diff --git a/secrets/secrets-loptland.yaml b/secrets/secrets-loptland.yaml index fe53cdb..76030da 100644 --- a/secrets/secrets-loptland.yaml +++ b/secrets/secrets-loptland.yaml @@ -1,10 +1,13 @@ -domain: ENC[AES256_GCM,data:9NNsGWnIot9Y9pwLVD9AknFoffZdBD331QdSSlNf1ic=,iv:TbCXwbN9RL4cYY2Aa/Qefccdj+hN9DJhEcKlpkGhFdw=,tag:iNEZRZhrlUUHvOzWnEHcjw==,type:str] #ENC[AES256_GCM,data:Cgp+gOU81+rvdlY=,iv:8DxJxnCslDoEu0bxtlTjmNiAUCdiAV/8VYKTb4yqQ50=,tag:ZTkK7WCOBh1It6GuKPUXdg==,type:comment] factorio_username: ENC[AES256_GCM,data:egV5kXtAiw==,iv:Hay0PC2yol5FAJGcWxLkxzNdwpD1V4UfDDnkhsjvjVQ=,tag:QBDS6eAeOswQoHBoi4Gj6A==,type:str] factorio_token: ENC[AES256_GCM,data:whruEJQCNIqqfMA0A3yQdwwrzpIJBt815Lvex4Au,iv:hh3zZt+UxV9ltSHIAjpTRwtDvPgPU5APrB/1bXtKUkE=,tag:AgUmBYWp+Oyxm8O7yD8vlA==,type:str] factorio_game_password: ENC[AES256_GCM,data:Gu/p0+Sbd6Y=,iv:6AB1T3JdleiUnusU7hw/0wOFNSBsAsBgP2yD9FB7zXk=,tag:DMgD4csthynuBon+KNZtOw==,type:str] #ENC[AES256_GCM,data:15i2BBxM4iM=,iv:JV6Lsk8jUZl/eIJWkH/w5I2NraB9J9+0ggsENBGgbdI=,tag:HDwGheUv7dFIztQoJBjGmQ==,type:comment] forgejo_db_password: ENC[AES256_GCM,data:CFsvko1AXRymDBC6WiOBs98rvFM=,iv:Wemhu8URxA6HsWQyYcPSwJzuMP4myrDC3rU3GEDVt7c=,tag:6wcNlDFVdnjez8hzi4E2cw==,type:str] +#ENC[AES256_GCM,data:nQnLBl7v,iv:HORr/Uvw4eUXfW5uS6rWr+6FkFF9bTNpMYGaRpVITRY=,tag:/r4n/xpqp7EPecGxDj4N+w==,type:comment] +netcup_customer_number: ENC[AES256_GCM,data:pRooJa3O,iv:0U/ONcWa2eqcsT1UpgXmLpAvJndaU8zln2g1HMbBQYE=,tag:+pu8EBl/dnm6DoLAtrjZBQ==,type:str] +netcup_api_key: ENC[AES256_GCM,data:nlkDz1VV2NIXxv/tIROWDHN9DLI0lVq9n9l2FlDwt+3H4G4gg6yCeZjGtR+pTCNfwio=,iv:x8HLL10ww52UJDkz7Yi02KBg7jbuLFHAlG0iMYDd8hk=,tag:pcuka4/Hu/QFIwS0b8GlxQ==,type:str] +netcup_api_password: ENC[AES256_GCM,data:k2mdQp57x5ZTypRCHbVlq1fembJ0uj5D0rb72K5rac43p888y3TFyiYVuDTosxR66mo=,iv:0OhtKWD/LWeV5ZWN9fbPozebSxvaFRdSn1AkX97ffAM=,tag:uY6A4jBL/9mtGy7++Yvn0A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -20,8 +23,8 @@ sops: NmhrdXhpbVlmUFNsT1VaQjZyYkZkdzgKhL2BKXfPWNWUbFavpmtBQpnNEm/x0xH6 NsjiV05AcrqPmGjj2kjvTv4ULPSoHiHiC5McUMfFTYIrCJgNvUbmMg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-06T15:56:31Z" - mac: ENC[AES256_GCM,data:DPZelvgjo39BDVak1eqsZhc8BK+g5btBV/4GsbBvZsdGOfjTywjwKe2Bz6NZukorCIWzqC6JBED3yLUpYCi+noWJgzPrUQoWKu+qPF1lH4B7FJixJjfSC44ETR21AZtU65UTNEFl1X1pb/+HhD8aLtKy34Dfhw26/Yrh5ZAMex8=,iv:k/adT/ydTLW1TIT+BSanp2xe9S/i2HnTBe1Wpzr94aA=,tag:iEHBO8b2ZFZIfF+Eep00fQ==,type:str] + lastmodified: "2024-11-07T14:40:34Z" + mac: ENC[AES256_GCM,data:uk2AeOA9pnhekuofIjXavCGy9ZaO0ObprkvnGhJg5lPr/hyT9l7YcZtMQ7wckKDLS03I1hCAcNg0w/EmSUeU2+EHLb6Z1IUj3l0HBUPtPIJwJZifkrzp9iQwGwlK+i6nfREEgPGeuNMj/rnD67MECO4NRHTzGBzH7ZImoDpu0Us=,iv:ss8Q7i75UOQDMJfw4dQCT0qxPUGwfHizX0c/TUej+vc=,tag:iufeO6sfaToNcJg6E8tuxA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/systems/x86_64-linux/loptland/default.nix b/systems/x86_64-linux/loptland/default.nix index f68bc9a..8358a4d 100644 --- a/systems/x86_64-linux/loptland/default.nix +++ b/systems/x86_64-linux/loptland/default.nix 
@@ -6,19 +6,69 @@ ... }: let + inherit (lib) optional mkIf; inherit (lib.${namespace}) enabled; - domainName = "v2202411240203293899.ultrasrv.de"; + domainName = "christophhollizeck.dev"; forgejoPort = 3000; + staging = false; + + cfg.enableAcme = true; sopsFile = lib.snowfall.fs.get-file "secrets/secrets-loptland.yaml"; in { imports = [ ./hardware.nix ]; - sops.secrets = { - forgejo_db_password = { - inherit sopsFile; + environment.systemPackages = [ ]; + + sops = { + secrets = { + forgejo_db_password = { + inherit sopsFile; + }; + + netcup_customer_number = { + inherit sopsFile; + }; + + netcup_api_key = { + inherit sopsFile; + }; + + netcup_api_password = { + inherit sopsFile; + }; + + }; + + templates = { + "netcup.env" = { + content = '' + NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder.netcup_customer_number} + NETCUP_API_KEY=${config.sops.placeholder.netcup_api_key} + NETCUP_API_PASSWORD=${config.sops.placeholder.netcup_api_password} + NETCUP_PROPAGATION_TIMEOUT=1200 + ''; + }; + }; + }; + + security.acme = mkIf cfg.enableAcme { + acceptTerms = true; + defaults = { + email = "christoph.hollizeck@hey.com"; + group = mkIf config.services.nginx.enable "nginx"; + + reloadServices = optional config.services.nginx.enable "nginx.service"; + + dnsProvider = "netcup"; + environmentFile = config.sops.templates."netcup.env".path; + }; + certs."${domainName}" = { + server = mkIf staging "https://acme-staging-v02.api.letsencrypt.org/directory"; + dnsResolver = "1.1.1.1:53"; + extraDomainNames = [ "*.${domainName}" ]; }; }; 
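Review bot: The wildcard in `extraDomainNames = [ "*.${domainName}" ]` makes the single ACME key on this host valid for every subdomain, while only the apex and `git.${domainName}` appear to be served here; unless more subdomains are planned, `extraDomainNames = [ "git.${domainName}" ]` limits what a key compromise on this box can impersonate. The netcup credentials rendered into `netcup.env` look like account-level CCP API credentials (customer number + key + password), which can rewrite DNS for every zone in that account rather than just this domain, so the template deserves a note such as `# account-wide netcup API credentials: root on this host can edit all DNS zones; pair with a CAA record pinning issuance to Let's Encrypt`. Leaving `sops.templates."netcup.env"` at sops-nix's default root-owned 0400 mode should be correct, since systemd reads `environmentFile` (`EnvironmentFile=`) before dropping to the acme user — confirm rather than widening permissions if the acme unit fails. The `let` binding `cfg.enableAcme = true;` mimics a module option without being one and reuses the `cfg` name that normally means `config.services.<x>`; a plain `enableAcme = true;` (or a real option under `options.${namespace}`) would read more honestly.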
@@ -36,14 +86,24 @@ in virtualHosts = { "git.${domainName}" = { + forceSSL = cfg.enableAcme; + useACMEHost = mkIf cfg.enableAcme domainName; + locations."/" = { proxyPass = "http://localhost:${toString forgejoPort}/"; }; }; "${domainName}" = { + forceSSL = cfg.enableAcme; + useACMEHost = mkIf cfg.enableAcme domainName; + + # sslCertificate = "/var/lib/acme/christophhollizeck.dev/fullchain.pem"; + # sslCertificateKey = "/var/lib/acme/christophhollizeck.dev/key.pem"; + # sslTrustedCertificate = "/var/lib/acme/christophhollizeck.dev/chain.pem"; + locations."/" = { - return = "404 This Site does not exist yet"; + return = "404"; }; }; }; @@ -64,7 +124,7 @@ in HTTP_PORT = forgejoPort; }; - service.DISABLE_REGISTRATION = false; + service.DISABLE_REGISTRATION = true; }; };
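Review bot: The three commented-out `# sslCertificate…` lines in the `"${domainName}"` vhost hard-code `/var/lib/acme/christophhollizeck.dev/…` instead of `${domainName}` and duplicate what `useACMEHost` already wires up, so they are dead configuration that will drift; delete them rather than keep them as a fallback. Tying `forceSSL = cfg.enableAcme` to the same flag as `useACMEHost` means flipping `enableAcme` off silently serves Forgejo, including its login form, over plaintext HTTP; if the flag is only meant to toggle certificate provisioning, either keep `forceSSL = true;` and add an assertion that `cfg.enableAcme` is set when nginx is enabled, or at least document it with `# enableAcme = false => plain HTTP, Forgejo credentials travel in the clear`. The `virtualHosts` attrset is closed inside the hunk but the enclosing `services.nginx` block starts outside it.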
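Review bot: `service.DISABLE_REGISTRATION = true;` is the right setting for a personal instance, but it only closes sign-up; the `server` section in context shows `HTTP_PORT = forgejoPort;` with no visible `HTTP_ADDR`, and the NixOS Forgejo module binds `0.0.0.0` by default as far as I recall, so the TLS-terminating nginx proxy on `git.${domainName}` can be bypassed by connecting to port 3000 directly unless the firewall closes it. Add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT`, or confirm that `networking.firewall` leaves 3000 closed and note that in a comment. The `settings` block this hunk edits starts outside the hunk.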