Setup genebean.me

2026-03-27 01:17:42 -04:00 · 2025-10-29 23:11:27 -04:00 · 2025-10-29 23:11:27 -04:00 · 0f90477654
commit 0f90477654
parent 9f4704c9b9
5 changed files with 91 additions and 11 deletions
--- a/modules/hosts/nixos/hetznix02/default.nix
+++ b/modules/hosts/nixos/hetznix02/default.nix
@ -28,6 +28,8 @@
    # Open ports in the firewall.
    firewall.allowedTCPPorts = [
      22   # ssh
+      80   # Nginx
+      443  # Nginx
    ];
    # firewall.allowedUDPPorts = [ ... ];
    # Or disable the firewall altogether.
--- a/modules/hosts/nixos/hetznix02/post-install/default.nix
+++ b/modules/hosts/nixos/hetznix02/post-install/default.nix
@ -1,4 +1,9 @@
 { config, username, ... }: {
+  imports = [
+    ../../../common/linux/lets-encrypt.nix
+    ./nginx.nix
+  ];
+
  sops = {
    age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
    defaultSopsFile = ../secrets.yaml;
--- a/modules/hosts/nixos/hetznix02/post-install/nginx.nix
+++ b/modules/hosts/nixos/hetznix02/post-install/nginx.nix
@ -0,0 +1,76 @@
+
+{ config, ... }: let
+  domain = "genebean.me";
+  http_port = 80;
+  https_port = 443;
+in {
+  security.acme.certs."${domain}" = {
+    email = "lets-encrypt@technicalissues.us";
+    inheritDefaults = false;
+    listenHTTP = ":80";
+    # uncomment below for testing
+    # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000;";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+    '';
+    virtualHosts = {
+      "${domain}" = {
+        serverAliases = [
+          "www.${domain}"
+        ];
+        default = true;
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations = {
+          "/" = {
+            return = "302 https://beanbag.technicalissues.us";
+          };
+          "/.well-known/lnurlp/genebean" = {
+            return = ''
+              200 '{"status":"OK","tag":"payRequest","commentAllowed":255,"callback":"https://getalby.com/lnurlp/genebean/callback","metadata":"[[\\"text/identifier\\",\\"genebean@getalby.com\\"],[\\"text/plain\\",\\"Sats for GeneBean\\"]]","minSendable":1000,"maxSendable":10000000000,"payerData":{"name":{"mandatory":false},"email":{"mandatory":false},"pubkey":{"mandatory":false}},"nostrPubkey":"79f00d3f5a19ec806189fcab03c1be4ff81d18ee4f653c88fac41fe03570f432","allowsNostr":true}'
+            '';
+            extraConfig = ''
+              default_type application/json;
+              source_charset utf-8;
+              charset utf-8;
+              add_header Access-Control-Allow-Origin *;
+            '';
+          };
+          "/.well-known/nostr.json" = {
+            return = ''
+              200 '{"names": {"genebean": "dba168fc95fdbd94b40096f4a6db1a296c0e85c4231bfc9226fca5b7fcc3e5ca"}}'
+            '';
+            extraConfig = ''
+              default_type application/json;
+              add_header Access-Control-Allow-Origin *;
+            '';
+          };
+          "/github" = {
+            return = "301 https://github.com/genebean";
+          };
+          "/mastodon" = {
+            return = "302 https://fosstodon.org/@genebean";
+          };
+          "/nostr" = {
+            return = "302 https://primal.net/p/npub1mwsk3ly4lk7efdqqjm62dkc699kqapwyyvdley3xljjm0lxruh9qzvu46p";
+          };
+        };
+      }; # end bare domain
+    }; # end virtualHosts
+  }; # end nginx
+}
--- a/modules/hosts/nixos/hetznix02/secrets.yaml
+++ b/modules/hosts/nixos/hetznix02/secrets.yaml
@ -2,10 +2,6 @@ local_git_config: ENC[AES256_GCM,data:iA21ugn3r8VOyDS0T6/MiyDEP0j9wSWIE55AQ55neG
 local_private_env: ENC[AES256_GCM,data:Vfbw+jRsrqB1oJUtMwu6imzu6UTzQ1Yirb//o4mAuTJeAZ72qgxjXcqYCP82/7IP4hHnoQ1+YFPQxvekEQ==,iv:+7sxEbsz7tT/daAqR7xYPbBpamo9sLcGUGLiclKMV8A=,tag:ckxeQeeiHlxVOa9BfEEkaw==,type:str]
 tailscale_key: ENC[AES256_GCM,data:8/ZqHv/XqL9ACkw3HQfK6DCRs/w+2d4NJxEsP7/D8aZyuc99PL3MV6kDM4q1b792CthiioQrHnc=,iv:wfi1RS8PTwazMOUNc64Njoj7NylYUN0R/bx0Ggod+yc=,tag:Y359/pOlYTuykP0oOFUrfw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
          enc: |
@ -16,8 +12,7 @@ sops:
            K3NIVTBXdlVjbGZoSTdwUHYvMzRCUWMKixJlZliRrsKOQVGYwwINSmHDZm7zsLRM
            k0aGV0MJUafukPMYRbT/2H7dh/yhZx/Tn0fVFHbSeLvpf9ig3x8jkQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-07T01:44:24Z"
-    mac: ENC[AES256_GCM,data:xB0CvralCxv3oHUha4PEdmolKGMxJYaOsIomN3V0J64Wyq/UnCicFel/uraED/LKbMBprQRsXjkh3vB9ncINUI3vYr1Cm61XnL4WEfxaUYLso0Xn1gc8rJP6qXGDSShpCaZQj+oRi4tPzNXYc1v90IKZboukjBHWF0D4zEP1rWQ=,iv:1So597QQyyrVwXXkjXRe7hgyPgghdNgr/fpdaxYjUls=,tag:6X1Ds4mfy8LjHuJKIGKmMQ==,type:str]
-    pgp: []
+    lastmodified: "2025-10-30T02:21:28Z"
+    mac: ENC[AES256_GCM,data:riwS1phH6Ttzdpf6r2LvYh2xrS8ggyl3kTTrwZjwrpvhqRcgIxd9Hy7/kbeTUQT4yeFxFfnKCbI/JxNPVf7O9HQ3DU/K45k/jZQGARcQF6SwA9e1TaEIXVP7VFsPmWT4M6FuyCgSZS5RpnqiGta6vPW0+bvusYPAcya2ydch2Wg=,iv:4LKIMvgHQOFh13MRL4Z0E25tuJPltLZvu/rXURjWJIs=,tag:VXQYw4Wy9lywQ4O2UUJAwA==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.11.0