diff --git a/modules/services/dmz/hydra.nix b/modules/services/dmz/hydra.nix index cb849e6..66868ff 100644 --- a/modules/services/dmz/hydra.nix +++ b/modules/services/dmz/hydra.nix @@ -1,19 +1,44 @@ { lib, config, pkgs, ... }: { - services.hydra = { - enable = true; - hydraURL = "http://localhost:3000"; - notificationSender = "hydra@localhost"; - useSubstitutes = true; - }; - - networking.firewall = { - enable = true; - #allowedUDPPorts = [ ]; - allowedTCPPorts = [ 3000 ]; + services = { + hydra = { + enable = true; + hydraURL = "hydra.home.opel-online.de"; + listenHost = "localhost"; + notificationSender = "hydra@localhost"; + useSubstitutes = true; + }; + nix-serve = { + enable = true; + port = 5001; + secretKeyFile = config.age.secrets."keys/nixsign".path; + }; + nginx = { + enable = true; + virtualHosts = { + "${config.services.hydra.hydraURL}" = { + enableACME = true; + forceSSL = true; + listen = [ { + addr = "127.0.0.1"; port = 3000; + } ]; + }; + }; + }; }; + security.acme = { + defaults.email = "webmaster@kabtop.de"; + defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + acceptTerms = true; + certs.${config.services.hydra.hydraURL} = { + dnsProvider = "netcup"; + environmentFile = config.age.secrets."services/acme/opel-online".path; + webroot = null; + }; + }; + nix = { settings.trusted-users = [ "hydra" @@ -28,6 +53,10 @@ file = ../../../secrets/keys/nixservepriv.age; owner = "hydra"; }; + age.secrets."services/acme/opel-online" = { + file = ../../../services/acme/opel-online.age; + owner = "acme"; + }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2c751b2..62ba661 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
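Review bot: The nginx virtualHost's `listen = [ { addr = "127.0.0.1"; port = 3000; } ]` binds the same loopback address and, unless `services.hydra.port` is overridden elsewhere, the same default port that Hydra itself now binds via `listenHost = "localhost"`, so the two services will contend for one socket, and since the vhost has no `locations."/".proxyPass` TLS never actually fronts Hydra. I would drop the `listen` override so nginx keeps its default 80/443 listeners, add `locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";`, and reopen `networking.firewall.allowedTCPPorts = [ 80 443 ];` now that the old firewall block is gone. `webroot = null` under `security.acme.certs` will most likely collide with the `webroot` the nginx module defines for every `enableACME` vhost; the supported way to use `dnsProvider` here is `acmeRoot = null;` on the virtualHost instead. `hydraURL` is reused as a bare hostname for the vhost and certificate names, but Hydra expects a full URL there for links in notification mails, so a `let host = "hydra.home.opel-online.de"; in` with `hydraURL = "https://${host}"` and `"${host}"` for the vhost and cert keeps both correct. Note that `defaults.server` points at the Let's Encrypt staging directory, so the issued certificate will not be trusted by clients until this is switched to the production endpoint.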
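Review bot: The new secret's `file = ../../../services/acme/opel-online.age;` is missing the `secrets/` path component: the file this commit adds lives at `secrets/services/acme/opel-online.age`, and the sibling entry just above resolves through `../../../secrets/keys/nixservepriv.age`, so the build will fail on a path that does not exist. It should read `file = ../../../secrets/services/acme/opel-online.age;`. The enclosing attribute set opens outside this hunk.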
@@ -79,6 +79,7 @@ in "services/gitea/mailerPassword.age".publicKeys = servers ++ users; "services/gitea/homerunner-token.age".publicKeys = homerunners ++ users; "services/gitea/serverrunner-token.age".publicKeys = serverrunners ++ users; + "services/acme/opel-online.age".publicKeys = buildServer ++ users; "keys/nixremote.age".publicKeys = buildClients ++ users; "keys/nixservepriv.age".publicKeys = buildServer ++ users; } diff --git a/secrets/services/acme/opel-online.age b/secrets/services/acme/opel-online.age new file mode 100644 index 0000000..6d5a055 --- /dev/null +++ b/secrets/services/acme/opel-online.age @@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 Xp6AuQ ibCYDe34xExOAbsmEKgGoHwAOg/y64Cil1r/DWXTbCI +7W3BlmZLuPc6m8xEb2cu4KeJURQa9H+9kEsok6yezMQ +-> ssh-ed25519 NNXygQ blG1V4YV0fi7cRbGc5Ji9N622GA91r+HM1CllA2uVSA ++9sbkMz/9VgrJW08/ogFDEABiQHrc1t1rGCt1Fen9JA +-> ssh-rsa VtjGpQ +KNfpNbg2joCTEzMHowbhLrOvPd5umR0koyLUrS6MPTDLQken5asXMJt3y4V/Cyuz +VQaldABIeKRRIFVPhmFUx6PEN7CiR/593j4whoWW7gWIv3DriqCY5FD1P2NvrzSU +a258QZnW0+7zivZMmtbo6EPebT7c93rZwOv5PyB6XPWXU9p/1QZu7gMzoZJmdGtq +t9tj/QheXQ2Zkn/p6lKUNAZRrGQ23PbbgrCdKV+V8mYYAPovPXd6Ner35OZln4P6 +nxNOj0Q2x7TdXZXoOiuxCa5R6H1ZPCbqBivUPHufL+1xf8U2bTZIeD9Kttuy8lMe +MJphExO9JBTAKjEhin+5yR3vXOQUd6VIFT6Kfc12rS5aeKWp/ORBtF+f/FoYbueY +h5eww5sGt3dupBMv90T7H+fSPz6e8REFRzYEbxXNwMiqgNzhOu2f4+0Gw3fy842Z +WtFNbA53R+ddPoUo/j5ePYa9p5H07tlDend30t85vh6UNe4aPoZ8kZidEmEHCPt9 +SJncsqZlQOpwAPSnRza9soy4lELDw1CSYWMMhz8iabAOavBCJBmuP0kbDYGxqYvh +xz1oi4lsKMUigHCXNh2Jlehk5khUeHQjeRIj54XecdHEoKk0UBQi6boN23wCkjfj +dWpeLrM+oktuYBDbIcYVk/xxuGHzxzHX6f3RSpHiSNw +-> piv-p256 grR75w Aqh8nw0yU9aOIySK9ZocRnGxnmeAGtXON0V2L3rboBU7 +b45u/T2J5a8DvyY11wugHFzazZCI4Qgq73iOFcBw1ZU +-> piv-p256 RQguQQ AiKL2FhNLvg+L6UjohDSjUnZh2lmpQwlWE23KkPxa514 +SgVlCYhv2pf95vkZd2JqZ4uF/UfW3EXVkSPzR3gtuu4 +--- pla/ruxkoqhHSWKxOqUW2cFz84aYUTekQEJJtexdCYQ +S9/!e(>^/8*i/Y#W[?0JCBm[ DpevfVdn-~cCƌ-C"^''9EWz ֊?XǼSC0=V