private certificate fix

hosts/vps/toggles.nix

@@ -38,7 +38,7 @@ in
     "bazarr"
     "collabora"
     "gitea"
-    # "homepage"
+    "homepage"
     "isso"
     "jellyfin"
     "kavita"
@@ -53,7 +53,7 @@ in
     "oauth2-proxy"
     "plausible"
     "plex"
-    # "prowlarr"
+    "prowlarr"
     "radarr"
     "sonarr"
     "vaultwarden"

modules/servers/homepage.nix

@@ -9,16 +9,9 @@ let
 in
 {
   options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
-  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+  config = lib.mkMerge [
-    sops.secrets = {
+    (lib.mkIf (cfg.enable && config.my.secureHost) {
-      homepage.sopsFile = ../../secrets/homepage.yaml;
+      sops.secrets.homepage.sopsFile = ../../secrets/homepage.yaml;
-      "private-ca/pem" = {
-        sopsFile = ../../secrets/certs.yaml;
-        owner = "nginx";
-        group = "nginx";
-      };
-    };
-    my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
       services.homepage-dashboard = {
         inherit (cfg) enable;
         listenPort = cfg.port;
@@ -35,5 +28,14 @@ in
           |> builtins.filter (file: builtins.match ".*\\.nix" file != null)
           |> map (file: import ./homepage/bookmarks/${file});
       };
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+      sops.secrets."private-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
       };
+      my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
+    })
+  ];
 }

modules/servers/prowlarr.nix

@@ -9,15 +9,8 @@ let
 in
 {
   options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
-  config = lib.mkIf cfg.enable {
+  config = lib.mkMerge [
-    sops.secrets = lib.mkIf cfg.enable {
+    (lib.mkIf cfg.enable {
-      "private-ca/pem" = {
-        sopsFile = ../../secrets/certs.yaml;
-        owner = "nginx";
-        group = "nginx";
-      };
-    };
-    my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
       users.users.prowlarr = {
         uid = 987;
         group = "piracy";
@@ -31,5 +24,14 @@ in
           inherit (cfg) enable;
         };
       };
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+      sops.secrets."private-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
       };
+      my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
+    })
+  ];
 }

modules/servers/stash.nix

@@ -29,18 +29,13 @@ let
 in
 {
   options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
-  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.enable && config.my.secureHost) {
       sops.secrets = {
         "stash/password".sopsFile = ../../secrets/secrets.yaml;
         "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
         "stash/session".sopsFile = ../../secrets/secrets.yaml;
-      "private-ca/pem" = {
-        sopsFile = ../../secrets/certs.yaml;
-        owner = "nginx";
-        group = "nginx";
       };
-    };
-    my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
       services.stash = {
         inherit (cfg) enable;
         group = "glue";
@@ -76,5 +71,14 @@ in
         group = "glue";
         packages = [ stashPythonFHS ];
       };
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+      sops.secrets."private-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
       };
+      my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
+    })
+  ];
 }