Attempt to set up acme + nginx

.sops.yaml

@@ -11,6 +11,11 @@ creation_rules:
         - *prescientmoon
         - *tethys
         - *lapetus
+  - path_regex: hosts/nixos/common/optional/services/acme/secrets.yaml
+    key_groups:
+      - age: 
+        - *prescientmoon
+        - *lapetus
   - path_regex: home/features/desktop/wakatime/secrets.yaml
     key_groups:
       - age:

home/features/cli/ssh.nix

@@ -1,7 +1,6 @@
 {
   programs.ssh.enable = true;
 
-  # TODO: age persistence
   satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
 
   # Makes it easy to copy ssh keys at install time without messing up permissions

home/features/persistence.nix

@@ -144,4 +144,9 @@
   ];
   # }}}
   # }}}
+  # {{{ Cli
+  # {{{ Sops 
+  satellite.persistence.at.state.apps.sops.directories = [ "${config.xdg.configHome}/sops/age" ];
+  # }}}
+  # }}}
 }

hosts/nixos/common/optional/services/acme/default.nix

@@ -0,0 +1,10 @@
+{ config, ... }: {
+  sops.secrets.porkbun_secrets.sopsFile = ./secrets.yaml;
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    # TODO: update this email
+    email = "rafaeladriel11@gmail.com";
+    dnsProvider = "porkbun";
+    environmentFile = config.sops.secrets.porkbun_secrets.path;
+  };
+}

hosts/nixos/common/optional/services/acme/secrets.yaml

@@ -0,0 +1,30 @@
+porkbun_secrets: ENC[AES256_GCM,data:aLJsbk/FQ5mPn6fYoWGlmT8nWfAZV4Z0EY0S5t6YXeKjSwieRzAWDoN7X/LQjZfSGzL4QDO8m1CFtfqQJsRXj4GBWe/njy/MuWp32XFMh5TLN/RHNoJ0++y6Jno+IDKQvTeOH0BVcZpe4quJB5aueIc5qSr8aoHIrYnO/zWlRSGDtu2ZSCye6atCdy09CFypwl+6tsvRh9DbU+FwRwT8Z2HaqbwWo5XGHemGWJQYnpSp,iv:RwY6l+GAAxBBN+nr0WoLoXXSkmpn8lP7g2Uoj1GJ8/M=,tag:8FaeUG4V1MTzQadxn/WmqA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReWRaSHZsdzZlWmg5N1d3
+            UXJmRVdxOHBxS3pqQXVPVGlzY2ZuYlovSUQ4Ckg4NjBpNEtLVkUzUWJzVlF4MkQ2
+            dkNRWHVLUHBnQmsxWmF3SllJdjI4U1kKLS0tIDhiak9pVGc1eS9Ca015WkxscWd5
+            Z20wWWxBTlBuNFRZdUM1QVVMUVFhQzgKi7NscHHhZDkSBgynppWW2vu6wIbGzv5M
+            HmyGhOmbWD1HDlCiu0yY8OFkhyG7pd4Ujw9omlPrwkUAs/wAc6u+5g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSjNVdjNaZVFHRkc4Q0xk
+            T2JDTzRvaDdWR1kxT2pQSTdSUWpCZmd0WHpvCmllRXBqenNidUhUV1RrV3JDeWJK
+            WkJwcjdpN1E3ZWdCZGxYQjBDcWRZWGcKLS0tICtlZ00xZENyMWFTeXdaWFRpcEF4
+            NXREQTQxR1pGakVlWEVYS2VCcVhSSzAKXSX8tIxS0mssx4GsAVotn6/pQ8fqPl5j
+            ruC7XQc7DuYUGub/czm5lLodzfjPtSYzWYPC1Xh/7mB14bop60UJYA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-31T19:12:27Z"
+    mac: ENC[AES256_GCM,data:8ezOQ9Fqpf8aXR7VPEqXdOqHVWoD3VVYXY2ISNdWs88LyTyaYfTDLdNf/zJeC4/03hGcNr6lEu6kAbOZI+JP98kqUYG2XFgwcAu+e/Gi/t/BCqmPFd8AdaaNJhtRZc6lvrvONUG809RZ2qwIOmYAfDf/NM9nhTKO5ZVY0Z1Wh3c=,iv:9OaX2OFxxh+uMcza0i5auC3wlzvyBQUZU5uzlcKXE0c=,tag:x0nK2xqpoFy910rDIJ9cBQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

hosts/nixos/lapetus/default.nix

@@ -3,6 +3,7 @@
     ../common/global
     ../common/users/adrielus.nix
     ../common/optional/services/slambda.nix
+    ../common/optional/services/acme
 
     ./services/syncthing.nix
     ./services/whoogle.nix

hosts/nixos/lapetus/services/nginx.nix

@@ -0,0 +1,9 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}

hosts/nixos/lapetus/services/whoogle.nix

@@ -2,16 +2,15 @@
 let
   port = 8401;
   websiteBlocklist = [
-    "www.saashub.com/"
+    "www.saashub.com"
     "slant.co"
     "nix-united.com"
     "libhunt.com"
   ];
 in
 {
-  imports = [ ../../common/optional/podman.nix ];
+  imports = [ ../../common/optional/podman.nix ./nginx.nix ];
 
-  networking.firewall.allowedTCPPorts = [ port ];
   virtualisation.oci-containers.containers.whoogle-search = {
     image = "benbusby/whoogle-search";
     autoStart = true;
@@ -23,4 +22,10 @@ in
       WHOOGLE_CONFIG_THEME = "system";
     };
   };
+
+  services.nginx.virtualHosts."search.moonythm.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+  };
 }