From b46f3d4ee917450c7bfbde5b6eea11caa5b69301 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 13 Apr 2024 02:11:15 +0200
Subject: [PATCH] fae: switch to nginx, use acme with hosting.de DNS
---
 hosts/default.nix | 1 +
 hosts/fae/paperless.nix | 39 +++++++++++++++++-----------
 modules/acme/default.nix | 27 +++++++++++++++++++
 modules/default.nix | 1 +
 secrets/hosting-de-acme-secrets.age | Bin 0 -> 497 bytes
 secrets/secrets.nix | 2 ++
 6 files changed, 55 insertions(+), 15 deletions(-)
 create mode 100644 modules/acme/default.nix
 create mode 100644 secrets/hosting-de-acme-secrets.age
diff --git a/hosts/default.nix b/hosts/default.nix
index 2a7acbee..1fa0d609 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -42,6 +42,7 @@
 inputs.nixos-hardware.nixosModules.raspberry-pi-4
 ./fae
 self.nixosModules.pub-solar
+ self.nixosModules.acme
 ];
 };
diff --git a/hosts/fae/paperless.nix b/hosts/fae/paperless.nix
index aad4c5f4..6605ba63 100644
--- a/hosts/fae/paperless.nix
+++ b/hosts/fae/paperless.nix
@@ -51,7 +51,7 @@ in {
 PAPERLESS_OCR_LANGUAGE = "nld+deu";
 PAPERLESS_ADMIN_USER = psCfg.user.name;
 PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
- PAPERLESS_URL = "https://paperless.local";
+ PAPERLESS_URL = "https://paperless.faenix.eu";
 };
 };
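Review bot: The changed `PAPERLESS_URL = "https://paperless.faenix.eu";` moves the instance onto a public hostname while the context line `PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;` two lines above still logs every visitor in as that user with no credential check, something Paperless-ngx itself documents as unsafe for an internet-exposed deployment. If `paperless.faenix.eu` resolves to an address reachable beyond the LAN, the whole document archive becomes readable and writable by anyone who loads the page, and nothing in this commit addresses that. Either drop the auto-login line, or keep it and make the nginx vhost listen only on LAN addresses or put authentication in front of it. The enclosing attribute set starts and ends outside the hunk.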
@@ -74,23 +74,32 @@ in {
 };
 };
- #security.acme.certs = {
- # "paperless.b12f.io" = {};
- #};
- services.caddy = {
- enable = true;
- globalConfig = ''
- local_certs
- '';
- virtualHosts = {
- "paperless.fritz.box" = {
- extraConfig = ''
- reverse_proxy :${builtins.toString config.services.paperless.port}
- '';
- };
+ security.acme.certs = {
+ "paperless.faenix.eu" = {};
+ };
+
+ services.nginx.virtualHosts = {
+ "paperless.faenix.eu" = {
+ forceSSL = true;
+ useACMEHost = "paperless.faenix.eu";
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
 };
 };
+ #services.caddy = {
+ # enable = true;
+ # globalConfig = ''
+ # local_certs
+ # '';
+ # virtualHosts = {
+ # "paperless.fritz.box" = {
+ # extraConfig = ''
+ # reverse_proxy :${builtins.toString config.services.paperless.port}
+ # '';
+ # };
+ # };
+ #};
+
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 systemd.tmpfiles.rules = [
diff --git a/modules/acme/default.nix b/modules/acme/default.nix
new file mode 100644
index 00000000..77b6187c
--- /dev/null
+++ b/modules/acme/default.nix
@@ -0,0 +1,27 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ age.secrets."hosting-de-acme-secrets" = {
+ file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
+ mode = "400";
+ owner = "acme";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+
+ defaults = {
+ email = "jfw@miom.space";
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsProvider = "hostingde";
+ dnsPropagationCheck = true;
+ environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
+ group = "nginx";
+ webroot = null;
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 58ed2c0c..443c1f28 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,6 +5,7 @@
 }: {
 flake = {
 nixosModules = rec {
+ acme = import ./acme;
 audio = import ./audio;
 bluetooth = import ./bluetooth;
 core = import ./core;
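Review bot: The new `locations."/".proxyPass` entry forwards to Paperless with no proxy headers and no websocket upgrade, so unless `services.nginx.recommendedProxySettings = true;` is set elsewhere on this host, Paperless will not see the `Host` and `X-Forwarded-Proto` values its CSRF and redirect handling compare against `PAPERLESS_URL`, and its live status websocket will not work through this vhost; add `proxyWebsockets = true;` next to `proxyPass` and enable `recommendedProxySettings` if it is not already on. The request body limit also matters for a document scanner frontend: NixOS's `services.nginx.clientMaxBodySize` (10m unless overridden, as far as I recall) will reject larger scans uploaded through the web UI, so set it to a value that fits your documents. The 14 commented-out `services.caddy` lines re-added after the vhost are dead configuration that git history already preserves; delete them instead of carrying them forward.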
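Review bot: `modules/acme/default.nix` points `environmentFile` at the decrypted `hosting-de-acme-secrets` secret but nothing states what that file must contain, so re-creating it on another host or rotating the key means reverse-engineering lego's provider; add a comment above `age.secrets."hosting-de-acme-secrets"` such as `# Env file for lego's hostingde DNS-01 provider: HOSTINGDE_API_KEY and HOSTINGDE_ZONE_NAME`. That API key can change any record in the zone, and a leaked DNS-01 credential is enough to obtain certificates for every name under the domain, so it deserves its own rotation schedule and should be scoped to this one zone if hosting.de offers that. `group = "nginx"` in `defaults` makes every certificate issued through this module group-readable by nginx, which is exactly what the `useACMEHost` vhost needs, but a one-line comment saying so would save the next host that imports this module without nginx some confusion. `pkgs` and `lib` in the module's argument set are unused and can be dropped.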
diff --git a/secrets/hosting-de-acme-secrets.age b/secrets/hosting-de-acme-secrets.age
new file mode 100644
index 0000000000000000000000000000000000000000..20686d2982213c9daf9885a6bfd5a3dd85ee7861
GIT binary patch
literal 497 zcmZ9_O>5I&003YQo}!0&m>}ZF!HG~~^SLx2gEU>+<)h1+v`tzNtx1-T=1tNjO`C|w zJotfn(TP96gCc^0g5ptsf=s;a;$h%zUIanJtIr>JMy`W7ku@!n%#Wjs@zky61cI%j zY3gB)O)?C@p(>fW&K!-!fTXuIGmN;Q#?ysVty#9f0Wbv9Ffy}tpi)+Ny#`@EBH$L$9~+HJ(e!Ac01^XHO`S zwf=31pJNHhtf7lmS(I~>XCdD7_|PDR^hS@4&L={9ln@r@4fYt UJNKgdH?ZBu=RQ8)SUf!X7d-8*=l}o! literal 0 HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c0b0aa89..47955d72 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
 machines = {
 dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
 ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
+ fae = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP3xI8c8+SI5QPTHqR0YIwKvG8x2MJGC/arBu4BkCP0 root@fae";
 };
 users = {
 teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
@@ -19,4 +20,5 @@ in {
 "mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
 "docker-ci-runner-secrets.age".publicKeys = allKeys;
 "test-secret.age".publicKeys = [users.teutat3s-5-nfc];
+ "hosting-de-acme-secrets.age".publicKeys = [machines.fae users.teutat3s users.teutat3s-5-nfc];
 }