From 5714efc6682fbd6c51c9809cb51a9c5f1c0febc9 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 22 Jan 2026 15:10:42 +0900
Subject: [PATCH] modules/grzegorz: override base certificate config
---
 base/services/nginx.nix | 8 ++++----
 modules/grzegorz.nix | 4 ++++
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/base/services/nginx.nix b/base/services/nginx.nix
index f97e3ff..9053c09 100644
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -67,10 +67,10 @@
 };
 ${config.networking.fqdn} = {
- sslCertificate = "/etc/certs/nginx.crt";
- sslCertificateKey = "/etc/certs/nginx.key";
- addSSL = true;
- extraConfig = "return 444;";
+ sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+ sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+ addSSL = lib.mkDefault true;
+ extraConfig = lib.mkDefault "return 444;";
 };
 };
 }
diff --git a/modules/grzegorz.nix b/modules/grzegorz.nix
index 9a4ddcc..fb0eee9 100644
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -37,9 +37,13 @@ in {
 services.nginx.enable = true;
 services.nginx.virtualHosts = {
 ${config.networking.fqdn} = {
+ # NOTE: this overrides the default config in base/services/nginx.nix
+ addSSL = false;
 forceSSL = true;
 enableACME = true;
+ kTLS = true;
+ serverAliases = [ "${machine}.pvv.org" ];
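Review bot: In base/services/nginx.nix, `extraConfig = lib.mkDefault "return 444;";` turns the catch-all drop for the bare FQDN vhost into a default that any normal-priority definition replaces rather than extends, and nothing in the file says the block is meant to be fail-closed. A host module that overrides only the TLS options keeps `return 444;`, while one that sets its own `extraConfig` silently loses it; the visible part of the modules/grzegorz.nix hunk sets `addSSL`, `forceSSL` and `enableACME` but no `extraConfig`, so whether that vhost still answers 444 depends on lines outside this view. I would add a comment above the block such as `# Fail-closed default for the bare FQDN vhost: overriding modules must set extraConfig and the certificate options together.` The enclosing `virtualHosts` attribute set starts above the hunk.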