From dcb3f903933f7fab27b38c54a67dc969d0bc4f92 Mon Sep 17 00:00:00 2001
From: Oliver Davies
Date: Thu, 26 Dec 2024 00:13:42 +0000
Subject: [PATCH] Add Cloudflare API keys to hetznix server with ...agenix
---
 flake.nix | 2 ++
 nix/hosts/hetznix/configuration.nix | 1 +
 nix/hosts/hetznix/modules/acme.nix | 6 ++++++
 nix/hosts/hetznix/secrets.nix | 5 +++++
 nix/secrets/cloudflare.age | 17 +++++++++++++++++
 nix/secrets/secrets.nix | 17 +++++++++++++++--
 6 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 nix/hosts/hetznix/secrets.nix
 create mode 100644 nix/secrets/cloudflare.age
diff --git a/flake.nix b/flake.nix
index c7a3f6d..36d90a2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -94,7 +94,9 @@
 };
 modules = [
+ agenix.nixosModules.default
 disko.nixosModules.disko
+ ./nix/hosts/hetznix/configuration.nix
 ];
 };
diff --git a/nix/hosts/hetznix/configuration.nix b/nix/hosts/hetznix/configuration.nix
index 08b5adc..f1a9e91 100644
--- a/nix/hosts/hetznix/configuration.nix
+++ b/nix/hosts/hetznix/configuration.nix
@@ -12,6 +12,7 @@
 ./disks.nix
 ./hardware-configuration.nix
+ ./secrets.nix
 ./modules/acme.nix
 ./modules/nginx
diff --git a/nix/hosts/hetznix/modules/acme.nix b/nix/hosts/hetznix/modules/acme.nix
index 742e26a..c96c68b 100644
--- a/nix/hosts/hetznix/modules/acme.nix
+++ b/nix/hosts/hetznix/modules/acme.nix
@@ -1,10 +1,16 @@
+{ config, ... }:
+
 {
 security.acme = {
 acceptTerms = true;
 defaults.email = "oliver@oliverdavies.uk";
+ defaults.environmentFile = config.age.secrets.cloudflare.path;
 certs."oliverdavies.uk" = {
 domain = "oliverdavies.uk";
+ dnsProvider = "cloudflare";
+ webroot = null;
+
 extraDomainNames = [
 # TODO Refactor to use a wildcard certificate.
 "2020.oliverdavies.uk"
diff --git a/nix/hosts/hetznix/secrets.nix b/nix/hosts/hetznix/secrets.nix
new file mode 100644
index 0000000..e203222
--- /dev/null
+++ b/nix/hosts/hetznix/secrets.nix
@@ -0,0 +1,5 @@
+{
+ age.secrets = {
+ cloudflare.file = ../../secrets/cloudflare.age;
+ };
+}
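Review bot: `defaults.environmentFile = config.age.secrets.cloudflare.path;` hands the whole decrypted file to lego as its environment, so the privilege of this setup is decided by what that file holds, which the encrypted blob cannot show; for DNS-01 it should be a Cloudflare API token limited to Zone:DNS:Edit on `oliverdavies.uk`, supplied as `CF_DNS_API_TOKEN=…`, rather than the account-wide `CF_API_EMAIL`/`CF_API_KEY` pair the commit title ("API keys") hints at. With `dnsProvider = "cloudflare"` now set, the `# TODO Refactor to use a wildcard certificate.` comment just below becomes achievable, since DNS-01 is the only challenge that issues wildcards. `environmentFile` is the older spelling of this option; recent NixOS names it `defaults.credentialsFile` and, as far as I recall, keeps `environmentFile` only as a renamed alias, so check which one the pinned nixpkgs accepts. The `certs."oliverdavies.uk"` attribute set continues past the end of the hunk.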
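Review bot: `cloudflare.file = ../../secrets/cloudflare.age;` accepts agenix's defaults for the decrypted file (root ownership, mode 0400) while the acme units run as the `acme` user; as far as I recall systemd loads `EnvironmentFile=` before dropping to `User=`, so the root-only default should work, but confirm it on the first deploy, and if the variables are missing prefer `age.secrets.cloudflare.owner = "acme";` over a wider mode. A one-line comment naming the consumer would also help the next reader, e.g. `# Cloudflare DNS credentials consumed by security.acme (modules/acme.nix)`.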
diff --git a/nix/secrets/cloudflare.age b/nix/secrets/cloudflare.age new file mode 100644 index 0000000..2bdf0a4 --- /dev/null +++ b/nix/secrets/cloudflare.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 nmofLg ulxze6jNUmIB72CLo23yqmx7he8mPqTcLR0oHJaHr0k +qhi20IiROe9RNO949XNR6iqAf6KvXqfXl7u7WiqIaH8 +-> ssh-rsa +vTWQw +VtDyb9urRPA7Hh+2Kb+cw8Dlo5lPCExHwH9Iw/XMbYGn/jvATdS/T4tMsLIwgctA +xCBHMtMeXuCEX9bybrr9r+Azf/5zQqs/I1QN5USnyRtjmaWDonDtGlGIPXfZBlCU +slUi1yWk1Jm8sadwQqrw1YLvGpszn1iPpnLhmdBvEoC3LSYI4Wib4kYU6QhirJfe +flW8GMkZtr96ozmyJswXRFr6Zf7XUUd3TTeCPahkzoE4Un8NFDmviBEjeqvMYE1h +5KoLQwdVo8P8IPnDmTAd5Rpb/bbEQ3OWt5xNd2ZYtL5lGEJ9gg9S+pgTR+WOL1UZ +UOuBE2u71df5tjTg4OEa05TWB93he0wURjT+mmJARebNWqlGtpsEVhLF6rYAfrMB +9ywUqbCV3WRS8a3EpI5wSPmAQZLeWE/L0+gH17qatM+dzf2jkIRZZCWiIVFDFDyA ++s2cMk5Gya44I5RM9CjjHr3Zpq2poixNYsg1opaVByrgsPZrxetGXaKSzt+VRTXV +H/jx9/zqSruY1An0RnFo4DnKQ5vA3YgJK3NbiSMjayUtN9sAWZ7dDONkOdTBTDSX +wM1D4bY688ajHSHvsteeVIDBpDVpUl6pn5GUqcV1cRCV8dHXBxzYiNWjVVAxLXwk +Y4le2oI1w6Ak9nNLY1N2311X3EFZqxTyJIPBvv3yZnw +--- cc2VwKFT2Dqo/TYLZ/vPcWAkHoi/h6P1XrDmN2ymyXU + Oxzx`2얍׊]W,c p+f q DhٖkXM"pdXwB9zs,pJ,ڵ6}xAVq-2{<< \ No newline at end of file diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix index 31ab779..b6216aa 100644 --- a/nix/secrets/secrets.nix +++ b/nix/secrets/secrets.nix 
@@ -1,6 +1,19 @@
 let
- lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+ hosts = {
+ hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk8n03VeShc0q4ztcaNrmScwM7u0j6fFVtmupy2RlM2";
+ lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+ t490 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage";
+ };
+
+ users = {
+ opdavies = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDkkbYaCD9NUIQT0NnsmlyfepwjxBYeiJSBCotOpdPTyc5inFAd29DiVw98j4skfaHdzjcqWmMFmDQWM6tGkK7eg8n0WuaABmsjdEbzTtfjHwM0tRDCIh5AtoT4IvoLhwLjEI2jKM05BGCQ2m5lS//AYJK1DjiV4UH+IjXHz6oy/3eFzQwANjxWS+mbR565p21yuAu1DKEyaGeVzT1xDhgzlnZG7Cys/rFgUYpIvYDHMOFxG6hsDB8vqyHiTXniniti5tdvGGYHgRGQcynRTU12aerrqHTIOefrElXJdf3/PA8FIY/Pd3MmZocY/vvQe0EVHXWrNtnHOF3MFQ1tFyfubKO51Dcp9KmzHnyBvO4CtvGVr/upSVWfo0I/EqkIqvCvBbdSIPeH9V5hAcyWENGF4Wf0/Yqtc0dBhfXJmPVBsC2ghZp9oERK+h5Xs7DpzkT0vtkN+wjgA5weIuG8e2UVNO29LWASzlychVqb7BVa6kNn5CyGwauyIGsYvAFnUjkyJpK8qleNM3VO5x9aw26IhSKlnSE9PAdX8p7PpdoWfxWRekKTc4h6iAe7pFOENvuokAvCNsE5LolR4VrYKXjA0m3nupDNWYexAWfR3lSeSlKd9nD3OENS0biJKayZHs11iDUTxm5u5gm/U60b4z0zDXjh1H/DI/pSCG6jjaXDpw==";
+ };
 in
 {
- "tubearchivist.age".publicKeys = [ lemp11 ];
+ "cloudflare.age".publicKeys = [
+ hosts.hetznix
+ users.opdavies
+ ];
+
+ "tubearchivist.age".publicKeys = [ hosts.lemp11 ];
 }
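Review bot: `"tubearchivist.age".publicKeys = [ hosts.lemp11 ];` still lists only the host key, so unlike the new `cloudflare.age` entry it cannot be edited or rekeyed from the workstation without lemp11's private host key, and it is lost if that host is rebuilt; adding `users.opdavies` there as well would make the two entries consistent and keep the secret recoverable. `hosts.t490` is declared but no secret names it as a recipient — presumably reserved for later, in which case a short comment saying so would save the next reader a search. Since every recipient's public key is committed here, rotating any of these SSH keys means re-running `agenix -r` while an old recipient identity is still available, which is worth stating in a header comment on the file.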