services/nginx: enable for dandelion

2024-07-24 13:23:12 +10:00 · 2024-07-24 13:23:12 +10:00 · d4b9c485b6
commit d4b9c485b6
parent ef9c4f3a08
3 changed files with 9 additions and 1 deletions
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -14,6 +14,7 @@
    security
    #wireguard

+    modules.services.nginx
    modules.services.postgres

    ./filesystem.nix
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -1,4 +1,5 @@
 { config, inputs, ... }: {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    email = "me@lava.moe";
@ -27,6 +28,11 @@
        forceSSL = true;
        root = inputs.website.outPath;
      };
+      "cdn.lava.moe" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        root = "/persist/cdn";
+      };
      "_" = {
        default = true;
        addSSL = true;
--- a/secrets.nix
+++ b/secrets.nix
@ -3,13 +3,14 @@ let
  blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj";
  caramel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPFJT1XYyjDZFHYT/8RdxAReKkeU8QfpLrmMjEeW/80";
  sugarcane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImymDDLSOdLcsox8wxS9Z84fsbsz6Mi58OU0od2p/ZQ";
+  dandelion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUk99ku7+eiIO7Q9sIPlPx3GiUljLv7W404W/zwrtzI";

  rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
  "secrets/passwd.age".publicKeys = [ anemone blossom caramel sugarcane rin ];
  "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];

-  "secrets/acme_dns.age".publicKeys = [ caramel rin ];
+  "secrets/acme_dns.age".publicKeys = [ dandelion rin ];
  "secrets/warden_admin.age".publicKeys = [ caramel rin ];
  "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
  "secrets/wg_caramel.age".publicKeys = [ caramel rin ];