acme

2026-01-13 18:44:11 -05:00 · 2025-02-02 12:14:33 -05:00 · 2025-02-02 12:14:33 -05:00 · 1d2e865638
commit 1d2e865638
parent 6ad7ccc0c5
9 changed files with 106 additions and 75 deletions
--- a/flake.lock
+++ b/flake.lock
@ -101,11 +101,11 @@
    },
    "nix-secrets": {
      "locked": {
-        "lastModified": 1738161184,
-        "narHash": "sha256-8ma/3Ynp2AzRm9ER5IqFm3pV05WVf0MtVDKHkxZSftA=",
+        "lastModified": 1738516276,
+        "narHash": "sha256-ZA8mBJ0pogSL+gZYg+DUHJ8Arwi0bBIsLy+/OeHKwvk=",
        "ref": "refs/heads/master",
-        "rev": "300319bbe2c60b201e451fc74a49465a2f1c2681",
-        "revCount": 28,
+        "rev": "7c110c28d15076b694c534ffda14dcf8f69c98ed",
+        "revCount": 30,
        "type": "git",
        "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
      },
--- a/modules/users/overseer/acme.nix
+++ b/modules/users/overseer/acme.nix
@ -0,0 +1,44 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+lib.mkIf config.user.overseer.enable {
+  sops = {
+    secrets = {
+      "aws/access_key" = {};
+      "aws/secret_key" = {};
+      "aws/region" = {};
+    };
+    templates = {
+      "aws_shared_credentials".content = ''
+        [default]
+        aws_access_key_id=${config.sops.placeholder."aws/access_key"}
+        aws_secret_access_key=${config.sops.placeholder."aws/secret_key"}
+      '';
+      "aws_config".content = ''
+        [default]
+        region=${config.sops.placeholder."aws/region"}
+      '';
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "infrastructure@wanderingcrow.net";
+      dnsProvider = "route53";
+      credentialFiles = {
+        "AWS_SHARED_CREDENTIALS_FILE" = config.sops.templates."aws_shared_credentials".path;
+      };
+      environmentFile = config.sops.templates."aws_config".path;
+    };
+    certs = {
+      "home.wanderingcrow.net" = {};
+      "homebox.wanderingcrow.net" = {};
+      "bar.wanderingcrow.net" = {};
+      "bookstack.wanderingcrow.net" = {};
+    };
+  };
+}
--- a/modules/users/overseer/default.nix
+++ b/modules/users/overseer/default.nix
@ -1,12 +1,9 @@
 {
-  lib,
-  config,
-  ...
-}: {
  imports = [
    ./user.nix
    ./setup.nix
    ./secrets.nix
+    ./acme.nix
    ./services
  ];
 }
--- a/modules/users/overseer/services/bar-assistant.nix
+++ b/modules/users/overseer/services/bar-assistant.nix
@ -3,9 +3,7 @@ let
 in
  {
    lib,
-    inputs,
    config,
-    pkgs,
    ...
  }:
    lib.mkIf config.user.overseer.enable {
@ -13,16 +11,18 @@ in
      # SECRETS #
      ###########

-      # Meilisearch secrets
-      sops.secrets."meilisearch/masterkey" = {};
-      sops.templates."meilisearch-environment".content = ''
-        MEILI_MASTER_KEY=${config.sops.placeholder."meilisearch/masterkey"}
-      '';
+      sops = {
+        # Meilisearch secrets
+        secrets."meilisearch/masterkey" = {};
+        templates."meilisearch-environment".content = ''
+          MEILI_MASTER_KEY=${config.sops.placeholder."meilisearch/masterkey"}
+        '';

-      # Bar Assistant secrets
-      sops.templates."bar_assistant-env".content = ''
-        MEILISEARCH_KEY=${config.sops.placeholder."meilisearch/masterkey"}
-      '';
+        # Bar Assistant secrets
+        templates."bar_assistant-env".content = ''
+          MEILISEARCH_KEY=${config.sops.placeholder."meilisearch/masterkey"}
+        '';
+      };

      systemd.tmpfiles.rules = [
        "d ${volumePath}/bar-assistant 770 33 33"
--- a/modules/users/overseer/services/default.nix
+++ b/modules/users/overseer/services/default.nix
@ -1,8 +1,4 @@
 {
-  lib,
-  config,
-  ...
-}: {
  imports = [
    ./bar-assistant.nix
    ./homebox.nix
--- a/modules/users/overseer/services/grocy.nix
+++ b/modules/users/overseer/services/grocy.nix
@ -1,16 +1,12 @@
-let
-  volumePath = "/overseer/services";
-in
-  {
-    lib,
-    pkgs,
-    config,
-    ...
-  }:
-    lib.mkIf config.user.overseer.enable {
-      services.grocy = {
-        enable = true;
-        hostName = "grocy.wanderingcrow.net";
-        nginx.enableSSL = false;
-      };
-    }
+{
+  lib,
+  config,
+  ...
+}:
+lib.mkIf config.user.overseer.enable {
+  services.grocy = {
+    enable = true;
+    hostName = "grocy.wanderingcrow.net";
+    nginx.enableSSL = false;
+  };
+}
--- a/modules/users/overseer/services/homebox.nix
+++ b/modules/users/overseer/services/homebox.nix
@ -1,41 +1,41 @@
 {
  lib,
-  inputs,
  config,
-  pkgs,
  ...
 }:
 lib.mkIf config.user.overseer.enable {
-  services.restic.backups.homebox = {
-    user = "root";
-    timerConfig = {
-      OnCalendar = "hourly";
-      Persistent = true;
+  services = {
+    restic.backups.homebox = {
+      user = "root";
+      timerConfig = {
+        OnCalendar = "hourly";
+        Persistent = true;
+      };
+      paths = [
+        "/var/lib/homebox/data"
+      ];
+      repositoryFile = config.sops.secrets."restic/url".path;
+      passwordFile = config.sops.secrets."restic/key".path;
    };
-    paths = [
-      "/var/lib/homebox/data"
-    ];
-    repositoryFile = config.sops.secrets."restic/url".path;
-    passwordFile = config.sops.secrets."restic/key".path;
-  };

-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    virtualHosts = {
-      "homebox.wanderingcrow.net" = {
-        locations."/" = {
-          proxyPass = "http://localhost:7745";
-          proxyWebsockets = true;
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "homebox.wanderingcrow.net" = {
+          locations."/" = {
+            proxyPass = "http://localhost:7745";
+            proxyWebsockets = true;
+          };
        };
      };
    };
-  };

-  services.homebox = {
-    enable = true;
-    settings = {
-      HBOX_OPTIONS_ALLOW_REGISTRATION = "true";
+    homebox = {
+      enable = true;
+      settings = {
+        HBOX_OPTIONS_ALLOW_REGISTRATION = "true";
+      };
    };
  };
 }
--- a/modules/users/overseer/services/homepage.nix
+++ b/modules/users/overseer/services/homepage.nix
@ -1,18 +1,18 @@
 {
  lib,
-  inputs,
  config,
-  pkgs,
  ...
 }:
 lib.mkIf config.user.overseer.enable {
  # Homepage.dev secrets
-  sops.secrets."homepage/openmeteo/lat" = {};
-  sops.secrets."homepage/openmeteo/long" = {};
-  sops.templates."homepage-environment".content = ''
-    HOMEPAGE_VAR_LAT = ${config.sops.placeholder."homepage/openmeteo/lat"}
-    HOMEPAGE_VAR_LONG = ${config.sops.placeholder."homepage/openmeteo/long"}
-  '';
+  sops = {
+    secrets."homepage/openmeteo/lat" = {};
+    secrets."homepage/openmeteo/long" = {};
+    templates."homepage-environment".content = ''
+      HOMEPAGE_VAR_LAT = ${config.sops.placeholder."homepage/openmeteo/lat"}
+      HOMEPAGE_VAR_LONG = ${config.sops.placeholder."homepage/openmeteo/long"}
+    '';
+  };

  services.nginx = {
    enable = true;
--- a/modules/users/overseer/services/invidious.nix
+++ b/modules/users/overseer/services/invidious.nix
@ -1,8 +1,6 @@
 {
  lib,
-  inputs,
  config,
-  pkgs,
  ...
 }:
 lib.mkIf config.user.overseer.enable {