diff --git a/lib/modules/headscale/default.nix b/lib/modules/headscale/default.nix
index 04f401b..7e74ba8 100644
--- a/lib/modules/headscale/default.nix
+++ b/lib/modules/headscale/default.nix
@@ -17,7 +17,7 @@ in {
 services.nginx.virtualHosts."${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "enclave.ctsk.dev";
 locations."/".proxyPass = "http://127.0.0.1:${toString port}";
 locations."/".proxyWebsockets = true;
 };
diff --git a/lib/systems/fugitive/default.nix b/lib/systems/fugitive/default.nix
index 0917e3d..7499051 100644
--- a/lib/systems/fugitive/default.nix
+++ b/lib/systems/fugitive/default.nix
@@ -1,4 +1,4 @@
-{ impermanence, pkgs, ... }:
+{ config, pkgs, agenix, ... }:
 let
@@ -67,6 +67,10 @@ in
 };
 };
+ age = {
+ secrets.namecheap.file = ../../../secrets/namecheap.age;
+ };
+
 security = {
 sudo = {
 wheelNeedsPassword = false;
@@ -76,7 +80,14 @@ in
 };
 acme = {
 acceptTerms = true;
- defaults.email = "cert@ctsk.xyz";
+ defaults.email = "monitor@ctsk.dev";
+
+ certs."enclave.ctsk.dev" = {
+ dnsProvider = "namecheap";
+ environmentFile = config.age.secrets.namecheap.path;
+ group = "nginx";
+ extraDomainNames = [ "*.enclave.ctsk.dev" ];
+ };
 };
 };
diff --git a/lib/systems/fugitive/hardware.nix b/lib/systems/fugitive/hardware.nix
index bd26160..47e58f2 100644
--- a/lib/systems/fugitive/hardware.nix
+++ b/lib/systems/fugitive/hardware.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, impermanence, ... }:
 {
 imports =
diff --git a/secrets/namecheap.age b/secrets/namecheap.age
new file mode 100644
index 0000000..1ec269a
--- /dev/null
+++ b/secrets/namecheap.age
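Review bot: The reusable headscale module now hard-codes the certificate name in `useACMEHost = "enclave.ctsk.dev";` while the vhost it serves is still parameterised by `domain`, so the module only works when `domain` is `enclave.ctsk.dev` or exactly one label beneath it (the `*.enclave.ctsk.dev` wildcard defined in the fugitive cert does not cover deeper names), and it silently depends on the host config defining that cert with a group nginx can read. Consider surfacing the cert name as a module option (a constructed name such as `acmeHost`, declared with `mkOption`) rather than a literal, so another host importing this module can point it at its own cert. At minimum a comment above the line, `# cert is issued by security.acme.certs."enclave.ctsk.dev" in the host config (DNS-01 wildcard); domain must be enclave.ctsk.dev or <label>.enclave.ctsk.dev`, records the coupling. The enclosing attribute set starts before the hunk.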
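Review bot: The new `secrets.namecheap.file = ../../../secrets/namecheap.age;` entry carries no documentation of what the encrypted file must contain or which service consumes it, which matters because it is a DNS-provider API credential and the only consumer is the acme cert defined further down in this file. A one-line comment above it, `# env file for lego's "namecheap" DNS-01 provider (NAMECHEAP_API_USER / NAMECHEAP_API_KEY); consumed by security.acme.certs."enclave.ctsk.dev".environmentFile`, lets a maintainer re-create it without tracing the reference. The agenix defaults (root-owned, mode 0400) look right here: the only visible consumer is the acme cert's `environmentFile`, which the NixOS acme module appears to hand to systemd rather than read as the `acme` user, so confirm that before considering any wider mode or owner.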
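Review bot: `group = "nginx";` together with `extraDomainNames = [ "*.enclave.ctsk.dev" ];` makes the private key of a wildcard certificate readable by every process in the nginx group, so the key's blast radius is now every current and future name under `enclave.ctsk.dev`, not just the headscale vhost. Any service later added to that group inherits the wildcard key; keep the group membership minimal, and consider per-name certs where the wildcard is not strictly needed. The block also does not record why DNS-01 with a wildcard replaced the previous HTTP-01 `enableACME`; if the reason is that hosts under this domain are not reachable on port 80, a comment such as `# DNS-01 wildcard: hosts under enclave.ctsk.dev are not publicly reachable for HTTP-01` would capture it. The `security` attribute set this hunk edits starts before the hunk.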
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 jfi4TQ Mr2LVSJ3Qs03ZQm6/QXpl0Cj5szDcS96FykXk5WLnw0 +hHTV/lno3zsmJbxQLvMxBO8CPXBUpFkDuS5595QHpsE +-> <{fBHP-grease FcCEA :6 SSUZ y,$Ho +JzJVrqUxVGP8TMZkNaj9Og3kvL3buI6b+DSfkDg/UBqVAign2dcvOh0njPFHDRDd +7jK+4c1x9e8fdas4Z+ceorzj4TYYTYLVakc68MV9FbJ9LOmn +--- L6xbkwzb4O64N0mM/L7I/+o/Z+MABEZhlzGoszoCapY +fx 6šŠýhôæ5~žíz š×Ùšàj2Hü«ô.¿¬&Ť8Ä ü¹»6ý2y1Úøîºóù$Ÿ3üqP€(ïäSæ¹E ST¦FÿR 5JŠêZ’O.5CF_¿õ]­ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..1dbb4fc --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,6 @@ +let + fugitive = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHVatfyuEoMyvQedoS/dvjPg9NZZYlmWgUnNOGvwVe6"; +in +{ + "namecheap.age".publicKeys = [ fugitive ]; +} \ No newline at end of file
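Review bot: `"namecheap.age".publicKeys = [ fugitive ];` lists only the host's own SSH key as recipient, so the ciphertext can be decrypted, and therefore re-edited or rekeyed, only on that machine; if the host key is rotated or the disk is lost, both the secret and the ability to update it are gone, and every edit requires a shell on the production host. The usual agenix layout adds at least one operator key next to the host key, e.g. `admin = "<operator ssh public key>";` in the `let` block and `"namecheap.age".publicKeys = [ fugitive admin ];`, so the file can be maintained off-host. The committed `fugitive` value is a public key and the `namecheap.age` blob in the same commit is the encrypted payload, so keeping both in the repository is consistent with the agenix model as long as the matching private keys stay off it.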