Merge pull request #1371 from flyingcircusio/PL-131278-nginx-fix-sensu-servername

platform-pr-manager[bot] · web-flow · commit 057f7c45bbd0 · 2025-03-27T13:33:59.000Z
nginx: make HTTPS sensu check work for vhost name != serverName
diff --git a/nixos/services/nginx/default.nix b/nixos/services/nginx/default.nix
@@ -83,7 +83,16 @@ let
     lib.filterAttrs (_: val: val ? emailACME && val.emailACME != null) cfg.virtualHosts
   );
 
-  acmeVhosts = (lib.filterAttrs (_: vhost: vhost.enableACME) nginxCfg.virtualHosts);
+  acmeVhostsWithTLS = (
+    lib.filterAttrs (
+      _: vhost:
+      let
+        onlySSL = vhost.onlySSL || vhost.enableSSL;
+        hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;
+      in
+      vhost.enableACME && hasSSL
+    ) nginxCfg.virtualHosts
+  );
 
   mainConfig = ''
     worker_processes ${toString cfg.workerProcesses};
@@ -478,22 +487,23 @@ in
           };
 
         }
-        // (lib.listToAttrs (
-          map (
-            n:
-            lib.nameValuePair "nginx_https_${n}" {
-              notification = "HTTPS certificate check failed for vhost ${n}";
-              # We're using a timeout of 15 seconds because 10 seconds is the timeout
-              # that will trigger if DNS issues occur and giving the check a higher
-              # timeout allows us to see those. Otherwise they get hidden behind
-              # a generic timeout message.
-              # Note that we assume that the certificate is reachable via port 443.
-              # Other configurations might need overrides for the sensu check command.
-              command = "check_http -p 443 -S --sni -C 25,14 -H ${n} -t 15";
-              interval = 600;
-            }
-          ) (lib.attrNames acmeVhosts)
-        ));
+        // (lib.mapAttrs' (
+          n: vhost:
+          let
+            host = if vhost.serverName != null then vhost.serverName else n;
+          in
+          lib.nameValuePair "nginx_https_${n}" {
+            notification = "HTTPS certificate check failed for vhost ${n}";
+            # We're using a timeout of 15 seconds because 10 seconds is the timeout
+            # that will trigger if DNS issues occur and giving the check a higher
+            # timeout allows us to see those. Otherwise they get hidden behind
+            # a generic timeout message.
+            # Note that we assume that the certificate is reachable via port 443.
+            # Other configurations might need overrides for the sensu check command.
+            command = "check_http -p 443 -S --sni -C 25,14 -H ${host} -t 15";
+            interval = 600;
+          }
+        ) acmeVhostsWithTLS);
 
       networking.firewall.allowedTCPPorts = [
         80
