diff --git a/.sops.yaml b/.sops.yaml
index 14bdb13..37c6e83 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,11 @@ creation_rules:
- *prescientmoon
- *tethys
- *lapetus
+ - path_regex: hosts/nixos/common/optional/services/acme/secrets.yaml
+ key_groups:
+ - age:
+ - *prescientmoon
+ - *lapetus
- path_regex: home/features/desktop/wakatime/secrets.yaml
key_groups:
- age:
diff --git a/home/features/cli/ssh.nix b/home/features/cli/ssh.nix
index 2d240ff..f702010 100644
--- a/home/features/cli/ssh.nix
+++ b/home/features/cli/ssh.nix
@@ -1,7 +1,6 @@
{
programs.ssh.enable = true;
- # TODO: age persistence
satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
# Makes it easy to copy ssh keys at install time without messing up permissions
diff --git a/home/features/persistence.nix b/home/features/persistence.nix
index d895adc..bf14730 100644
--- a/home/features/persistence.nix
+++ b/home/features/persistence.nix
@@ -144,4 +144,9 @@
];
# }}}
# }}}
+ # {{{ Cli
+ # {{{ Sops
+ satellite.persistence.at.state.apps.sops.directories = [ "${config.xdg.configHome}/sops/age" ];
+ # }}}
+ # }}}
}
diff --git a/hosts/nixos/common/optional/services/acme/default.nix b/hosts/nixos/common/optional/services/acme/default.nix
new file mode 100644
index 0000000..1a3aabe
--- /dev/null
+++ b/hosts/nixos/common/optional/services/acme/default.nix
@@ -0,0 +1,10 @@
+{ config, ... }: {
+ sops.secrets.porkbun_secrets.sopsFile = ./secrets.yaml;
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ # TODO: update this email
+ email = "rafaeladriel11@gmail.com";
+ dnsProvider = "porkbun";
+ environmentFile = config.sops.secrets.porkbun_secrets.path;
+ };
+}
diff --git a/hosts/nixos/common/optional/services/acme/secrets.yaml b/hosts/nixos/common/optional/services/acme/secrets.yaml
new file mode 100644
index 0000000..144d7e3
--- /dev/null
+++ b/hosts/nixos/common/optional/services/acme/secrets.yaml
@@ -0,0 +1,30 @@
+porkbun_secrets: ENC[AES256_GCM,data:aLJsbk/FQ5mPn6fYoWGlmT8nWfAZV4Z0EY0S5t6YXeKjSwieRzAWDoN7X/LQjZfSGzL4QDO8m1CFtfqQJsRXj4GBWe/njy/MuWp32XFMh5TLN/RHNoJ0++y6Jno+IDKQvTeOH0BVcZpe4quJB5aueIc5qSr8aoHIrYnO/zWlRSGDtu2ZSCye6atCdy09CFypwl+6tsvRh9DbU+FwRwT8Z2HaqbwWo5XGHemGWJQYnpSp,iv:RwY6l+GAAxBBN+nr0WoLoXXSkmpn8lP7g2Uoj1GJ8/M=,tag:8FaeUG4V1MTzQadxn/WmqA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReWRaSHZsdzZlWmg5N1d3
+ UXJmRVdxOHBxS3pqQXVPVGlzY2ZuYlovSUQ4Ckg4NjBpNEtLVkUzUWJzVlF4MkQ2
+ dkNRWHVLUHBnQmsxWmF3SllJdjI4U1kKLS0tIDhiak9pVGc1eS9Ca015WkxscWd5
+ Z20wWWxBTlBuNFRZdUM1QVVMUVFhQzgKi7NscHHhZDkSBgynppWW2vu6wIbGzv5M
+ HmyGhOmbWD1HDlCiu0yY8OFkhyG7pd4Ujw9omlPrwkUAs/wAc6u+5g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSjNVdjNaZVFHRkc4Q0xk
+ T2JDTzRvaDdWR1kxT2pQSTdSUWpCZmd0WHpvCmllRXBqenNidUhUV1RrV3JDeWJK
+ WkJwcjdpN1E3ZWdCZGxYQjBDcWRZWGcKLS0tICtlZ00xZENyMWFTeXdaWFRpcEF4
+ NXREQTQxR1pGakVlWEVYS2VCcVhSSzAKXSX8tIxS0mssx4GsAVotn6/pQ8fqPl5j
+ ruC7XQc7DuYUGub/czm5lLodzfjPtSYzWYPC1Xh/7mB14bop60UJYA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-31T19:12:27Z"
+ mac: ENC[AES256_GCM,data:8ezOQ9Fqpf8aXR7VPEqXdOqHVWoD3VVYXY2ISNdWs88LyTyaYfTDLdNf/zJeC4/03hGcNr6lEu6kAbOZI+JP98kqUYG2XFgwcAu+e/Gi/t/BCqmPFd8AdaaNJhtRZc6lvrvONUG809RZ2qwIOmYAfDf/NM9nhTKO5ZVY0Z1Wh3c=,iv:9OaX2OFxxh+uMcza0i5auC3wlzvyBQUZU5uzlcKXE0c=,tag:x0nK2xqpoFy910rDIJ9cBQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/hosts/nixos/lapetus/default.nix b/hosts/nixos/lapetus/default.nix
index 14e59b1..5ba8676 100644
--- a/hosts/nixos/lapetus/default.nix
+++ b/hosts/nixos/lapetus/default.nix
@@ -3,6 +3,7 @@
../common/global
../common/users/adrielus.nix
../common/optional/services/slambda.nix
+ ../common/optional/services/acme
./services/syncthing.nix
./services/whoogle.nix
diff --git a/hosts/nixos/lapetus/services/nginx.nix b/hosts/nixos/lapetus/services/nginx.nix
new file mode 100644
index 0000000..3b9e48c
--- /dev/null
+++ b/hosts/nixos/lapetus/services/nginx.nix
@@ -0,0 +1,9 @@
+{
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+}
diff --git a/hosts/nixos/lapetus/services/whoogle.nix b/hosts/nixos/lapetus/services/whoogle.nix
index 44b2f76..2a92789 100644
--- a/hosts/nixos/lapetus/services/whoogle.nix
+++ b/hosts/nixos/lapetus/services/whoogle.nix
@@ -2,16 +2,15 @@
let
port = 8401;
websiteBlocklist = [
- "www.saashub.com/"
+ "www.saashub.com"
"slant.co"
"nix-united.com"
"libhunt.com"
];
in
{
- imports = [ ../../common/optional/podman.nix ];
+ imports = [ ../../common/optional/podman.nix ./nginx.nix ];
- networking.firewall.allowedTCPPorts = [ port ];
virtualisation.oci-containers.containers.whoogle-search = {
image = "benbusby/whoogle-search";
autoStart = true;
@@ -23,4 +22,10 @@ in
WHOOGLE_CONFIG_THEME = "system";
};
};
+
+ services.nginx.virtualHosts."search.moonythm.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+ };
}