diff --git a/configuration/nginx/default.nix b/configuration/nginx/default.nix
index 2ef1527..dab0259 100644
--- a/configuration/nginx/default.nix
+++ b/configuration/nginx/default.nix
@@ -1,9 +1,4 @@
-{
-  flake-inputs,
-  pkgs,
-  lib,
-  ...
-}:
+{ lib, ... }:
 {
   imports = [
     ./logging.nix
@@ -15,64 +10,13 @@
     description = "The base domain name to append to virtual domain names";
   };
 
-  config = {
-    services.nginx = {
-      enable = true;
-      recommendedTlsSettings = true;
-      recommendedOptimisation = true;
-      recommendedGzipSettings = true;
-      recommendedProxySettings = true;
-      clientMaxBodySize = "10G";
-      statusPage = true; # For metrics, should be accessible only from localhost
-    };
-
-    serviceTests =
-      let
-        testHostConfig =
-          { config, ... }:
-          {
-            _module.args = { inherit flake-inputs; };
-            imports = [
-              ./.
-              ../../modules/serviceTests/mocks.nix
-              flake-inputs.sops-nix.nixosModules.sops
-            ];
-
-            services.nginx = {
-              domain = "testHost";
-
-              virtualHosts."${config.services.nginx.domain}" = {
-                useACMEHost = "tlater.net";
-                forceSSL = true;
-                enableHSTS = true;
-                locations."/".return = "200 ok";
-              };
-            };
-          };
-      in
-      {
-        hstsIsSet = pkgs.testers.runNixOSTest {
-          name = "assert-hsts";
-          nodes = {
-            testHost = testHostConfig;
-
-            client =
-              { pkgs, ... }:
-              {
-                environment.systemPackages = [ pkgs.curl ];
-              };
-          };
-
-          testScript = ''
-            start_all()
-
-            testHost.wait_for_unit("nginx")
-            testHost.succeed("systemctl start network-online.target")
-            testHost.wait_for_unit("network-online.target")
-
-            client.succeed("curl http://testHost")
-          '';
-        };
-      };
+  config.services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    clientMaxBodySize = "10G";
+    statusPage = true; # For metrics, should be accessible only from localhost
   };
 }
diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix
index 7abc38e..4cea508 100644
--- a/configuration/nginx/ssl.nix
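Review bot: The `serviceTests` attribute is removed without any replacement, so this module now has no test at all, and the deleted `assert-hsts` script only ran `curl http://testHost` without inspecting a `Strict-Transport-Security` header, so HSTS was never actually asserted even before; if a VM test is meant to return through the renamed `serviceTests.nix` module, a `# TODO` next to `config.services.nginx` saying so would keep that intent from being lost. Separately, `clientMaxBodySize = "10G"` on the new side is the server-wide default, so every virtual host accepts 10G request bodies whether or not it serves uploads; setting `client_max_body_size` per vhost via `services.nginx.virtualHosts.<name>.extraConfig` would confine that to the hosts that need it. The `statusPage` comment reads as an unmet requirement; as far as I can tell the NixOS option itself restricts `/nginx_status` to loopback, so `# Exposes /nginx_status for metrics; the NixOS module limits it to loopback` would be more accurate. The enclosing module attrset starts above this hunk.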
+++ b/configuration/nginx/ssl.nix
@@ -64,10 +64,5 @@ in
          ''${pkgs.runtimeShell} -c '${confirm}'
        '';
      };
-
-    sops.secrets = {
-      "porkbun/api-key".owner = "acme";
-      "porkbun/secret-api-key".owner = "acme";
-    };
   };
 }
diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix
index 0ae8abf..688f5f9 100644
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@@ -265,18 +265,5 @@ in
       };
       groups.backup = { };
     };
-
-    sops.secrets = {
-      "restic/storagebox-backups" = {
-        owner = "root";
-        group = "backup";
-        mode = "0440";
-      };
-      "restic/storagebox-ssh-key" = {
-        owner = "backup";
-        group = "backup";
-        mode = "0040";
-      };
-    };
   };
 }
diff --git a/configuration/sops.nix b/configuration/sops.nix
index a5b19f6..0337438 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -38,12 +38,30 @@
       group = "nextcloud";
     };
 
+    # Porkbub/ACME
+    "porkbun/api-key" = {
+      owner = "acme";
+    };
+    "porkbun/secret-api-key" = {
+      owner = "acme";
+    };
+
     # Restic
     "restic/local-backups" = {
       owner = "root";
       group = "backup";
       mode = "0440";
     };
+    "restic/storagebox-backups" = {
+      owner = "root";
+      group = "backup";
+      mode = "0440";
+    };
+    "restic/storagebox-ssh-key" = {
+      owner = "backup";
+      group = "backup";
+      mode = "0040";
+    };
 
     # Steam
     "steam/tlater" = { };
diff --git a/flake.lock b/flake.lock
index ad4903f..705d87c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -136,11 +136,11 @@
         "pyproject-nix": "pyproject-nix"
       },
       "locked": {
-        "lastModified": 1763413832,
-        "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=",
+        "lastModified": 1754978539,
+        "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=",
         "owner": "nix-community",
         "repo": "dream2nix",
-        "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743",
+        "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214",
         "type": "github"
       },
       "original": {
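Review bot: In the sops.nix hunk, `"restic/storagebox-ssh-key"` is declared with `owner = "backup"` and `mode = "0040"`, which grants read access to the `backup` group but none to the owner; Linux applies only the owner bits when the accessing uid matches the file owner, so a process running as the `backup` user itself would be denied while other group members succeed, and this only works if the consumer runs as a different uid with supplementary group `backup` (as a `DynamicUser` service might) — worth confirming against the restic unit in backups.nix. If the intent is simply group-readable, `mode = "0440";` as used for the neighbouring `restic/storagebox-backups` entry is the conventional form. The section comment `# Porkbub/ACME` also misspells the provider; `# Porkbun/ACME` matches the secret paths below it. The enclosing attrset (presumably `sops.secrets`) starts above the hunk.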
@@ -356,11 +356,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763319842,
-        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "lastModified": 1762868777,
+        "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "rev": "c5c3147730384576196fb5da048a6e45dee10d56",
         "type": "github"
       },
       "original": {
diff --git a/modules/default.nix b/modules/default.nix
index 1bf5314..70f35b0 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,6 @@
 {
   imports = [
     ./crowdsec
-    ./serviceTests/stub.nix
+    ./serviceTests.nix
   ];
 }
diff --git a/modules/serviceTests/stub.nix b/modules/serviceTests.nix
similarity index 100%
rename from modules/serviceTests/stub.nix
rename to modules/serviceTests.nix
diff --git a/modules/serviceTests/mocks.nix b/modules/serviceTests/mocks.nix
deleted file mode 100644
index 6d7be84..0000000
--- a/modules/serviceTests/mocks.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
-  Module containing mock definitions for service test runners.
-*/
-{ lib, ... }:
-{
-  imports = [
-    ../.
-    ../../configuration/services/backups.nix
-  ];
-  # imports = [ flake-inputs.sops-nix.nixosModules.sops ];
-
-  sops.defaultSopsFile = ../../keys/staging.yaml;
-  environment.etc."staging.key" = {
-    mode = "0400";
-    source = ../../keys/hosts/staging.key;
-  };
-  services.openssh = {
-    enable = true;
-    hostKeys = lib.mkForce [
-      {
-        type = "rsa";
-        bits = 4096;
-        path = "/etc/staging.key";
-      }
-    ];
-  };
-}