invoiceplane: make publicly available

hosts/frikandel/default.nix

@@ -6,6 +6,7 @@
     ./networking.nix
     ./unbound.nix
     ./nginx.nix
+    ./invoiceplane-proxy.nix
     ./wireguard.nix
     ./email.nix
     ./website.nix

hosts/frikandel/invoiceplane-proxy.nix

@@ -0,0 +1,20 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  security.acme.certs = {
+    "invoicing.b12f.io" = {};
+  };
+
+  services.nginx.virtualHosts = {
+    "invoicing.b12f.io" = {
+      forceSSL = true;
+      useACMEHost = "invoicing.b12f.io";
+      # This redirects to invoiceplane on pie
+      locations."/".proxyPass = "https://invoicing.b12f.io";
+    };
+  };
+}

hosts/frikandel/unbound.nix

@@ -58,6 +58,9 @@
           "\"b12f.io\" transparent"
         ];
         local-data = [
+          "\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
+          "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
+
           "\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
           "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
           "\"backup.b12f.io. 10800 IN A 10.13.12.3\""

hosts/pie/invoiceplane.nix

@@ -33,7 +33,6 @@ in {
 
   services.invoiceplane.webserver = "nginx";
   services.invoiceplane.sites."invoicing.b12f.io" = {
-    # nginx is not supported
     enable = true;
 
     database = {

modules/acme/default.nix

@@ -19,6 +19,8 @@
       # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
       dnsProvider = "hostingde";
       dnsPropagationCheck = true;
+      # We check via dns0 directly or unbound will be in our way
+      dnsResolver = "193.110.81.0";
       credentialsFile = config.age.secrets."hosting-de-acme-secrets".path;
       group = "nginx";
       webroot = null;

terraform/b12f.io.tf

@@ -160,7 +160,7 @@ resource "hostingde_record" "b12f-invoicing" {
   zone_id = hostingde_zone.b12f.id
   name = "invoicing.b12f.io"
   type = "CNAME"
-  content = "pie.b12f.io"
+  content = "frikandel.b12f.io"
   ttl = 300
 }