From d5ee1fecce8fb33a6187ea085aed45d118e7ba60 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Thu, 7 Nov 2024 21:36:01 +0100 Subject: [PATCH] loptland: move acme to its own file --- modules/nixos/security/acme/default.nix | 75 +++++++++++++++++++++++ secrets/secrets-loptland.yaml | 9 ++- systems/x86_64-linux/loptland/default.nix | 34 +++++++--- 3 files changed, 108 insertions(+), 10 deletions(-) create mode 100644 modules/nixos/security/acme/default.nix diff --git a/modules/nixos/security/acme/default.nix b/modules/nixos/security/acme/default.nix new file mode 100644 index 0000000..e8cd265 --- /dev/null +++ b/modules/nixos/security/acme/default.nix 
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ namespace,
+ pkgs,
+ ...
+}:
+with lib;
+with lib.${namespace};
+let
+ cfg = config.${namespace}.security.acme;
+in
+{
+ options.${namespace}.security.acme = with lib.types; {
+ enable = mkEnableOption "Enable sops (Default true)";
+ email = mkOpt str config.${namespace}.user.email "The email to use.";
+ sopsFile = mkOption {
+ type = lib.types.path;
+ default = lib.snowfall.fs.get-file "secrets/secrets.yaml";
+ description = "SecretFile";
+ };
+ domainname = mkOpt str "christophhollizeck.dev";
+ staging = mkOpt bool virtual "Use staging server for testing or not";
+ };
+
+ config = mkIf cfg.enable {
+ sops = {
+ secrets = {
+ netcup_customer_number = {
+ inherit sopsFile;
+ };
+
+ netcup_api_key = {
+ inherit sopsFile;
+ };
+
+ netcup_api_password = {
+ inherit sopsFile;
+ };
+ };
+
+ templates = {
+ "netcup.env" = {
+ content = ''
+ NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder.netcup_customer_number}
+ NETCUP_API_KEY=${config.sops.placeholder.netcup_api_key}
+ NETCUP_API_PASSWORD=${config.sops.placeholder.netcup_api_password}
+ NETCUP_PROPAGATION_TIMEOUT=1200
+ '';
+ };
+ };
+
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ inherit (cfg) email;
+
+ group = mkIf config.services.nginx.enable "nginx";
+ reloadServices = optional config.services.nginx.enable "nginx.service";
+
+ dnsProvider = "netcup";
+ environmentFile = config.sops.templates."netcup.env".path;
+ };
+
+ certs."${cfg.domainName}" = {
+ server = mkIf cfg.staging "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsResolver = "1.1.1.1:53";
+ extraDomainNames = [ "*.${cfg.domainName}" ];
+ };
+ };
+
+ };
+}
diff --git a/secrets/secrets-loptland.yaml b/secrets/secrets-loptland.yaml
index fe53cdb..76030da 100644
--- a/secrets/secrets-loptland.yaml
+++ b/secrets/secrets-loptland.yaml
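Review bot: `certs."${cfg.domainName}"` and `extraDomainNames = [ "*.${cfg.domainName}" ]` read `cfg.domainName`, but the option is declared as `domainname` (lower-case n) a few lines above, so evaluating the module with `enable = true` should fail on a missing attribute; declaring it as `domainName = mkOpt str "christophhollizeck.dev" "Base domain to request the wildcard certificate for.";` fixes the name and also supplies the description argument that every other `mkOpt` call in this hunk passes. Likewise the three `inherit sopsFile;` entries under `sops.secrets` refer to a bare `sopsFile` that nothing in the module binds — the value lives in the option, so each should read `inherit (cfg) sopsFile;`. The `staging` default references `virtual`, which is not among the module's declared arguments; if it is meant to arrive through `...`, a short comment saying where it is supplied would help. Finally the enable option's description, `"Enable sops (Default true)"`, names a different module and a default that `mkEnableOption` does not have; `"Whether to obtain Let's Encrypt certificates via DNS-01 (netcup)."` describes what the module actually configures.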
@@ -1,10 +1,13 @@ -domain: ENC[AES256_GCM,data:9NNsGWnIot9Y9pwLVD9AknFoffZdBD331QdSSlNf1ic=,iv:TbCXwbN9RL4cYY2Aa/Qefccdj+hN9DJhEcKlpkGhFdw=,tag:iNEZRZhrlUUHvOzWnEHcjw==,type:str] #ENC[AES256_GCM,data:Cgp+gOU81+rvdlY=,iv:8DxJxnCslDoEu0bxtlTjmNiAUCdiAV/8VYKTb4yqQ50=,tag:ZTkK7WCOBh1It6GuKPUXdg==,type:comment] factorio_username: ENC[AES256_GCM,data:egV5kXtAiw==,iv:Hay0PC2yol5FAJGcWxLkxzNdwpD1V4UfDDnkhsjvjVQ=,tag:QBDS6eAeOswQoHBoi4Gj6A==,type:str] factorio_token: ENC[AES256_GCM,data:whruEJQCNIqqfMA0A3yQdwwrzpIJBt815Lvex4Au,iv:hh3zZt+UxV9ltSHIAjpTRwtDvPgPU5APrB/1bXtKUkE=,tag:AgUmBYWp+Oyxm8O7yD8vlA==,type:str] factorio_game_password: ENC[AES256_GCM,data:Gu/p0+Sbd6Y=,iv:6AB1T3JdleiUnusU7hw/0wOFNSBsAsBgP2yD9FB7zXk=,tag:DMgD4csthynuBon+KNZtOw==,type:str] #ENC[AES256_GCM,data:15i2BBxM4iM=,iv:JV6Lsk8jUZl/eIJWkH/w5I2NraB9J9+0ggsENBGgbdI=,tag:HDwGheUv7dFIztQoJBjGmQ==,type:comment] forgejo_db_password: ENC[AES256_GCM,data:CFsvko1AXRymDBC6WiOBs98rvFM=,iv:Wemhu8URxA6HsWQyYcPSwJzuMP4myrDC3rU3GEDVt7c=,tag:6wcNlDFVdnjez8hzi4E2cw==,type:str] +#ENC[AES256_GCM,data:nQnLBl7v,iv:HORr/Uvw4eUXfW5uS6rWr+6FkFF9bTNpMYGaRpVITRY=,tag:/r4n/xpqp7EPecGxDj4N+w==,type:comment] +netcup_customer_number: ENC[AES256_GCM,data:pRooJa3O,iv:0U/ONcWa2eqcsT1UpgXmLpAvJndaU8zln2g1HMbBQYE=,tag:+pu8EBl/dnm6DoLAtrjZBQ==,type:str] +netcup_api_key: ENC[AES256_GCM,data:nlkDz1VV2NIXxv/tIROWDHN9DLI0lVq9n9l2FlDwt+3H4G4gg6yCeZjGtR+pTCNfwio=,iv:x8HLL10ww52UJDkz7Yi02KBg7jbuLFHAlG0iMYDd8hk=,tag:pcuka4/Hu/QFIwS0b8GlxQ==,type:str] +netcup_api_password: ENC[AES256_GCM,data:k2mdQp57x5ZTypRCHbVlq1fembJ0uj5D0rb72K5rac43p888y3TFyiYVuDTosxR66mo=,iv:0OhtKWD/LWeV5ZWN9fbPozebSxvaFRdSn1AkX97ffAM=,tag:uY6A4jBL/9mtGy7++Yvn0A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -20,8 +23,8 @@ sops: NmhrdXhpbVlmUFNsT1VaQjZyYkZkdzgKhL2BKXfPWNWUbFavpmtBQpnNEm/x0xH6 NsjiV05AcrqPmGjj2kjvTv4ULPSoHiHiC5McUMfFTYIrCJgNvUbmMg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-06T15:56:31Z" - mac: ENC[AES256_GCM,data:DPZelvgjo39BDVak1eqsZhc8BK+g5btBV/4GsbBvZsdGOfjTywjwKe2Bz6NZukorCIWzqC6JBED3yLUpYCi+noWJgzPrUQoWKu+qPF1lH4B7FJixJjfSC44ETR21AZtU65UTNEFl1X1pb/+HhD8aLtKy34Dfhw26/Yrh5ZAMex8=,iv:k/adT/ydTLW1TIT+BSanp2xe9S/i2HnTBe1Wpzr94aA=,tag:iEHBO8b2ZFZIfF+Eep00fQ==,type:str] + lastmodified: "2024-11-07T14:40:34Z" + mac: ENC[AES256_GCM,data:uk2AeOA9pnhekuofIjXavCGy9ZaO0ObprkvnGhJg5lPr/hyT9l7YcZtMQ7wckKDLS03I1hCAcNg0w/EmSUeU2+EHLb6Z1IUj3l0HBUPtPIJwJZifkrzp9iQwGwlK+i6nfREEgPGeuNMj/rnD67MECO4NRHTzGBzH7ZImoDpu0Us=,iv:ss8Q7i75UOQDMJfw4dQCT0qxPUGwfHizX0c/TUej+vc=,tag:iufeO6sfaToNcJg6E8tuxA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/systems/x86_64-linux/loptland/default.nix b/systems/x86_64-linux/loptland/default.nix index f68bc9a..9dc9e73 100644 --- a/systems/x86_64-linux/loptland/default.nix +++ b/systems/x86_64-linux/loptland/default.nix @@ -6,19 +6,26 @@ ... }: let + inherit (lib) mkIf; inherit (lib.${namespace}) enabled; - domainName = "v2202411240203293899.ultrasrv.de"; + domainName = "christophhollizeck.dev"; forgejoPort = 3000; + cfg.enableAcme = true; + sopsFile = lib.snowfall.fs.get-file "secrets/secrets-loptland.yaml"; in { imports = [ ./hardware.nix ]; - sops.secrets = { - forgejo_db_password = { - inherit sopsFile; + environment.systemPackages = [ ]; + + sops = { + secrets = { + forgejo_db_password = { + inherit sopsFile; + }; }; }; 
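Review bot: `cfg.enableAcme = true;` in the `let` builds a one-attribute set whose name suggests a module's `config` value, while it is only a host-local switch; a plain `enableAcme = true;` (with `enableAcme` at the use sites) reads more honestly. The added `environment.systemPackages = [ ];` is a no-op and can go. `domainName` here and the acme module's own default spell out the same literal; a comment such as `# must match the certificate name the acme module requests` marks that coupling until the value is passed through explicitly.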
@@ -36,18 +43,23 @@ in virtualHosts = { "git.${domainName}" = { + forceSSL = cfg.enableAcme; + useACMEHost = mkIf cfg.enableAcme domainName; + locations."/" = { proxyPass = "http://localhost:${toString forgejoPort}/"; }; }; "${domainName}" = { + forceSSL = cfg.enableAcme; + useACMEHost = mkIf cfg.enableAcme domainName; + locations."/" = { - return = "404 This Site does not exist yet"; + return = "404"; }; }; }; - }; services.forgejo = { @@ -57,6 +69,7 @@ in database = { passwordFile = config.sops.secrets.forgejo_db_password.path; }; + settings = { server = { DOMAIN = "git.${domainName}"; @@ -64,7 +77,7 @@ in HTTP_PORT = forgejoPort; }; - service.DISABLE_REGISTRATION = false; + service.DISABLE_REGISTRATION = true; }; }; @@ -86,6 +99,13 @@ in }; }; + security = { + acme = { + enable = cfg.enableAcme; + inherit sopsFile; + }; + }; + user.trustedPublicKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFrDiO5+vMfD5MimkzN32iw3MnSMLZ0mHvOrHVVmLD0" ];
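Review bot: The `forceSSL`/`useACMEHost` pair is duplicated verbatim on both virtual hosts; a shared binding such as `tls = { forceSSL = cfg.enableAcme; useACMEHost = mkIf cfg.enableAcme domainName; };` in the `let` and `"git.${domainName}" = tls // { … }` keeps the two hosts in step (the enclosing `services.nginx` set starts outside this hunk). Because the redirect is tied to the same flag, `enableAcme = false` leaves both hosts — including the Forgejo proxy on `git.${domainName}` — reachable over plain HTTP, which deserves a comment at the flag, e.g. `# enableAcme = false also disables the HTTPS redirect; bootstrap only`.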
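Review bot: The new `security.acme` block passes only `enable` and `sopsFile`, so the certificate name is left to the acme module's built-in default, and the nginx hosts' `useACMEHost = domainName` matches it only because both files currently spell the same literal. Passing the host's value, `inherit sopsFile domainName;`, once the module declares the option under that name, removes the hidden coupling. The enclosing attribute set starts outside this hunk; if it is the `${namespace}` set, a one-line comment such as `# in-repo acme module (modules/nixos/security/acme): DNS-01 via netcup` would tell a reader this is not NixOS's own `security.acme`.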