From 64a1924f4a58318207fc4ef684a974bbe68f842d Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 3 Jan 2021 16:03:42 +0100
Subject: [PATCH] Enable SSL for nginx port forward
---
 modules/nginx-port-forward/default.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/modules/nginx-port-forward/default.nix b/modules/nginx-port-forward/default.nix
index 00ffbec..b0d4817 100644
--- a/modules/nginx-port-forward/default.nix
+++ b/modules/nginx-port-forward/default.nix
@@ -4,11 +4,20 @@ with lib;
 let
 cfg = config.clerie.nginx-port-forward;
+ certs = config.security.acme.certs;
+ sslDhparam = config.services.nginx.sslDhparam;
 mkServerBlock = isUDP: port: forward: ''
 server {
- listen ${port}${optionalString isUDP " udp"};
- listen [::]:${port}${optionalString isUDP " udp"};
+ listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
+ listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
+
+ ${ optionalString (forward.certName != null) ''
+ ssl_certificate ${certs.${forward.certName}.directory}/fullchain.pem;
+ ssl_certificate_key ${certs.${forward.certName}.directory}/key.pem;
+ ${ optionalString (sslDhparam != null) "ssl_dhparam ${sslDhparam};" }
+ '' }
+
 proxy_pass ${forward.host}:${toString forward.port};
 }
 '';
@@ -28,6 +37,10 @@ let
 port = mkOption {
 type = types.int;
 };
+ certName = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ };
 };
 };
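Review bot: The ` ssl` suffix on both `listen` lines is appended whenever `forward.certName` is set, including when `isUDP` is true, and as far as I know nginx's stream module only terminates TLS on TCP listeners, so a UDP forward with a certificate is expected to yield a configuration nginx refuses to load. Silently dropping `ssl` for UDP would leave a forward the user believes is encrypted running in plaintext, so an evaluation-time assertion that UDP forwards keep `certName == null` is the safer guard. The new block also sets only the certificate, key and DH parameters, so protocol versions and ciphers presumably fall back to nginx's stream defaults; adding `ssl_protocols ${config.services.nginx.sslProtocols};` next to `ssl_dhparam` would keep this listener aligned with the rest of the nginx configuration. `certs.${forward.certName}` is dereferenced without checking that the name exists in `security.acme.certs`, which presumably surfaces as a bare missing-attribute error rather than a message naming the offending forward.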
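Review bot: `certName` is declared without a `description`, so nothing tells the user that the value must be a key of `security.acme.certs` or that setting it switches the listener to TLS. I would add `description = "Name of the security.acme.certs entry whose certificate is served on this port; null forwards without TLS.";`. The description is also the place to record that the nginx user presumably needs read access to `key.pem` in that certificate's directory, since nothing visible in this patch grants it. The enclosing submodule starts and ends outside the hunk, so its other options cannot be checked for the same gap beyond the visible `port`.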