev/null
+++ b/hosts/surtr/http/online.nix
@@ -0,0 +1,29 @@
+{ config, ... }:
+{
+ config = {
+ services.nginx.virtualHosts."online.yggdrasil.li" = {
+ forceSSL = true;
+ kTLS = true;
+ http3 = true;
+ sslCertificate = "/run/credentials/nginx.service/online.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/online.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/online.yggdrasil.li.chain.pem";
+
+ locations."/".extraConfig = ''
+ add_header X-NetworkManager-Status online;
+ add_header Cache-Control "max-age=0, must-revalidate";
+ return 204;
+ '';
+ };
+ security.acme.rfc2136Domains."online.yggdrasil.li" = {
+ restartUnits = ["nginx.service"];
+ };
+ systemd.services.nginx.serviceConfig = {
+ LoadCredential = [
+ "online.yggdrasil.li.key.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/key.pem"
+ "online.yggdrasil.li.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/fullchain.pem"
+ "online.yggdrasil.li.chain.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/chain.pem"
+ ];
+ };
+ };
+}
--
cgit v1.2.3
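Review bot: The two `add_header` lines in `locations."/".extraConfig` of `online.nix` replace, rather than extend, any `add_header` directives inherited from the server or http level, so if this host sets response headers such as HSTS globally (not visible in this patch) they will be absent from the 204 response and would have to be repeated in this location. Also worth confirming is that `forceSSL = true` is intended here: plain-HTTP requests get a redirect instead of the 204 with `X-NetworkManager-Status`, so the endpoint only answers clients whose connectivity-check URI is `https://`. The file has no comments; I would add `# NetworkManager connectivity-check endpoint` above the vhost and `# restart, not reload: LoadCredential is only read when the unit starts` above `restartUnits`, since that is the reason a renewed certificate needs a full nginx restart.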