59d742f4ba
- flake.nix exposes a devShell (openstackclient, opentofu, sops, age) plus
nixosConfigurations.watcher (runtime) and packages.watcher-image (QCOW2
via nixos-generators / openstack format).
- hosts/watcher/default.nix: SSH-only base, tyro user with key auth, root
SSH disabled, trusted-users set so laptop closure pushes work.
- modules/website.nix: Caddy serves tyrolize.ch from sites/tyrolize.ch/;
lize.ch 301-redirects; firewall opens 80/443. Let's Encrypt via HTTP-01.
- terraform/infomaniak/: OpenStack provider, security group (22/80/443),
keypair, compute instance booted from the uploaded image. Auth via OS_*
env vars sourced from terraform/infomaniak/.env by the devShell hook.
- scripts/build-image.sh + scripts/deploy.sh.
- dns/{tyrolize,lize}.ch.zone: full BIND zone files for the advanced view
in Infomaniak DNS Manager; preserves kSuite mail records on lize.ch.
Watcher live at 195.15.203.200 (IPv6 2001:1600:10💯:b4e), NixOS 25.05.
HTTPS confirmed working on both domains.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
26 lines
682 B
Nix
26 lines
682 B
Nix
{ config, lib, pkgs, ... }: {
|
|
# Caddy serves tyrolize.ch and 301-redirects lize.ch to it.
|
|
# TLS certs auto-provisioned via Let's Encrypt (HTTP-01 challenge), which
|
|
# requires the apex DNS A/AAAA records to already point at this VM.
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
email = "tyro@lize.ch"; # Let's Encrypt account contact
|
|
|
|
virtualHosts."tyrolize.ch" = {
|
|
extraConfig = ''
|
|
root * ${../sites/tyrolize.ch}
|
|
file_server
|
|
encode gzip zstd
|
|
'';
|
|
};
|
|
|
|
virtualHosts."lize.ch" = {
|
|
extraConfig = ''
|
|
redir https://tyrolize.ch{uri} permanent
|
|
'';
|
|
};
|
|
};
|
|
}
|