diff --git a/modules/hosts/common/secrets.yaml b/modules/hosts/common/secrets.yaml
index 2230e29..6dfce05 100644
--- a/modules/hosts/common/secrets.yaml
+++ b/modules/hosts/common/secrets.yaml
@@ -1,5 +1,7 @@
 gandi_dns_pat: ENC[AES256_GCM,data:biWxwhrrE1ZOwViDtg0G0eIZz7+k804kBwN1icJWmh5TVi/Ylqbixw==,iv:pip7MXKdf5i0Ks7zdCs2O7UpxLq3HJY0KPNOwgta5+8=,tag:6X98FRXctX8cgBPY1pm+cw==,type:str]
 gandi_api: ENC[AES256_GCM,data:YsdDMk75miIKO4LkCZjfwJw6gxfrmsTL,iv:BOPRxB661sPJnUH1AUKEALIJfBeyAHZpkWJEDbY+7i8=,tag:TvtW7qhPbOqi9kKDcIe28w==,type:str]
+hetzner_api_token: ENC[AES256_GCM,data:8+bYBnI6vSQ7QIDFv0zplU2A2lW2c7JA9WArCGeAgjg=,iv:Y92uRgjKfuGDY4HMr+j6uDweMmMCx0FBydP3alGgb3M=,tag:cbmeVnP1XcqE+T0qpzJfbw==,type:str]
+hetzner_lego_env: ENC[AES256_GCM,data:xRADnkMC/mTq8/oRpZ+NYTStB9qX2N6V0GNIpGsXNedgO3bTvowgMukyDW4nX19V627ykk5vPC/HTRhZ8ia2KxRJfqa+9n5+Eg83iAFtrQGOe2rvEGEHDUoCTSb/G8YA8XzB3t69Xc+o8g59Grf4rXvNLEEwewn92BP7YWoxvpPaeT3yl/g7/0m4SDXKR/D3LtiN4nikiUFYT6nBG+WipMK3oEw=,iv:dL4hw4/v1FgJKwmCzIpMKvryrm+mMb7SoohPi78paPY=,tag:Lq3vBkyVbv7w5/RIHcsiUg==,type:str]
 restic_env: ENC[AES256_GCM,data:FCYR8tkClRwfcjUotcr28D6uRz7sNihn50nw38CaYnqOD/U9+5kU0iAPSvqAbeuw+xUoKKKAPAfMHI12dPTYt17Wz1N7i4a+MRkiIR9pjyv5KZTK59G+,iv:jStc8GMbZUQUgooZiRdImSZskdckYN1cRm2gsKbUyYY=,tag:HpQQIj1j7fjCmxkSeY/k4g==,type:str]
 restic_repo: ENC[AES256_GCM,data:kCoNYVKwB87W4h5doa3IXj4n,iv:jKEw/Hki/tp3RSTsRB4dlg593I5B4pCLBav84ADCh70=,tag:+GFF5vHOVw0r/G8BbhcCjw==,type:str]
 restic_password: ENC[AES256_GCM,data:PfQsxJul1Qpt3WQoUEI941l+yng3lVjhDd8=,iv:U5KjhcVqyksN2ay19RBjNhYIB31tUbfNRIqCEx/+Wbc=,tag:jsoU+B1mjAprPK+M5I0pAQ==,type:str]
@@ -106,7 +108,7 @@ sops:
 ODFjcWxtRjkweGJvdzdWSEphMHRCdm8Kx0amHgaZZR26c+VRVTyBEnm+w5c5nA7R
 txHj1U349LbfEsovTqZAL1o2WuX+gmXSj1aeXPKW+S0bIagC6dDacA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-10T00:59:54Z"
- mac: ENC[AES256_GCM,data:AKy/k2axRglNFCf8O1jENOcAAliIar9mWyTeLbDetFOaxAWFAFUEDXLMTDprTyiAgVO8M1nesg69ii6ZhFPSfOBfgKQDMJqJa0QPvVQ9piUd00ZAuq6Gf98SOTPVlHenzuemPsc87+niRFSQyLGRzMg25Kf0OcoRT3JUCinmbBs=,iv:Uryu/7kKrRbLkZWoqLjesR1Yk1/kD3tPfPSxrUkbOVA=,tag:Ai7Yh55TeJMjsv9UKaokZw==,type:str]
+ lastmodified: "2025-10-30T02:44:34Z"
+ mac: ENC[AES256_GCM,data:CqqfSnNfUK8BI7n6/n7UbtANa0TmWkjmgb4aZwPzc1NPLXtH1xRMdysb8UtNFKwz5pDmGihT4VeVVu11vkOm6iPyS4no7FatkSA1zqGw97vo9kYKZETzKbw6a8nw1Lgbj6MRpxZQYidgir13AOiilzAEsEhzFddAOkNwr9K2NJ8=,iv:1Ns8+JKWeWdwCTIkQk1zTPDm8JtLtZ76gL5JU1A0100=,tag:j58QBexUW/SBZ5+kyoV0Zg==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/modules/hosts/nixos/hetznix02/default.nix b/modules/hosts/nixos/hetznix02/default.nix
index 1fb9472..1915a93 100644
--- a/modules/hosts/nixos/hetznix02/default.nix
+++ b/modules/hosts/nixos/hetznix02/default.nix
@@ -28,6 +28,8 @@
 # Open ports in the firewall.
 firewall.allowedTCPPorts = [
 22 # ssh
+ 80 # Nginx
+ 443 # Nginx
 ];
 # firewall.allowedUDPPorts = [ ... ];
 # Or disable the firewall altogether.
diff --git a/modules/hosts/nixos/hetznix02/post-install/default.nix b/modules/hosts/nixos/hetznix02/post-install/default.nix
index abef4ef..4545616 100644
--- a/modules/hosts/nixos/hetznix02/post-install/default.nix
+++ b/modules/hosts/nixos/hetznix02/post-install/default.nix
@@ -1,4 +1,9 @@
 { config, username, ... }: {
+ imports = [
+ ../../../common/linux/lets-encrypt.nix
+ ./nginx.nix
+ ];
+
 sops = {
 age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
 defaultSopsFile = ../secrets.yaml;
diff --git a/modules/hosts/nixos/hetznix02/post-install/nginx.nix b/modules/hosts/nixos/hetznix02/post-install/nginx.nix
new file mode 100644
index 0000000..6c8a9f0
--- /dev/null
+++ b/modules/hosts/nixos/hetznix02/post-install/nginx.nix
@@ -0,0 +1,76 @@
+
+{ config, ... }: let
+ domain = "genebean.me";
+ http_port = 80;
+ https_port = 443;
+in {
+ security.acme.certs."${domain}" = {
+ email = "lets-encrypt@technicalissues.us";
+ inheritDefaults = false;
+ listenHTTP = ":80";
+ # uncomment below for testing
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000;";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ '';
+ virtualHosts = {
+ "${domain}" = {
+ serverAliases = [
+ "www.${domain}"
+ ];
+ default = true;
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations = {
+ "/" = {
+ return = "302 https://beanbag.technicalissues.us";
+ };
+ "/.well-known/lnurlp/genebean" = {
+ return = ''
+ 200 '{"status":"OK","tag":"payRequest","commentAllowed":255,"callback":"https://getalby.com/lnurlp/genebean/callback","metadata":"[[\\"text/identifier\\",\\"genebean@getalby.com\\"],[\\"text/plain\\",\\"Sats for GeneBean\\"]]","minSendable":1000,"maxSendable":10000000000,"payerData":{"name":{"mandatory":false},"email":{"mandatory":false},"pubkey":{"mandatory":false}},"nostrPubkey":"79f00d3f5a19ec806189fcab03c1be4ff81d18ee4f653c88fac41fe03570f432","allowsNostr":true}'
+ '';
+ extraConfig = ''
+ default_type application/json;
+ source_charset utf-8;
+ charset utf-8;
+ add_header Access-Control-Allow-Origin *;
+ '';
+ };
+ "/.well-known/nostr.json" = {
+ return = ''
+ 200 '{"names": {"genebean": "dba168fc95fdbd94b40096f4a6db1a296c0e85c4231bfc9226fca5b7fcc3e5ca"}}'
+ '';
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+ };
+ "/github" = {
+ return = "301 https://github.com/genebean";
+ };
+ "/mastodon" = {
+ return = "302 https://fosstodon.org/@genebean";
+ };
+ "/nostr" = {
+ return = "302 https://primal.net/p/npub1mwsk3ly4lk7efdqqjm62dkc699kqapwyyvdley3xljjm0lxruh9qzvu46p";
+ };
+ };
+ }; # end bare domain
+ }; # end virtualHosts
+ }; # end nginx
+}
diff --git a/modules/hosts/nixos/hetznix02/secrets.yaml b/modules/hosts/nixos/hetznix02/secrets.yaml
index e940ad4..7e53243 100644
--- a/modules/hosts/nixos/hetznix02/secrets.yaml
+++ b/modules/hosts/nixos/hetznix02/secrets.yaml
@@ -2,10 +2,6 @@ local_git_config: ENC[AES256_GCM,data:iA21ugn3r8VOyDS0T6/MiyDEP0j9wSWIE55AQ55neG
 local_private_env: ENC[AES256_GCM,data:Vfbw+jRsrqB1oJUtMwu6imzu6UTzQ1Yirb//o4mAuTJeAZ72qgxjXcqYCP82/7IP4hHnoQ1+YFPQxvekEQ==,iv:+7sxEbsz7tT/daAqR7xYPbBpamo9sLcGUGLiclKMV8A=,tag:ckxeQeeiHlxVOa9BfEEkaw==,type:str]
 tailscale_key: ENC[AES256_GCM,data:8/ZqHv/XqL9ACkw3HQfK6DCRs/w+2d4NJxEsP7/D8aZyuc99PL3MV6kDM4q1b792CthiioQrHnc=,iv:wfi1RS8PTwazMOUNc64Njoj7NylYUN0R/bx0Ggod+yc=,tag:Y359/pOlYTuykP0oOFUrfw==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
 enc: |
@@ -16,8 +12,7 @@ sops:
 K3NIVTBXdlVjbGZoSTdwUHYvMzRCUWMKixJlZliRrsKOQVGYwwINSmHDZm7zsLRM
 k0aGV0MJUafukPMYRbT/2H7dh/yhZx/Tn0fVFHbSeLvpf9ig3x8jkQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-07T01:44:24Z"
- mac: ENC[AES256_GCM,data:xB0CvralCxv3oHUha4PEdmolKGMxJYaOsIomN3V0J64Wyq/UnCicFel/uraED/LKbMBprQRsXjkh3vB9ncINUI3vYr1Cm61XnL4WEfxaUYLso0Xn1gc8rJP6qXGDSShpCaZQj+oRi4tPzNXYc1v90IKZboukjBHWF0D4zEP1rWQ=,iv:1So597QQyyrVwXXkjXRe7hgyPgghdNgr/fpdaxYjUls=,tag:6X1Ds4mfy8LjHuJKIGKmMQ==,type:str]
- pgp: []
+ lastmodified: "2025-10-30T02:21:28Z"
+ mac: ENC[AES256_GCM,data:riwS1phH6Ttzdpf6r2LvYh2xrS8ggyl3kTTrwZjwrpvhqRcgIxd9Hy7/kbeTUQT4yeFxFfnKCbI/JxNPVf7O9HQ3DU/K45k/jZQGARcQF6SwA9e1TaEIXVP7VFsPmWT4M6FuyCgSZS5RpnqiGta6vPW0+bvusYPAcya2ydch2Wg=,iv:4LKIMvgHQOFh13MRL4Z0E25tuJPltLZvu/rXURjWJIs=,tag:VXQYw4Wy9lywQ4O2UUJAwA==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0