1f9c2669a2
sops: - devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to $REPO/.sops-age-key.txt (gitignored, generated locally). - .sops.yaml lists laptop + watcher recipients. The watcher recipient is derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the watcher decrypts using its SSH host key as the age identity at boot. - hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install- secrets surfaces it at /run/secrets/example (root-only). Forgejo: - modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000. - modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to localhost. Caddy gets a Let's Encrypt cert automatically. - terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group. - Admin user `tyro` (role admin) created out-of-band via the gitea CLI. Both services live on the watcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
33 lines
824 B
Nix
33 lines
824 B
Nix
{ config, lib, pkgs, ... }: {
|
|
# Caddy serves tyrolize.ch and 301-redirects lize.ch to it.
|
|
# TLS certs auto-provisioned via Let's Encrypt (HTTP-01 challenge), which
|
|
# requires the apex DNS A/AAAA records to already point at this VM.
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
email = "tyro@lize.ch"; # Let's Encrypt account contact
|
|
|
|
virtualHosts."tyrolize.ch" = {
|
|
extraConfig = ''
|
|
root * ${../sites/tyrolize.ch}
|
|
file_server
|
|
encode gzip zstd
|
|
'';
|
|
};
|
|
|
|
virtualHosts."lize.ch" = {
|
|
extraConfig = ''
|
|
redir https://tyrolize.ch{uri} permanent
|
|
'';
|
|
};
|
|
|
|
virtualHosts."git.tyrolize.ch" = {
|
|
extraConfig = ''
|
|
reverse_proxy 127.0.0.1:3000
|
|
encode gzip zstd
|
|
'';
|
|
};
|
|
};
|
|
}
|