secrets: rekey

services/nginx: open ports 80 and 443
hosts/sugarcane: fix secrets
2022-03-28 23:07:42 +07:00 · 2022-03-28 23:04:30 +07:00 · 2022-03-28 23:00:30 +07:00 · 2022-03-28 22:57:48 +07:00
11 changed files with 54 additions and 51 deletions
--- a/hosts/sugarcane/default.nix
+++ b/hosts/sugarcane/default.nix
@ -4,25 +4,30 @@
  time.timeZone = "Asia/Singapore";

  age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
    passwd.file = ../../secrets/passwd.age;
    wg_sugarcane.file = ../../secrets/wg_sugarcane.age;
  };
-  imports = with modules.system; [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    inputs.home-manager-porcupine.nixosModule
+  imports =
+    (with modules.system; [
+      (modulesPath + "/profiles/qemu-guest.nix")
+      inputs.home-manager-porcupine.nixosModule

-    base
-    home-manager
-    input
-    nix-porcupine
-    security
-    wireguard
+      base
+      home-manager
+      input
+      nix-porcupine
+      security
+      wireguard

-    ./filesystem.nix
-    ./kernel.nix
-    ./networking.nix
-    ./packages.nix
+      ./filesystem.nix
+      ./kernel.nix
+      ./networking.nix
+      ./packages.nix

-    ../../users/hana
-  ];
+      ../../users/hana
+    ]) ++
+    (with modules.services; [
+      nginx
+    ]);
 }
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -1,4 +1,5 @@
 { config, inputs, ... }: {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    email = "me@lava.moe";
@ -27,16 +28,16 @@
        forceSSL = true;
        root = inputs.website.outPath;
      };
-      "_" = {
-        default = true;
-        addSSL = true;
-        # TODO generate this somewhere
-        sslCertificate = "/persist/fakeCerts/fake.crt";
-        sslCertificateKey = "/persist/fakeCerts/fake.key";
-        extraConfig = ''
-          return 444;
-        '';
-      };
+      # "_" = {
+      #   default = true;
+      #   addSSL = true;
+      #   # TODO generate this somewhere
+      #   sslCertificate = "/persist/fakeCerts/fake.crt";
+      #   sslCertificateKey = "/persist/fakeCerts/fake.key";
+      #   extraConfig = ''
+      #     return 444;
+      #   '';
+      # };
    };
  };
 }
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@ -6,8 +6,8 @@ let
  serverIp = "51.79.240.130";

  forwarding = {
-    "80" = [ "10.100.0.2" "80" ];
-    "443" = [ "10.100.0.2" "443" ];
+#    "80" = [ "10.100.0.2" "80" ];
+#    "443" = [ "10.100.0.2" "443" ];
    "22727" = [ "10.100.0.3" "7777" ];
  };

--- a/secrets.nix
+++ b/secrets.nix
@ -8,7 +8,7 @@ in {
  "secrets/passwd.age".publicKeys = [ blossom caramel sugarcane rin ];
  "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];

-  "secrets/acme_dns.age".publicKeys = [ caramel rin ];
+  "secrets/acme_dns.age".publicKeys = [ caramel sugarcane rin ];
  "secrets/warden_admin.age".publicKeys = [ caramel rin ];
  "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
  "secrets/wg_caramel.age".publicKeys = [ caramel rin ];
--- a/secrets/acme_dns.age
+++ b/secrets/acme_dns.age
--- a/secrets/passwd.age
+++ b/secrets/passwd.age
@ -1,14 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 U9FXlg U5BvNdCURLw3Za/EFnyiwJWE+nR05pw6N/gyCCtejRg
-UwW0knEEwdbsNIDF8pCIbwwf4X5hahwZ0Cx8w2+b6i0
-> ssh-ed25519 Hx37cw vO0M5kzkG7BtuNpC5+xtM663HKqj80KQ0qWh+wkSPxM
-lbTCCCv+VNuGXPmpC7rzLeTlqZWqAXzc24eZ1gZShBI
-> ssh-ed25519 krYeuQ DCsEUqV49Wg4BdWydxKmVQnFZrwxpFd6ZhJ1w9RyC3w
-gio9eITeS3kjOW/jtm2ajmKqvBecj+rjlvAqLILuiW4
-> ssh-ed25519 CUCjXQ eGjsQfi+/Habc+KcQZRtVp2T+Vs/QK+VR6tmouxkzWw
-y1aAwk8qJ4m0xmIGsQbMnT01+zawmp0B34tUX+mPkSw
-> 4"nrU-grease hfIl x e)a
-xyMmSA
--- ISCslqpC6CkOA7RcpPOtAC8JA68s3AhMdYdeDlJOW6M
-›\o°$Ò;ò|„Àªà*ýå,<ÅöÕç
-úëyáCÆ Œ¦<C592>ŒYSAÇÚuÛˆËîû«ûà¿áUÂû2÷–Úøáî`DUÑwñ,±èf~Sà›â´|BØ´2÷é;˜Êc+Õ±aƒ)±‹…F$ï¶TÜ¸rÐ«vš^söA”tdÃ²ÏXP
+-> ssh-ed25519 CUCjXQ ZrbLZXETJagm+HHfxYT0a8pyUngDlw6YKNG3xK5W9zQ
+L8D/Hr/ir0BFnZrJKtCkfSQkX+/4OzHg0m26RzHCE9U
+-> ssh-ed25519 krYeuQ 10ymP+C5ZeRwrnxtErKA9VKHuVPy8+bNHJObzX0Jp0U
+OCquEuxRe3xt12IkmkP8RnY8pz9KcRKNVIQVWA52eIE
+-> ssh-ed25519 Hx37cw v1nwWHdbSLdk8Wk0RF0nKBGIiANyXBxOEyU8jESA7Wc
+an8NMIhDKgNhHBecOzEuXHKdcr3+aAQPXly88+791a0
+-> ssh-ed25519 U9FXlg L/9mBIcwWLDcEZWT32Oo0WzWeoRVoZN2Rah7oNt7Gio
+akZ3AdYuKAEfXiNKZk3XHm4IrwSCjCPKe9yk9mfYmVI
+-> +-grease Q{/
+e/clwQ33SN111HEvsNUxjXJl0NRROAK
+--- f0/c5YRQjnyZirMkYSA05W0meE1lOMXaDSh9xbwBiR4
+Í…Ð˜¸_NÁÌ@˜üÖrÄ‹±nv_y,å€¬]!nìáDxÒ¶ï‘×ýñ¯®´ËSX¨BÝÅÖønz~Ñü°b–“79bÈŒÀeîH«AÖ®Üd÷!ÎŒþûìãÚOs¤‡JZà…}å„ Á»P3W¤&öSß\´wî_g¶C¬´"®
--- a/secrets/warden_admin.age
+++ b/secrets/warden_admin.age
--- a/secrets/wg_blossom.age
+++ b/secrets/wg_blossom.age
@ -1,11 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 U9FXlg Y/Q29duiKdP+fV11ellTIMtHFyi9saczXfbcnq7iB0s
-D9P8MAHlFOLR7P8Ux90CjljnhExARGnuSuw24AXOr5c
-> ssh-ed25519 CUCjXQ eGpAJd5fydYBlC7o34CP7091jg4O4NsuLji1/rYtQVg
-9/rgYCpe9wcCrLM7fTYI92oa+3+SAEK6ZgJNmBeOtnM
-> A-grease xTj~+6%4 aF]RZn tj](JCp
-5iDN8bexrr7eNqyFwBNCUefrOqAIS10KppbrdDJH1+fD0TkUifEOjcM2uV/+3tH2
-dYX5eM94zkmwxw
--- QKnJmu6ICTTfadXCKLKii03FXVTBqAFvbAZVHGzGLzE
-äï<GÚÓ4q§<71>#gàâ
ªJ_<17>ÿ^o–ò4G•Vð£æþ5ä§
-ÑÈŠ$½<7F>wŸTú‹œ‹Íl¡•t—‹!…a†wÅ˜í<CB9C>[Å„›
+-> ssh-ed25519 CUCjXQ Fp3Mrgaw4yRKvdabJJ3dNcnKXJUqRuZP4QO8f3wN3SY
+IkH7jnotoXzo8HE42s2pT3MR4JckFbdBWajnsOBJZl8
+-> ssh-ed25519 U9FXlg 89PWDDxlJs2wAx0MpHQ4/nQOYBhDOW3IHbT8ZMNrW1U
+5SqO0LRGbnPSaT4Wyskn+TjLROkBlXZj4CZpUdprASw
+-> 7.-grease "7|kya
+h1PiRYdaZsbG0yfAlNY/jSFOwcKxWi5DhZqn20c8iQ
+--- Z76EcD46quTH32YiSgnqhHpDdRcZJu5Q/+jtOutFl6c
+xó•ÛCÓôª¯rÕw<EFBFBD>bk˜gcÄÞ¦ôqnòÕ¢Í²æß’ËÖœd'<27>t<EFBFBD>ç<EFBFBD>s¯ò¶Ö<>ä>µ\ðnÝŸÓTo¤Ð/„»~4|Ö–÷
--- a/secrets/wg_caramel.age
+++ b/secrets/wg_caramel.age
--- a/secrets/wg_sugarcane.age
+++ b/secrets/wg_sugarcane.age
--- a/secrets/wpa_conf.age
+++ b/secrets/wpa_conf.age
Author	SHA1	Message	Date
LavaDesu	3b5f8350e3	secrets: rekey	2022-03-28 23:07:42 +07:00
LavaDesu	328b028348	services/nginx: open ports 80 and 443	2022-03-28 23:04:30 +07:00
LavaDesu	c34578dd03	hosts/sugarcane: fix secrets	2022-03-28 23:00:30 +07:00
LavaDesu	613280b0e2	hosts: move nginx from caramel to sugarcane	2022-03-28 22:57:48 +07:00