Attempt to set up acme + nginx

2024-01-31 20:26:11 +01:00 · 2024-01-31 20:26:11 +01:00 · ca4b5e3588
parent bd03871ece
commit ca4b5e3588
8 changed files with 68 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -11,6 +11,11 @@ creation_rules:
        - *prescientmoon
        - *tethys
        - *lapetus
+  - path_regex: hosts/nixos/common/optional/services/acme/secrets.yaml
+    key_groups:
+      - age: 
+        - *prescientmoon
+        - *lapetus
  - path_regex: home/features/desktop/wakatime/secrets.yaml
    key_groups:
      - age:
--- a/home/features/cli/ssh.nix
+++ b/home/features/cli/ssh.nix
@ -1,7 +1,6 @@
 {
  programs.ssh.enable = true;

-  # TODO: age persistence
  satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];

  # Makes it easy to copy ssh keys at install time without messing up permissions
--- a/home/features/persistence.nix
+++ b/home/features/persistence.nix
@ -144,4 +144,9 @@
  ];
  # }}}
  # }}}
+  # {{{ Cli
+  # {{{ Sops 
+  satellite.persistence.at.state.apps.sops.directories = [ "${config.xdg.configHome}/sops/age" ];
+  # }}}
+  # }}}
 }
--- a/hosts/nixos/common/optional/services/acme/default.nix
+++ b/hosts/nixos/common/optional/services/acme/default.nix
@ -0,0 +1,10 @@
+{ config, ... }: {
+  sops.secrets.porkbun_secrets.sopsFile = ./secrets.yaml;
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    # TODO: update this email
+    email = "rafaeladriel11@gmail.com";
+    dnsProvider = "porkbun";
+    environmentFile = config.sops.secrets.porkbun_secrets.path;
+  };
+}
--- a/hosts/nixos/common/optional/services/acme/secrets.yaml
+++ b/hosts/nixos/common/optional/services/acme/secrets.yaml
@ -0,0 +1,30 @@
+porkbun_secrets: ENC[AES256_GCM,data:aLJsbk/FQ5mPn6fYoWGlmT8nWfAZV4Z0EY0S5t6YXeKjSwieRzAWDoN7X/LQjZfSGzL4QDO8m1CFtfqQJsRXj4GBWe/njy/MuWp32XFMh5TLN/RHNoJ0++y6Jno+IDKQvTeOH0BVcZpe4quJB5aueIc5qSr8aoHIrYnO/zWlRSGDtu2ZSCye6atCdy09CFypwl+6tsvRh9DbU+FwRwT8Z2HaqbwWo5XGHemGWJQYnpSp,iv:RwY6l+GAAxBBN+nr0WoLoXXSkmpn8lP7g2Uoj1GJ8/M=,tag:8FaeUG4V1MTzQadxn/WmqA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReWRaSHZsdzZlWmg5N1d3
+            UXJmRVdxOHBxS3pqQXVPVGlzY2ZuYlovSUQ4Ckg4NjBpNEtLVkUzUWJzVlF4MkQ2
+            dkNRWHVLUHBnQmsxWmF3SllJdjI4U1kKLS0tIDhiak9pVGc1eS9Ca015WkxscWd5
+            Z20wWWxBTlBuNFRZdUM1QVVMUVFhQzgKi7NscHHhZDkSBgynppWW2vu6wIbGzv5M
+            HmyGhOmbWD1HDlCiu0yY8OFkhyG7pd4Ujw9omlPrwkUAs/wAc6u+5g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSjNVdjNaZVFHRkc4Q0xk
+            T2JDTzRvaDdWR1kxT2pQSTdSUWpCZmd0WHpvCmllRXBqenNidUhUV1RrV3JDeWJK
+            WkJwcjdpN1E3ZWdCZGxYQjBDcWRZWGcKLS0tICtlZ00xZENyMWFTeXdaWFRpcEF4
+            NXREQTQxR1pGakVlWEVYS2VCcVhSSzAKXSX8tIxS0mssx4GsAVotn6/pQ8fqPl5j
+            ruC7XQc7DuYUGub/czm5lLodzfjPtSYzWYPC1Xh/7mB14bop60UJYA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-31T19:12:27Z"
+    mac: ENC[AES256_GCM,data:8ezOQ9Fqpf8aXR7VPEqXdOqHVWoD3VVYXY2ISNdWs88LyTyaYfTDLdNf/zJeC4/03hGcNr6lEu6kAbOZI+JP98kqUYG2XFgwcAu+e/Gi/t/BCqmPFd8AdaaNJhtRZc6lvrvONUG809RZ2qwIOmYAfDf/NM9nhTKO5ZVY0Z1Wh3c=,iv:9OaX2OFxxh+uMcza0i5auC3wlzvyBQUZU5uzlcKXE0c=,tag:x0nK2xqpoFy910rDIJ9cBQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/hosts/nixos/lapetus/default.nix
+++ b/hosts/nixos/lapetus/default.nix
@ -3,6 +3,7 @@
    ../common/global
    ../common/users/adrielus.nix
    ../common/optional/services/slambda.nix
+    ../common/optional/services/acme

    ./services/syncthing.nix
    ./services/whoogle.nix
--- a/hosts/nixos/lapetus/services/nginx.nix
+++ b/hosts/nixos/lapetus/services/nginx.nix
@ -0,0 +1,9 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}
--- a/hosts/nixos/lapetus/services/whoogle.nix
+++ b/hosts/nixos/lapetus/services/whoogle.nix
@ -2,16 +2,15 @@
 let
  port = 8401;
  websiteBlocklist = [
-    "www.saashub.com/"
+    "www.saashub.com"
    "slant.co"
    "nix-united.com"
    "libhunt.com"
  ];
 in
 {
-  imports = [ ../../common/optional/podman.nix ];
+  imports = [ ../../common/optional/podman.nix ./nginx.nix ];

-  networking.firewall.allowedTCPPorts = [ port ];
  virtualisation.oci-containers.containers.whoogle-search = {
    image = "benbusby/whoogle-search";
    autoStart = true;
@ -23,4 +22,10 @@ in
      WHOOGLE_CONFIG_THEME = "system";
    };
  };
+
+  services.nginx.virtualHosts."search.moonythm.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+  };
 }