services: hydra: create acme and reverse proxy

2024-05-31 18:07:39 +02:00 · 2024-05-31 18:07:39 +02:00 · 01091ff377
commit 01091ff377
parent b20dc93d47
3 changed files with 64 additions and 11 deletions
--- a/modules/services/dmz/hydra.nix
+++ b/modules/services/dmz/hydra.nix
@ -1,19 +1,44 @@
 { lib, config, pkgs, ... }:

 {
-    services.hydra = {
-      enable = true;
-      hydraURL = "http://localhost:3000";
-      notificationSender = "hydra@localhost";
-      useSubstitutes = true;
-    };
-    
-    networking.firewall = {
-      enable = true;
-      #allowedUDPPorts = [  ];
-      allowedTCPPorts = [ 3000 ];
+    services = {
+      hydra = {
+        enable = true;
+        hydraURL = "hydra.home.opel-online.de";
+        listenHost = "localhost";
+        notificationSender = "hydra@localhost";
+        useSubstitutes = true;
+      };
+      nix-serve = {
+          enable = true;
+          port = 5001;
+          secretKeyFile = config.age.secrets."keys/nixsign".path;
+      };
+      nginx = {
+        enable = true;
+        virtualHosts = {
+          "${config.services.hydra.hydraURL}" = {
+            enableACME = true;
+            forceSSL = true;
+            listen = [ {
+                addr = "127.0.0.1"; port = 3000;
+            } ];
+          };
+        };
+      };
    };

+    security.acme = {
+      defaults.email = "webmaster@kabtop.de";
+      defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      acceptTerms = true;
+      certs.${config.services.hydra.hydraURL} = {
+        dnsProvider = "netcup";
+        environmentFile = config.age.secrets."services/acme/opel-online".path;
+        webroot = null;
+      };
+    };
+    
    nix = {
      settings.trusted-users = [
        "hydra"
@ -28,6 +53,10 @@
      file = ../../../secrets/keys/nixservepriv.age;
      owner = "hydra";
    };
+    age.secrets."services/acme/opel-online" = {
+      file = ../../../services/acme/opel-online.age;
+      owner = "acme";
+    };


 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -79,6 +79,7 @@ in
        "services/gitea/mailerPassword.age".publicKeys = servers ++ users;
        "services/gitea/homerunner-token.age".publicKeys = homerunners ++ users;
        "services/gitea/serverrunner-token.age".publicKeys = serverrunners ++ users;
+        "services/acme/opel-online.age".publicKeys = buildServer ++ users;
        "keys/nixremote.age".publicKeys = buildClients ++ users;
        "keys/nixservepriv.age".publicKeys = buildServer ++ users;
    }
--- a/secrets/services/acme/opel-online.age
+++ b/secrets/services/acme/opel-online.age
@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 Xp6AuQ ibCYDe34xExOAbsmEKgGoHwAOg/y64Cil1r/DWXTbCI
+7W3BlmZLuPc6m8xEb2cu4KeJURQa9H+9kEsok6yezMQ
+-> ssh-ed25519 NNXygQ blG1V4YV0fi7cRbGc5Ji9N622GA91r+HM1CllA2uVSA
+9sbkMz/9VgrJW08/ogFDEABiQHrc1t1rGCt1Fen9JA
+-> ssh-rsa VtjGpQ
+KNfpNbg2joCTEzMHowbhLrOvPd5umR0koyLUrS6MPTDLQken5asXMJt3y4V/Cyuz
+VQaldABIeKRRIFVPhmFUx6PEN7CiR/593j4whoWW7gWIv3DriqCY5FD1P2NvrzSU
+a258QZnW0+7zivZMmtbo6EPebT7c93rZwOv5PyB6XPWXU9p/1QZu7gMzoZJmdGtq
+t9tj/QheXQ2Zkn/p6lKUNAZRrGQ23PbbgrCdKV+V8mYYAPovPXd6Ner35OZln4P6
+nxNOj0Q2x7TdXZXoOiuxCa5R6H1ZPCbqBivUPHufL+1xf8U2bTZIeD9Kttuy8lMe
+MJphExO9JBTAKjEhin+5yR3vXOQUd6VIFT6Kfc12rS5aeKWp/ORBtF+f/FoYbueY
+h5eww5sGt3dupBMv90T7H+fSPz6e8REFRzYEbxXNwMiqgNzhOu2f4+0Gw3fy842Z
+WtFNbA53R+ddPoUo/j5ePYa9p5H07tlDend30t85vh6UNe4aPoZ8kZidEmEHCPt9
+SJncsqZlQOpwAPSnRza9soy4lELDw1CSYWMMhz8iabAOavBCJBmuP0kbDYGxqYvh
+xz1oi4lsKMUigHCXNh2Jlehk5khUeHQjeRIj54XecdHEoKk0UBQi6boN23wCkjfj
+dWpeLrM+oktuYBDbIcYVk/xxuGHzxzHX6f3RSpHiSNw
+-> piv-p256 grR75w Aqh8nw0yU9aOIySK9ZocRnGxnmeAGtXON0V2L3rboBU7
+b45u/T2J5a8DvyY11wugHFzazZCI4Qgq73iOFcBw1ZU
+-> piv-p256 RQguQQ AiKL2FhNLvg+L6UjohDSjUnZh2lmpQwlWE23KkPxa514
+SgVlCYhv2pf95vkZd2JqZ4uF/UfW3EXVkSPzR3gtuu4
+--- pla/ruxkoqhHSWKxOqUW2cFz84aYUTekQEJJtexdCYQ
+S†°9/î!<21>¼¾Æe¥´(åÓ¦‚Çð›>^‚/Ì8¿Ý*Ái/–Y¥«#Wü”Ô[?0û<>JCøÿÓBÑçm[
ÍDpe–vfV<56>¸©§§dn-Üïú~c•ÉCÆŒ-Cò•ÝÓÕ˜ÿ®"^'Ö'9žEWâz¸	—Ú	 áÖŠ?†XÇ¼¥›SÌC¬0=·VÙì<ÂQ,k€UrÞî““4<E2809C>UžAol(ó(ØZè”^÷ì õ°%Œ¸” gA