Setup genebean.me

modules/hosts/common/secrets.yaml

@@ -1,5 +1,7 @@
 gandi_dns_pat: ENC[AES256_GCM,data:biWxwhrrE1ZOwViDtg0G0eIZz7+k804kBwN1icJWmh5TVi/Ylqbixw==,iv:pip7MXKdf5i0Ks7zdCs2O7UpxLq3HJY0KPNOwgta5+8=,tag:6X98FRXctX8cgBPY1pm+cw==,type:str]
 gandi_api: ENC[AES256_GCM,data:YsdDMk75miIKO4LkCZjfwJw6gxfrmsTL,iv:BOPRxB661sPJnUH1AUKEALIJfBeyAHZpkWJEDbY+7i8=,tag:TvtW7qhPbOqi9kKDcIe28w==,type:str]
+hetzner_api_token: ENC[AES256_GCM,data:8+bYBnI6vSQ7QIDFv0zplU2A2lW2c7JA9WArCGeAgjg=,iv:Y92uRgjKfuGDY4HMr+j6uDweMmMCx0FBydP3alGgb3M=,tag:cbmeVnP1XcqE+T0qpzJfbw==,type:str]
+hetzner_lego_env: ENC[AES256_GCM,data:xRADnkMC/mTq8/oRpZ+NYTStB9qX2N6V0GNIpGsXNedgO3bTvowgMukyDW4nX19V627ykk5vPC/HTRhZ8ia2KxRJfqa+9n5+Eg83iAFtrQGOe2rvEGEHDUoCTSb/G8YA8XzB3t69Xc+o8g59Grf4rXvNLEEwewn92BP7YWoxvpPaeT3yl/g7/0m4SDXKR/D3LtiN4nikiUFYT6nBG+WipMK3oEw=,iv:dL4hw4/v1FgJKwmCzIpMKvryrm+mMb7SoohPi78paPY=,tag:Lq3vBkyVbv7w5/RIHcsiUg==,type:str]
 restic_env: ENC[AES256_GCM,data:FCYR8tkClRwfcjUotcr28D6uRz7sNihn50nw38CaYnqOD/U9+5kU0iAPSvqAbeuw+xUoKKKAPAfMHI12dPTYt17Wz1N7i4a+MRkiIR9pjyv5KZTK59G+,iv:jStc8GMbZUQUgooZiRdImSZskdckYN1cRm2gsKbUyYY=,tag:HpQQIj1j7fjCmxkSeY/k4g==,type:str]
 restic_repo: ENC[AES256_GCM,data:kCoNYVKwB87W4h5doa3IXj4n,iv:jKEw/Hki/tp3RSTsRB4dlg593I5B4pCLBav84ADCh70=,tag:+GFF5vHOVw0r/G8BbhcCjw==,type:str]
 restic_password: ENC[AES256_GCM,data:PfQsxJul1Qpt3WQoUEI941l+yng3lVjhDd8=,iv:U5KjhcVqyksN2ay19RBjNhYIB31tUbfNRIqCEx/+Wbc=,tag:jsoU+B1mjAprPK+M5I0pAQ==,type:str]
@@ -106,7 +108,7 @@ sops:
             ODFjcWxtRjkweGJvdzdWSEphMHRCdm8Kx0amHgaZZR26c+VRVTyBEnm+w5c5nA7R
             txHj1U349LbfEsovTqZAL1o2WuX+gmXSj1aeXPKW+S0bIagC6dDacA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-10T00:59:54Z"
+    lastmodified: "2025-10-30T02:44:34Z"
-    mac: ENC[AES256_GCM,data:AKy/k2axRglNFCf8O1jENOcAAliIar9mWyTeLbDetFOaxAWFAFUEDXLMTDprTyiAgVO8M1nesg69ii6ZhFPSfOBfgKQDMJqJa0QPvVQ9piUd00ZAuq6Gf98SOTPVlHenzuemPsc87+niRFSQyLGRzMg25Kf0OcoRT3JUCinmbBs=,iv:Uryu/7kKrRbLkZWoqLjesR1Yk1/kD3tPfPSxrUkbOVA=,tag:Ai7Yh55TeJMjsv9UKaokZw==,type:str]
+    mac: ENC[AES256_GCM,data:CqqfSnNfUK8BI7n6/n7UbtANa0TmWkjmgb4aZwPzc1NPLXtH1xRMdysb8UtNFKwz5pDmGihT4VeVVu11vkOm6iPyS4no7FatkSA1zqGw97vo9kYKZETzKbw6a8nw1Lgbj6MRpxZQYidgir13AOiilzAEsEhzFddAOkNwr9K2NJ8=,iv:1Ns8+JKWeWdwCTIkQk1zTPDm8JtLtZ76gL5JU1A0100=,tag:j58QBexUW/SBZ5+kyoV0Zg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

modules/hosts/nixos/hetznix02/default.nix

@@ -28,6 +28,8 @@
     # Open ports in the firewall.
     firewall.allowedTCPPorts = [
       22   # ssh
+      80   # Nginx
+      443  # Nginx
     ];
     # firewall.allowedUDPPorts = [ ... ];
     # Or disable the firewall altogether.

modules/hosts/nixos/hetznix02/post-install/default.nix

@@ -1,4 +1,9 @@
 { config, username, ... }: {
+  imports = [
+    ../../../common/linux/lets-encrypt.nix
+    ./nginx.nix
+  ];
+
   sops = {
     age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
     defaultSopsFile = ../secrets.yaml;

modules/hosts/nixos/hetznix02/post-install/nginx.nix

@@ -0,0 +1,76 @@
+
+{ config, ... }: let
+  domain = "genebean.me";
+  http_port = 80;
+  https_port = 443;
+in {
+  security.acme.certs."${domain}" = {
+    email = "lets-encrypt@technicalissues.us";
+    inheritDefaults = false;
+    listenHTTP = ":80";
+    # uncomment below for testing
+    # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000;";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+    '';
+    virtualHosts = {
+      "${domain}" = {
+        serverAliases = [
+          "www.${domain}"
+        ];
+        default = true;
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations = {
+          "/" = {
+            return = "302 https://beanbag.technicalissues.us";
+          };
+          "/.well-known/lnurlp/genebean" = {
+            return = ''
+              200 '{"status":"OK","tag":"payRequest","commentAllowed":255,"callback":"https://getalby.com/lnurlp/genebean/callback","metadata":"[[\\"text/identifier\\",\\"genebean@getalby.com\\"],[\\"text/plain\\",\\"Sats for GeneBean\\"]]","minSendable":1000,"maxSendable":10000000000,"payerData":{"name":{"mandatory":false},"email":{"mandatory":false},"pubkey":{"mandatory":false}},"nostrPubkey":"79f00d3f5a19ec806189fcab03c1be4ff81d18ee4f653c88fac41fe03570f432","allowsNostr":true}'
+            '';
+            extraConfig = ''
+              default_type application/json;
+              source_charset utf-8;
+              charset utf-8;
+              add_header Access-Control-Allow-Origin *;
+            '';
+          };
+          "/.well-known/nostr.json" = {
+            return = ''
+              200 '{"names": {"genebean": "dba168fc95fdbd94b40096f4a6db1a296c0e85c4231bfc9226fca5b7fcc3e5ca"}}'
+            '';
+            extraConfig = ''
+              default_type application/json;
+              add_header Access-Control-Allow-Origin *;
+            '';
+          };
+          "/github" = {
+            return = "301 https://github.com/genebean";
+          };
+          "/mastodon" = {
+            return = "302 https://fosstodon.org/@genebean";
+          };
+          "/nostr" = {
+            return = "302 https://primal.net/p/npub1mwsk3ly4lk7efdqqjm62dkc699kqapwyyvdley3xljjm0lxruh9qzvu46p";
+          };
+        };
+      }; # end bare domain
+    }; # end virtualHosts
+  }; # end nginx
+}

modules/hosts/nixos/hetznix02/secrets.yaml

@@ -2,10 +2,6 @@ local_git_config: ENC[AES256_GCM,data:iA21ugn3r8VOyDS0T6/MiyDEP0j9wSWIE55AQ55neG
 local_private_env: ENC[AES256_GCM,data:Vfbw+jRsrqB1oJUtMwu6imzu6UTzQ1Yirb//o4mAuTJeAZ72qgxjXcqYCP82/7IP4hHnoQ1+YFPQxvekEQ==,iv:+7sxEbsz7tT/daAqR7xYPbBpamo9sLcGUGLiclKMV8A=,tag:ckxeQeeiHlxVOa9BfEEkaw==,type:str]
 tailscale_key: ENC[AES256_GCM,data:8/ZqHv/XqL9ACkw3HQfK6DCRs/w+2d4NJxEsP7/D8aZyuc99PL3MV6kDM4q1b792CthiioQrHnc=,iv:wfi1RS8PTwazMOUNc64Njoj7NylYUN0R/bx0Ggod+yc=,tag:Y359/pOlYTuykP0oOFUrfw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
           enc: |
@@ -16,8 +12,7 @@ sops:
             K3NIVTBXdlVjbGZoSTdwUHYvMzRCUWMKixJlZliRrsKOQVGYwwINSmHDZm7zsLRM
             k0aGV0MJUafukPMYRbT/2H7dh/yhZx/Tn0fVFHbSeLvpf9ig3x8jkQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-07T01:44:24Z"
+    lastmodified: "2025-10-30T02:21:28Z"
-    mac: ENC[AES256_GCM,data:xB0CvralCxv3oHUha4PEdmolKGMxJYaOsIomN3V0J64Wyq/UnCicFel/uraED/LKbMBprQRsXjkh3vB9ncINUI3vYr1Cm61XnL4WEfxaUYLso0Xn1gc8rJP6qXGDSShpCaZQj+oRi4tPzNXYc1v90IKZboukjBHWF0D4zEP1rWQ=,iv:1So597QQyyrVwXXkjXRe7hgyPgghdNgr/fpdaxYjUls=,tag:6X1Ds4mfy8LjHuJKIGKmMQ==,type:str]
+    mac: ENC[AES256_GCM,data:riwS1phH6Ttzdpf6r2LvYh2xrS8ggyl3kTTrwZjwrpvhqRcgIxd9Hy7/kbeTUQT4yeFxFfnKCbI/JxNPVf7O9HQ3DU/K45k/jZQGARcQF6SwA9e1TaEIXVP7VFsPmWT4M6FuyCgSZS5RpnqiGta6vPW0+bvusYPAcya2ydch2Wg=,iv:4LKIMvgHQOFh13MRL4Z0E25tuJPltLZvu/rXURjWJIs=,tag:VXQYw4Wy9lywQ4O2UUJAwA==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.11.0