From 6d0b676ccebbae63d54cb6753b42b23ae2773093 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Thu, 23 Feb 2023 20:02:46 +0100
Subject: [PATCH] machine/serverle: enable nginx with separate network config
---
 machines/serverle/configuration.nix | 5 +----
 machines/serverle/network.nix | 11 +++++++++++
 machines/serverle/services.nix | 27 +++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 machines/serverle/network.nix
diff --git a/machines/serverle/configuration.nix b/machines/serverle/configuration.nix
index 591f48e..0b9ce68 100644
--- a/machines/serverle/configuration.nix
+++ b/machines/serverle/configuration.nix
@@ -4,6 +4,7 @@
 ./hardware-configuration.nix
 ./disks.nix
 ./dyndns.nix
+ ./network.nix
 ./services.nix
 ./syncthing.nix
 ./system.nix
@@ -21,10 +22,6 @@
 gnupg.sshKeyPaths = [ ];
 };
- networking.firewall.allowedTCPPorts = [
- 8080 # aria
- ];
-
 # Nix
 nix.gc = {
 automatic = true;
diff --git a/machines/serverle/network.nix b/machines/serverle/network.nix
new file mode 100644
index 0000000..fface95
--- /dev/null
+++ b/machines/serverle/network.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ 8080 # aria
+ ];
+
+ networking = {
+ domain = "stunkymonkey.de";
+ search = [ "stunkymonkey.de" ];
+ };
+}
diff --git a/machines/serverle/services.nix b/machines/serverle/services.nix
index 7f9950d..e4b06ae 100644
--- a/machines/serverle/services.nix
+++ b/machines/serverle/services.nix
@@ -4,8 +4,12 @@ let
 secrets = config.sops.secrets;
 in
 {
+ sops.secrets."acme/inwx" = { };
 sops.secrets."borgbackup/password" = { };
 sops.secrets."borgbackup/ssh_key" = { };
+ sops.secrets."sso/auth-key" = { };
+ sops.secrets."sso/felix/password-hash" = { };
+ sops.secrets."sso/felix/totp-secret" = { };
 # List services that you want to enable:
 my.services = {
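Review bot: Port 8080 for aria stays open to every interface in the new `network.nix`, in the same commit that puts nginx with SSO in front of the machine's services, so whatever listens on 8080 remains reachable directly, without the password and TOTP check. Whether aria is meant to be reached through an nginx vhost is not visible in this patch; if it is, drop the entry, or scope it to the trusted interface with `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ 8080 ];` (interface name is a placeholder). If direct exposure is intended, extend the comment to say so, e.g. `8080 # aria, served directly, not behind nginx/sso`. Minor style point: the file's argument set names `config`, `lib` and `pkgs` but uses none of them.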
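Review bot: The four new `sops.secrets` entries in services.nix are declared as `{ }`, so they get the sops-nix defaults (owner root, mode 0400), and nothing here shows that the units consuming the SSO auth key, password hash and TOTP secret can read them. That is decided in the `my.services.nginx` module, which is outside this patch. If the SSO daemon runs as its own user, set the owner per secret, for example `sops.secrets."sso/auth-key".owner = "<sso-service-user>";` (placeholder user), rather than widening the mode. A one-line comment above each group naming the service that reads it would make later least-privilege review easier. The `let … in` block this hunk sits in starts above the hunk.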
@@ -23,5 +27,28 @@ in
 jellyfin = {
 enable = true;
 };
+ # Dashboard
+ homer = {
+ enable = true;
+ };
+ # Webserver
+ nginx = {
+ enable = true;
+ acme = {
+ credentialsFile = secrets."acme/inwx".path;
+ };
+ sso = {
+ authKeyFile = secrets."sso/auth-key".path;
+ users = {
+ felix = {
+ passwordHashFile = secrets."sso/felix/password-hash".path;
+ totpSecretFile = secrets."sso/felix/totp-secret".path;
+ };
+ };
+ groups = {
+ root = [ "felix" ];
+ };
+ };
+ };
 };
 }
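Review bot: `homer` is switched on with only `enable = true;`, and nothing in this hunk shows that the dashboard, or `jellyfin` just above it, is placed behind the `sso` block configured under `nginx`. Whether a vhost requires SSO is presumably decided inside the `my.services` modules, which this patch does not show, so confirm that the default for a newly enabled service is "protected". A dashboard that lists internal service URLs should not be the one page left open. The SSO group name `root` also reads like the system account; a comment such as `# SSO group, not the unix user; grants access to <vhosts>` (placeholder) above `groups` would avoid that confusion. The enclosing `my.services = {` block opens above this hunk.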