diff --git a/configuration/nginx/default.nix b/configuration/nginx/default.nix index dab0259..2ef1527 100644 --- a/configuration/nginx/default.nix +++ b/configuration/nginx/default.nix @@ -1,4 +1,9 @@ -{ lib, ... }: +{ + flake-inputs, + pkgs, + lib, + ... +}: { imports = [ ./logging.nix @@ -10,13 +15,64 @@ description = "The base domain name to append to virtual domain names"; }; - config.services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - clientMaxBodySize = "10G"; - statusPage = true; # For metrics, should be accessible only from localhost + config = { + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + clientMaxBodySize = "10G"; + statusPage = true; # For metrics, should be accessible only from localhost + }; + + serviceTests = + let + testHostConfig = + { config, ... }: + { + _module.args = { inherit flake-inputs; }; + imports = [ + ./. + ../../modules/serviceTests/mocks.nix + flake-inputs.sops-nix.nixosModules.sops + ]; + + services.nginx = { + domain = "testHost"; + + virtualHosts."${config.services.nginx.domain}" = { + useACMEHost = "tlater.net"; + forceSSL = true; + enableHSTS = true; + locations."/".return = "200 ok"; + }; + }; + }; + in + { + hstsIsSet = pkgs.testers.runNixOSTest { + name = "assert-hsts"; + nodes = { + testHost = testHostConfig; + + client = + { pkgs, ... }: + { + environment.systemPackages = [ pkgs.curl ]; + }; + }; + + testScript = '' + start_all() + + testHost.wait_for_unit("nginx") + testHost.succeed("systemctl start network-online.target") + testHost.wait_for_unit("network-online.target") + + client.succeed("curl http://testHost") + ''; + }; + }; }; } diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix index 4cea508..7abc38e 100644 --- a/configuration/nginx/ssl.nix +++ b/configuration/nginx/ssl.nix @@ -64,5 +64,10 @@ in ''${pkgs.runtimeShell} -c '${confirm}' ''; }; + + sops.secrets = { + "porkbun/api-key".owner = "acme"; + "porkbun/secret-api-key".owner = "acme"; + }; }; } diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index 688f5f9..0ae8abf 100644 --- a/configuration/services/backups.nix +++ b/configuration/services/backups.nix @@ -265,5 +265,18 @@ in }; groups.backup = { }; }; + + sops.secrets = { + "restic/storagebox-backups" = { + owner = "root"; + group = "backup"; + mode = "0440"; + }; + "restic/storagebox-ssh-key" = { + owner = "backup"; + group = "backup"; + mode = "0040"; + }; + }; }; } diff --git a/configuration/sops.nix b/configuration/sops.nix index 0337438..a5b19f6 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -38,30 +38,12 @@ group = "nextcloud"; }; - # Porkbub/ACME - "porkbun/api-key" = { - owner = "acme"; - }; - "porkbun/secret-api-key" = { - owner = "acme"; - }; - # Restic "restic/local-backups" = { owner = "root"; group = "backup"; mode = "0440"; }; - "restic/storagebox-backups" = { - owner = "root"; - group = "backup"; - mode = "0440"; - }; - "restic/storagebox-ssh-key" = { - owner = "backup"; - group = "backup"; - mode = "0040"; - }; # Steam "steam/tlater" = { }; diff --git a/flake.lock b/flake.lock index 705d87c..ad4903f 100644 --- a/flake.lock +++ b/flake.lock @@ -136,11 +136,11 @@ "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1754978539, - "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=", + "lastModified": 1763413832, + "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=", "owner": "nix-community", "repo": "dream2nix", - "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214", + "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743", "type": "github" }, "original": { @@ -356,11 +356,11 @@ ] }, "locked": { - "lastModified": 1762868777, - "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=", + "lastModified": 1763319842, + "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c5c3147730384576196fb5da048a6e45dee10d56", + "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", "type": "github" }, "original": { diff --git a/modules/default.nix b/modules/default.nix index 70f35b0..1bf5314 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,6 @@ { imports = [ ./crowdsec - ./serviceTests.nix + ./serviceTests/stub.nix ]; } diff --git a/modules/serviceTests/mocks.nix b/modules/serviceTests/mocks.nix new file mode 100644 index 0000000..6d7be84 --- /dev/null +++ b/modules/serviceTests/mocks.nix @@ -0,0 +1,27 @@ +/** + Module containing mock definitions for service test runners. +*/ +{ lib, ... }: +{ + imports = [ + ../. + ../../configuration/services/backups.nix + ]; + # imports = [ flake-inputs.sops-nix.nixosModules.sops ]; + + sops.defaultSopsFile = ../../keys/staging.yaml; + environment.etc."staging.key" = { + mode = "0400"; + source = ../../keys/hosts/staging.key; + }; + services.openssh = { + enable = true; + hostKeys = lib.mkForce [ + { + type = "rsa"; + bits = 4096; + path = "/etc/staging.key"; + } + ]; + }; +} diff --git a/modules/serviceTests.nix b/modules/serviceTests/stub.nix similarity index 100% rename from modules/serviceTests.nix rename to modules/serviceTests/stub.nix