diff --git a/.sops.yaml b/.sops.yaml
index 14bdb13..37c6e83 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,11 @@ creation_rules:
 - *prescientmoon
 - *tethys
 - *lapetus
+ - path_regex: hosts/nixos/common/optional/services/acme/secrets.yaml
+ key_groups:
+ - age:
+ - *prescientmoon
+ - *lapetus
 - path_regex: home/features/desktop/wakatime/secrets.yaml
 key_groups:
 - age:
diff --git a/home/features/cli/ssh.nix b/home/features/cli/ssh.nix
index 2d240ff..f702010 100644
--- a/home/features/cli/ssh.nix
+++ b/home/features/cli/ssh.nix
@@ -1,7 +1,6 @@
 {
 programs.ssh.enable = true;
- # TODO: age persistence
 satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
 # Makes it easy to copy ssh keys at install time without messing up permissions
diff --git a/home/features/persistence.nix b/home/features/persistence.nix
index d895adc..bf14730 100644
--- a/home/features/persistence.nix
+++ b/home/features/persistence.nix
@@ -144,4 +144,9 @@
 ];
 # }}}
 # }}}
+ # {{{ Cli
+ # {{{ Sops
+ satellite.persistence.at.state.apps.sops.directories = [ "${config.xdg.configHome}/sops/age" ];
+ # }}}
+ # }}}
 }
diff --git a/hosts/nixos/common/optional/services/acme/default.nix b/hosts/nixos/common/optional/services/acme/default.nix
new file mode 100644
index 0000000..1a3aabe
--- /dev/null
+++ b/hosts/nixos/common/optional/services/acme/default.nix
@@ -0,0 +1,10 @@
+{ config, ... }: {
+ sops.secrets.porkbun_secrets.sopsFile = ./secrets.yaml;
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ # TODO: update this email
+ email = "rafaeladriel11@gmail.com";
+ dnsProvider = "porkbun";
+ environmentFile = config.sops.secrets.porkbun_secrets.path;
+ };
+}
diff --git a/hosts/nixos/common/optional/services/acme/secrets.yaml b/hosts/nixos/common/optional/services/acme/secrets.yaml
new file mode 100644
index 0000000..144d7e3
--- /dev/null
+++ b/hosts/nixos/common/optional/services/acme/secrets.yaml
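Review bot: The directory persisted on the added `satellite.persistence.at.state.apps.sops.directories` line is the default location sops looks for the age identity (`keys.txt`), and the hunk leaves it uncommented; add `# Holds the age identity sops decrypts secrets with, not just config; keep it out of less-protected snapshots/backups` above it so the next reader knows the line persists key material. The line also references `config.xdg.configHome`; if this module's argument set does not already bind `config`, the reference fails to evaluate — the module header is outside the hunk. The ssh entry in home/features/cli/ssh.nix carries a note about copying keys at install time without disturbing permissions; the same concern applies here, since the age key directory must stay owner-only after it is moved onto persistent storage.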
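Review bot: The new module never states what `porkbun_secrets` must contain, even though `environmentFile` hands the decrypted file to lego as the DNS-01 credential source; add `# Env file with the Porkbun API credentials lego expects (PORKBUN_API_KEY / PORKBUN_SECRET_API_KEY, if I read lego's porkbun provider docs right); decrypted by sops-nix from ./secrets.yaml` above the `sops.secrets.porkbun_secrets.sopsFile` line. The `# TODO: update this email` leaves a placeholder contact in `security.acme.defaults`, which every host importing this module registers with and where expiry notices are sent; it is worth resolving before more hosts import the module. Because these are `defaults`, a host that later needs HTTP-01 for some certificate would have to override `dnsProvider` per certificate, which is worth a one-line comment as well.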
@@ -0,0 +1,30 @@
+porkbun_secrets: ENC[AES256_GCM,data:aLJsbk/FQ5mPn6fYoWGlmT8nWfAZV4Z0EY0S5t6YXeKjSwieRzAWDoN7X/LQjZfSGzL4QDO8m1CFtfqQJsRXj4GBWe/njy/MuWp32XFMh5TLN/RHNoJ0++y6Jno+IDKQvTeOH0BVcZpe4quJB5aueIc5qSr8aoHIrYnO/zWlRSGDtu2ZSCye6atCdy09CFypwl+6tsvRh9DbU+FwRwT8Z2HaqbwWo5XGHemGWJQYnpSp,iv:RwY6l+GAAxBBN+nr0WoLoXXSkmpn8lP7g2Uoj1GJ8/M=,tag:8FaeUG4V1MTzQadxn/WmqA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReWRaSHZsdzZlWmg5N1d3
+ UXJmRVdxOHBxS3pqQXVPVGlzY2ZuYlovSUQ4Ckg4NjBpNEtLVkUzUWJzVlF4MkQ2
+ dkNRWHVLUHBnQmsxWmF3SllJdjI4U1kKLS0tIDhiak9pVGc1eS9Ca015WkxscWd5
+ Z20wWWxBTlBuNFRZdUM1QVVMUVFhQzgKi7NscHHhZDkSBgynppWW2vu6wIbGzv5M
+ HmyGhOmbWD1HDlCiu0yY8OFkhyG7pd4Ujw9omlPrwkUAs/wAc6u+5g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSjNVdjNaZVFHRkc4Q0xk
+ T2JDTzRvaDdWR1kxT2pQSTdSUWpCZmd0WHpvCmllRXBqenNidUhUV1RrV3JDeWJK
+ WkJwcjdpN1E3ZWdCZGxYQjBDcWRZWGcKLS0tICtlZ00xZENyMWFTeXdaWFRpcEF4
+ NXREQTQxR1pGakVlWEVYS2VCcVhSSzAKXSX8tIxS0mssx4GsAVotn6/pQ8fqPl5j
+ ruC7XQc7DuYUGub/czm5lLodzfjPtSYzWYPC1Xh/7mB14bop60UJYA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-31T19:12:27Z"
+ mac: ENC[AES256_GCM,data:8ezOQ9Fqpf8aXR7VPEqXdOqHVWoD3VVYXY2ISNdWs88LyTyaYfTDLdNf/zJeC4/03hGcNr6lEu6kAbOZI+JP98kqUYG2XFgwcAu+e/Gi/t/BCqmPFd8AdaaNJhtRZc6lvrvONUG809RZ2qwIOmYAfDf/NM9nhTKO5ZVY0Z1Wh3c=,iv:9OaX2OFxxh+uMcza0i5auC3wlzvyBQUZU5uzlcKXE0c=,tag:x0nK2xqpoFy910rDIJ9cBQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/hosts/nixos/lapetus/default.nix b/hosts/nixos/lapetus/default.nix
index 14e59b1..5ba8676 100644
--- a/hosts/nixos/lapetus/default.nix
+++ b/hosts/nixos/lapetus/default.nix
@@ -3,6 +3,7 @@
 ../common/global
 ../common/users/adrielus.nix
 ../common/optional/services/slambda.nix
+ ../common/optional/services/acme
 ./services/syncthing.nix
 ./services/whoogle.nix
diff --git a/hosts/nixos/lapetus/services/nginx.nix b/hosts/nixos/lapetus/services/nginx.nix
new file mode 100644
index 0000000..3b9e48c
--- /dev/null
+++ b/hosts/nixos/lapetus/services/nginx.nix
@@ -0,0 +1,9 @@
+{
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+}
diff --git a/hosts/nixos/lapetus/services/whoogle.nix b/hosts/nixos/lapetus/services/whoogle.nix
index 44b2f76..2a92789 100644
--- a/hosts/nixos/lapetus/services/whoogle.nix
+++ b/hosts/nixos/lapetus/services/whoogle.nix
@@ -2,16 +2,15 @@ let
 port = 8401;
 websiteBlocklist = [
- "www.saashub.com/"
+ "www.saashub.com"
 "slant.co"
 "nix-united.com"
 "libhunt.com"
 ];
 in {
- imports = [ ../../common/optional/podman.nix ];
+ imports = [ ../../common/optional/podman.nix ./nginx.nix ];
- networking.firewall.allowedTCPPorts = [ port ];
 virtualisation.oci-containers.containers.whoogle-search = {
 image = "benbusby/whoogle-search";
 autoStart = true;
@@ -23,4 +22,10 @@ in
 WHOOGLE_CONFIG_THEME = "system";
 };
 };
+
+ services.nginx.virtualHosts."search.moonythm.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+ };
 }
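Review bot: Nothing in this commit opens TCP 80/443 in the host firewall, while the whoogle.nix hunk removes the only `networking.firewall.allowedTCPPorts` entry this service had; `services.nginx` does not open ports on its own, so unless another module on lapetus already does, the new `search.moonythm.dev` vhost and its `forceSSL` redirect are unreachable from outside. Since this file is what turns nginx into the host's public entry point, add `networking.firewall.allowedTCPPorts = [ 80 443 ];` next to `services.nginx` here rather than per site. Issuance itself is unaffected, because acme/default.nix configures DNS-01 and does not need port 80.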
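Review bot: Dropping `networking.firewall.allowedTCPPorts = [ port ]` is the right direction now that nginx fronts the container, but the container's port mapping (outside this hunk) is what decides whether `port` is still bound on every interface; if it publishes `port` unqualified, consider the `"127.0.0.1:${toString port}:<container port>"` form so the proxy stays the only way in even if the firewall is later opened for something else. A comment on the changed `imports` line, `# reached only through nginx (./nginx.nix); no direct firewall rule on purpose`, would record that the removal is deliberate and not a regression. The enclosing `let … in` block starts before the hunk.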