From d4b9c485b66816f88b8ff1aa46f235ac1235999b Mon Sep 17 00:00:00 2001
From: LavaDesu <me@lava.moe>
Date: Wed, 24 Jul 2024 13:23:12 +1000
Subject: [PATCH] services/nginx: enable for dandelion

---
 hosts/dandelion/default.nix | 1 +
 modules/services/nginx.nix  | 6 ++++++
 secrets.nix                 | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 735cd03..01eb6ab 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -14,6 +14,7 @@
     security
     #wireguard
 
+    modules.services.nginx
     modules.services.postgres
 
     ./filesystem.nix
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index 4b01c80..c58f2ee 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -1,4 +1,5 @@
 { config, inputs, ... }: {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
   security.acme = {
     acceptTerms = true;
     email = "me@lava.moe";
@@ -27,6 +28,11 @@
         forceSSL = true;
         root = inputs.website.outPath;
       };
+      "cdn.lava.moe" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        root = "/persist/cdn";
+      };
       "_" = {
         default = true;
         addSSL = true;
diff --git a/secrets.nix b/secrets.nix
index f83332a..7a1ea24 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -3,13 +3,14 @@ let
   blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj";
   caramel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPFJT1XYyjDZFHYT/8RdxAReKkeU8QfpLrmMjEeW/80";
   sugarcane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImymDDLSOdLcsox8wxS9Z84fsbsz6Mi58OU0od2p/ZQ";
+  dandelion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUk99ku7+eiIO7Q9sIPlPx3GiUljLv7W404W/zwrtzI";
 
   rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
   "secrets/passwd.age".publicKeys = [ anemone blossom caramel sugarcane rin ];
   "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];
 
-  "secrets/acme_dns.age".publicKeys = [ caramel rin ];
+  "secrets/acme_dns.age".publicKeys = [ dandelion rin ];
   "secrets/warden_admin.age".publicKeys = [ caramel rin ];
   "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
   "secrets/wg_caramel.age".publicKeys = [ caramel rin ];