diff --git a/.sops.yaml b/.sops.yaml index 3f810b3..7049653 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,5 +1,6 @@ keys: - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 + - &server_deimos age109zux7z2n5qjzfntvj9u52hr30hkvhecas0hvu9p6ehd9zugxqps4p4g4q - &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24 - &server_europa age1z0rfzzfll963msxfschxn7m65pz5p8nuz9p3h940mhhfr6uxe5mqpl4dul creation_rules: diff --git a/hive/deimos/default.nix b/hive/deimos/default.nix index e03ee97..ba04c01 100644 --- a/hive/deimos/default.nix +++ b/hive/deimos/default.nix @@ -1,11 +1,11 @@ -{ lib, ... }: +{ sops-nix, lib, ... }: { imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ + sops-nix.nixosModules.sops ../../digital-ocean/configuration.nix - ../../services/blog.nix ../../services/bookshelf.nix ../../services/notebook.nix - ../../services/portfolio.nix + ../../services/portfolio ]; networking = { diff --git a/services/blog.nix b/services/blog.nix deleted file mode 100644 index bda9574..0000000 --- a/services/blog.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ system, ... }: -let - blog = builtins.getFlake - "github:jrpotter/blog/457bfd6c521d5d8eeb41deb7d5d6a925fd55dda9"; -in -{ - services.nginx = { - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts."blog.jrpotter.com" = { - forceSSL = true; - enableACME = true; - locations."/" = { - root = blog.packages.${system}.app; - }; - }; - }; -} diff --git a/services/portfolio.nix b/services/portfolio.nix deleted file mode 100644 index 1e6463e..0000000 --- a/services/portfolio.nix +++ /dev/null 
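Review bot: The new `&server_deimos` anchor is only declared in this hunk; it stops at the `creation_rules:` context line, so no rule referencing `*server_deimos` is visible. Unless a rule outside the hunk lists `*admin_jrpotter` and `*server_deimos` for a `path_regex` matching `services/portfolio/secrets.yaml`, a later `sops updatekeys` will re-encrypt that file to a different recipient set than the one being committed. Worth confirming that rule exists, and adding a one-line comment next to the anchor naming the host that holds the private key, e.g. `# deimos host key; private half lives only on deimos`.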
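Review bot: `sops-nix.nixosModules.sops` is imported here, but nothing in this hunk sets `sops.age.keyFile` or `sops.age.sshKeyPaths`, so decryption on deimos depends on sops-nix's default key location; if the private key for the `server_deimos` recipient is not where the module expects it, activation fails and `/run/secrets/PORTFOLIO_SECRET_KEY_BASE` never exists for the service that reads it. I would pin it explicitly in this host file next to the import, e.g. `sops.age.keyFile = "/var/lib/sops-nix/key.txt";` (or whichever path is actually provisioned on deimos), so the dependency is visible where the module is enabled. Separately, dropping `../../services/blog.nix` removes the `blog.jrpotter.com` vhost and its ACME entry; if DNS still points that name at deimos, requests now land on nginx's default vhost, so either keep a redirect or state the retirement in the commit message. The enclosing attrset continues past this hunk (`networking = {`).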
@@ -1,22 +0,0 @@ -{ system, ... }: -let - portfolio = builtins.getFlake - "github:jrpotter/portfolio/88457c1f03e467e965654d10998875f3b40a9eb5"; -in -{ - services.nginx = { - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts."www.jrpotter.com" = { - forceSSL = true; - enableACME = true; - serverAliases = [ "jrpotter.com" ]; - locations."/" = { - root = portfolio.packages.${system}.app; - }; - }; - }; -} diff --git a/services/portfolio/default.nix b/services/portfolio/default.nix new file mode 100644 index 0000000..f428e5d --- /dev/null +++ b/services/portfolio/default.nix @@ -0,0 +1,49 @@ +{ system, ... }: +let + portfolio = ( + builtins.getFlake "github:jrpotter/portfolio/0411360113e5afbab0c551dc16a7fbb88cc8be35" + ).packages.${system}.app; +in +{ + services.nginx = { + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts."www.jrpotter.com" = { + forceSSL = true; + enableACME = true; + serverAliases = [ "jrpotter.com" ]; + locations."/" = { + proxyPass = "http://127.0.0.1:4000"; + proxyWebsockets = true; + }; + }; + }; + + systemd.services.portfolio = { + enable = true; + description = "Portfolio Server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + requires = [ "network-online.target" ]; + environment = { + PHX_HOST = "jrpotter.com"; + }; + serviceConfig = { + Type = "exec"; + EnvironmentFile = "/run/secrets/PORTFOLIO_SECRET_KEY_BASE"; + ExecStart = "${portfolio}/bin/server start"; + ExecStop = "${portfolio}/bin/server stop"; + ExecReload = "${portfolio}/bin/server restart"; + Restart = "on-failure"; + }; + }; + + sops = { + secrets.PORTFOLIO_SECRET_KEY_BASE = { + sopsFile = ./secrets.yaml; + }; + }; +} diff --git a/services/portfolio/secrets.yaml b/services/portfolio/secrets.yaml new file mode 100644 index 0000000..84869df --- /dev/null 
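Review bot: `EnvironmentFile = "/run/secrets/PORTFOLIO_SECRET_KEY_BASE"` points at a sops-nix secret, which is written out as the raw decrypted value, whereas systemd parses an `EnvironmentFile` as `KEY=VALUE` lines and ignores anything else; this only works if the plaintext already is a line such as `SECRET_KEY_BASE=...`, which the ciphertext cannot show, so that contract deserves a comment on the line. The unit also `requires` `network-online.target` but is only ordered `after = [ "network.target" ]`, so it can be started before the network is actually up; the usual pairing is `after` and `wants` on `network-online.target`. No `User`/`DynamicUser` is set either, so the release runs as root behind nginx; `DynamicUser = true` with `NoNewPrivileges` is the least-privilege default, and since `EnvironmentFile` is read by the service manager rather than the unprivileged process the root-owned secret should still be readable (verify on first deploy, and give the release a writable `StateDirectory` if it needs scratch space). The proposed changes are below; `sopsFile = ./secrets.yaml` and the nginx block are fine as written.
```nix
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "exec";
      DynamicUser = true;
      NoNewPrivileges = true;
      # sops-nix writes the raw value; systemd only exports KEY=VALUE lines,
      # so the plaintext must be e.g. SECRET_KEY_BASE=<value>
      EnvironmentFile = "/run/secrets/PORTFOLIO_SECRET_KEY_BASE";
      # … unchanged: ExecStart / ExecStop / ExecReload / Restart …
    };
```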
+++ b/services/portfolio/secrets.yaml
@@ -0,0 +1,30 @@
+PORTFOLIO_SECRET_KEY_BASE: ENC[AES256_GCM,data:QaucF6l4KsSysB+Q0Z7N5dwhkcCvjJT5RtAxMpNP3jgYQE1Cn06m7KzZNnsQZ/xczOmv6IRmV/tBau0P3/zBLrwGgOn4C6684dUwoRGaY3Q=,iv:T1iHXsbKXwhJyFDPegaphF2r+mcDPBeRl3cx35y1OhE=,tag:PTArnILaBy6DBGfioIfIww==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb25BSUxGZDBLd1lOUDRj
+ VVF1b2xUalhzNldNQVB0dnNBMVplSkNwT21rCk92ZTQ0SE1WMGRoN0ZoT0JqTEJi
+ MjZnbHJjSmFnVzhoUUtjKy9RK1c1TDgKLS0tIDZBS0hidXBHN3RwSFc5dEdnNk9V
+ QUdnanR3YWZpbE4yVk90NW80RHFOTW8KR/1t8vkJbBPLnomWjsCVDk98e2U1yGdg
+ ah8vt4wCB80RfV7GK4ey+9RlV6jsZPLiuCbI/O+bkljnxwVenJyiSQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age109zux7z2n5qjzfntvj9u52hr30hkvhecas0hvu9p6ehd9zugxqps4p4g4q
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOFJTYWVkNk9HYXpibnVY
+ VERHT01GWmYzaVpOWC92WC9hcmpDR2ZKNUE0CnQ1OEd4UGlGUEE0Z0lBZ3B0MXRk
+ bElheVJhZkNLaUZFclhUZitnanEvelkKLS0tIHlNam1ncFFtNzBock5RQ3pNQnRq
+ YXY1Z3F0R2NNeWZ5aU95bm9nOXhCMVkK4wKE+2xJW6NCwP1UkdiRhCp4AfzGblDk
+ c1CrBFSXy1SPNoF1IFovzmXaeBTP/z2lL5V3acle/jUDu6lqiFoThA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-18T18:01:36Z"
+ mac: ENC[AES256_GCM,data:W/KwLKfYPjO4U21BeAWc2pXoHrQFvhUzuaBoxD42urTABM4rIRdFyfnZxOWvGONYx625pT0g50PaJQVdl3yKwhw7SrjLPnrB1i/eiGiDrHI1CYaO1JkCab4dVacSia8xu0Kn/A9dEhvh2l1kEafh1q9iplpSlnhhJY9VhHLBOfI=,iv:7JxLYbOgvs1yfeCPkySpcMKvJ1r4Kz+gA6A8P1nku38=,tag:Ql8yaiNFpX9W1irNVWY1RA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3