further refactor work

2026-02-09 20:39:18 -08:00 · 2023-11-19 11:00:57 -08:00 · 2023-11-19 11:00:57 -08:00 · befe6ea564
commit befe6ea564
parent eb4713ec37
32 changed files with 39 additions and 14 deletions
--- a/nixos/servers/web/acme.nix
+++ b/nixos/servers/web/acme.nix
@ -0,0 +1,14 @@
+_: {
+  environment.etc."ssl/credentials_template".text = ''
+    CF_API_EMAIL=!!CLOUDFLARE_EMAIL!!
+    CLOUDFLARE_API_KEY=!!CLOUDFLARE_API_KEY!!
+  '';
+
+  security.acme = {
+    defaults = {
+      dnsProvider = "cloudflare";
+      email = "acme@inskip.me";
+    };
+    acceptTerms = true;
+  };
+}
--- a/nixos/servers/web/firewall.nix
+++ b/nixos/servers/web/firewall.nix
@ -0,0 +1,6 @@
+_: {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/nixos/servers/web/nginx.nix
+++ b/nixos/servers/web/nginx.nix
@ -0,0 +1,10 @@
+_: {
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    statusPage = true;
+  };
+}
--- a/nixos/servers/web/scalpel.nix
+++ b/nixos/servers/web/scalpel.nix
@ -0,0 +1,12 @@
+{config, ...}: {
+  scalpel.trafos."credentials_file" = {
+    source = "/etc/ssl/credentials_template";
+    matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path;
+    matchers."CLOUDFLARE_API_KEY".secret = config.sops.secrets.cloudflare_api_key.path;
+    owner = "acme";
+    group = "acme";
+    mode = "0440";
+  };
+
+  security.acme.defaults.credentialsFile = config.scalpel.trafos."credentials_file".destination;
+}
--- a/nixos/servers/web/secrets.nix
+++ b/nixos/servers/web/secrets.nix
@ -0,0 +1,13 @@
+_: let
+  secretConfig = {
+    format = "yaml";
+    sopsFile = ./secrets.yaml;
+  };
+in {
+  sops.secrets.cloudflare_email = secretConfig;
+  sops.secrets.cloudflare_api_key = secretConfig;
+
+  scalpels = [
+    ./scalpel.nix
+  ];
+}
--- a/nixos/servers/web/secrets.yaml
+++ b/nixos/servers/web/secrets.yaml
@ -0,0 +1,43 @@
+cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str]
+cloudflare_api_key: ENC[AES256_GCM,data:kCDaXb1BPWoNVFVRjfOw4577BlIbMtsaouRT8dwNiL/JGNWH9w==,iv:rKSpeSfjIiQNFu58qjNnUtdBPIfXhIa6u7G7wqBohSg=,tag:7wnoB1MBj55okWzNISKftA==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVG5kTUFmcHdZNmtUZlFO
+            Mm9wWVV5NkdRb1hCZmNyZDU5Y3UxZ2NRSGxnCjl0QktuWHgzTk1lQW9hQUxzVzdU
+            QllDZXcvYVJVVnliQ3BCcFhIeWRGdjQKLS0tIFplZzdnMmx2RS9TbEZESHVnSHlP
+            VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB
+            o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-27T01:10:09Z"
+    mac: ENC[AES256_GCM,data:tsvbspqI3jrwWQ/728g+urvhbDTvYJ70rcW1F3w5hC0YR6n7M4oED+QXOoH437Q85A9168OvfNqoIIIq3zEq7OWhk1dtInW2EWh2j5nHz1aFkiYg7VonfktJN9ylyamuZVKkmarMc87thzZrU+Ntb2VOdYsYd0AdWtlfY1CT++4=,iv:TI7tUjAUNc6DxpPRrrEdrsWxiJP6F+BZLGaOzTyo+3I=,tag:2zbq3/rMWFNjkRoBnYgfEA==,type:str]
+    pgp:
+        - created_at: "2023-04-25T23:00:27Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UAQ//fd8bxMcv1cIrBPEc1w0LKWaQtpeRhHmVOaU+DdHvzo5L
+            ++aw+pe8Tz/+D5lfz67Aw0U3R4eBrBnjetZ5C+sjVHqrzaKEReddlk22dG0NF9JM
+            Ejepxo/G85PwWsC3cXgoBeJs2IqcWdAhtS6dH9GoiM4Wwhx0Am4JvLrvo9OJO7dR
+            ZpSGpBeC9OJGw+nkPLrwMK7dVtfx9JO5A1jdAvapGa+XwP8XxC31IhRHOH0hSwjQ
+            JQuQFOPz/MqjHb8eHuZa6GPUxjQTX5RN9RbvtRNI5h/fvQxNycQR4GETI/Y+P5Pb
+            r55+jgR8acJ8p/Z6R7uQLF5tbcHdtM2SY6ANDVgcoBoHe29hAXe6gpLzme54Wo3j
+            Cm/pt5+TS14uKGKiQjeHJ84EGUsOr+GL2Hpm1qu8VKSkznI19f3zyqcDNWQTYKJA
+            P5EGO4c4vMp2ihqnDqZC8FurKmzkFpFLgua+snNOd5rVy5kC8f8BA6lQyIdA5dOf
+            KHf1OjpfbwASr4RrHdNLKj8Z7bkJ+yQ7fmkP2z3uQjk7WveMVa+1r5GNaMk/wYUV
+            YUOl3TSZNuNaIOnqIqjTCYntbkuwliyenREB8GN1iZA8pCp/mEwa1zyvU6xP8x17
+            zPhwveevs96GgZBK4QMLJfYoUD5wCaMuXKIvUGHvM653+eL+Fk6Z1v3lo9+pPC3S
+            XAEQAzvt47ZhTvQVzWHEnBh9KlsxC6hS0vqbdIddSGXYZ7vsQMszG2r8CNGAGjJ2
+            OIq2LsKlrW1KVgrBCWrYnH6HxPi+t+TBVjgehAWZ6qiVoTkI09yNC9MarC64
+            =4AdG
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3