From e88982d7c7e8769573192adacd6174a0be575c33 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 27 Jul 2024 22:24:54 +0200 Subject: [PATCH] Give esphome a static v6 and get cert directly via chal. served over v6 Give the host a static v4 as well. Also let the nginx redirect from the hosts FQDN to the service domain. --- config/hosts/esphome/default.nix | 1 + config/hosts/esphome/networking.nix | 30 ++++++++++++++++ config/hosts/esphome/nginx.nix | 56 +++++++++++++++++++++-------- 3 files changed, 73 insertions(+), 14 deletions(-) create mode 100644 config/hosts/esphome/networking.nix diff --git a/config/hosts/esphome/default.nix b/config/hosts/esphome/default.nix index cfe47bc..8d5150d 100644 --- a/config/hosts/esphome/default.nix +++ b/config/hosts/esphome/default.nix @@ -3,6 +3,7 @@ imports = [ ./configuration.nix ./esphome.nix + ./networking.nix ./nginx.nix ]; } diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix new file mode 100644 index 0000000..6f65f93 --- /dev/null +++ b/config/hosts/esphome/networking.nix @@ -0,0 +1,30 @@ +{ ... }: + +{ + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "10.31.208.24"; + prefixLength = 23; + } + ]; + }; + networking.defaultGateway = "10.31.208.1"; + networking.nameservers = [ "10.31.208.1" ]; + networking.search = [ "z9.ccchh.net" ]; + + networking.interfaces.net0 = { + ipv6.addresses = [ + { + address = "2a07:c480:0:1d0::66"; + prefixLength = 64; + } + ]; + }; + networking.defaultGateway6 = "2a07:c480:0:1d0::1"; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "7E:3C:F0:77:8A:F4"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix index 3c5cfb9..2b154f0 100644 --- a/config/hosts/esphome/nginx.nix +++ b/config/hosts/esphome/nginx.nix 
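Review bot: `networking.interfaces.net0` is defined twice in networking.nix, once carrying `ipv4.addresses` and again carrying `ipv6.addresses`, which only works because Nix merges two literal attribute sets bound to the same path. That merge stops the moment either side is no longer a literal `{ ... }` (a `lib.mkIf`, a `let`-bound value, a function call) and turns into an "attribute already defined" error, and the split hides that a single interface now holds both the RFC 1918 v4 address and the global-scope v6 address `2a07:c480:0:1d0::66`. I would fold both address lists into one definition as below; the gateway, nameserver, search-domain and `systemd.network.links."10-net0"` settings can stay as they are.
```nix
networking.interfaces.net0 = {
  ipv4.addresses = [ { address = "10.31.208.24"; prefixLength = 23; } ];
  ipv6.addresses = [ { address = "2a07:c480:0:1d0::66"; prefixLength = 64; } ];
};
# … unchanged: defaultGateway, nameservers, search, defaultGateway6, systemd.network.links …
```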
@@ -1,35 +1,34 @@ { config, ... }: + { services.nginx = { enable = true; virtualHosts = { - "acme-esphome.ccchh.net" = { - enableACME = true; - serverName = "esphome.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - "esphome.ccchh.net" = { forceSSL = true; - useACMEHost = "esphome.ccchh.net"; + enableACME = true; + serverName = "esphome.ccchh.net"; listen = [ { addr = "0.0.0.0"; port = 80; } + { + addr = "[::]"; + port = 80; + } { addr = "0.0.0.0"; port = 443; ssl = true; } + { + addr = "[::]"; + port = 443; + ssl = true; + } ]; locations."/" = { @@ -37,9 +36,38 @@ proxyWebsockets = true; }; }; + "esphome.z9.ccchh.net" = { + forceSSL = true; + useACMEHost = "esphome.ccchh.net"; + serverName = "esphome.z9.ccchh.net"; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "[::]"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + globalRedirect = "esphome.ccchh.net"; + redirectCode = 307; + }; }; }; + security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ]; - networking.firewall.allowedTCPPorts = [ 80 443 31820 ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; }
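Review bot: Nothing in this hunk authenticates or restricts the `esphome.ccchh.net` proxy, yet its new `[::]` listeners on 80 and 443 make the whole vhost, including the `locations."/"` proxy whose body continues past the hunk, answer on the global IPv6 address networking.nix assigns in this same commit, where previously only the separate ACME vhost on 31820 needed outside reachability and the dashboard sat behind a 10.x address. esphome.nix is not part of the diff, so I can't tell whether ESPHome itself enforces a login; if it doesn't and the aim is only the HTTP-01 challenge over v6, keep the proxy local while the module's own `/.well-known/acme-challenge/` location stays open, e.g. `locations."/".extraConfig = "allow 10.31.208.0/23; allow 2a07:c480:0:1d0::/64; deny all;";`, or put a `basicAuthFile` on the vhost. Since no vhost is marked `default = true`, this server block is also the one nginx picks for requests to the bare address or an unknown Host header, so a catch-all such as `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` would keep those away from ESPHome as well.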
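Review bot: `security.acme.certs."esphome.ccchh.net".extraDomainNames` couples every issuance and renewal of the service certificate to a successful HTTP-01 challenge for `esphome.z9.ccchh.net` too; `z9.ccchh.net` is the search domain networking.nix sets for the host, and if that zone is not resolvable from the public Internet (not visible in the diff) the combined order fails and `esphome.ccchh.net` stops renewing along with it. If the FQDN exists only to bounce users to the service domain, giving the `esphome.z9.ccchh.net` vhost `enableACME = true;` instead of `useACMEHost` plus the `extraDomainNames` line isolates that failure to its own certificate; either way the name needs a public AAAA record for `2a07:c480:0:1d0::66` for the challenge to be served over v6 as the commit message intends. `redirectCode = 307;` also labels a presumably permanent FQDN-to-service redirect as temporary, which clients do not cache by default; `308` keeps the method-preserving semantics and lets them remember it. The firewall change matches the new listeners, and the trailing `}` closes the module, so nothing else in the file is affected.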