diff --git a/flake.nix b/flake.nix
index c7a3f6d2..36d90a2a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -94,7 +94,9 @@
};
modules = [
+ agenix.nixosModules.default
disko.nixosModules.disko
+
./nix/hosts/hetznix/configuration.nix
];
};
diff --git a/nix/hosts/hetznix/configuration.nix b/nix/hosts/hetznix/configuration.nix
index 08b5adc7..f1a9e91e 100644
--- a/nix/hosts/hetznix/configuration.nix
+++ b/nix/hosts/hetznix/configuration.nix
@@ -12,6 +12,7 @@
./disks.nix
./hardware-configuration.nix
+ ./secrets.nix
./modules/acme.nix
./modules/nginx
diff --git a/nix/hosts/hetznix/modules/acme.nix b/nix/hosts/hetznix/modules/acme.nix
index 742e26a1..c96c68b4 100644
--- a/nix/hosts/hetznix/modules/acme.nix
+++ b/nix/hosts/hetznix/modules/acme.nix
@@ -1,10 +1,16 @@
+{ config, ... }:
+
{
security.acme = {
acceptTerms = true;
defaults.email = "oliver@oliverdavies.uk";
+ defaults.environmentFile = config.age.secrets.cloudflare.path;
certs."oliverdavies.uk" = {
domain = "oliverdavies.uk";
+ dnsProvider = "cloudflare";
+ webroot = null;
+
extraDomainNames = [
# TODO Refactor to use a wildcard certificate.
"2020.oliverdavies.uk"
diff --git a/nix/hosts/hetznix/secrets.nix b/nix/hosts/hetznix/secrets.nix
new file mode 100644
index 00000000..e2032222
--- /dev/null
+++ b/nix/hosts/hetznix/secrets.nix
@@ -0,0 +1,5 @@
+{
+ age.secrets = {
+ cloudflare.file = ../../secrets/cloudflare.age;
+ };
+}
diff --git a/nix/secrets/cloudflare.age b/nix/secrets/cloudflare.age
new file mode 100644
index 00000000..2bdf0a4a
--- /dev/null
+++ b/nix/secrets/cloudflare.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 nmofLg ulxze6jNUmIB72CLo23yqmx7he8mPqTcLR0oHJaHr0k
+qhi20IiROe9RNO949XNR6iqAf6KvXqfXl7u7WiqIaH8
+-> ssh-rsa +vTWQw
+VtDyb9urRPA7Hh+2Kb+cw8Dlo5lPCExHwH9Iw/XMbYGn/jvATdS/T4tMsLIwgctA
+xCBHMtMeXuCEX9bybrr9r+Azf/5zQqs/I1QN5USnyRtjmaWDonDtGlGIPXfZBlCU
+slUi1yWk1Jm8sadwQqrw1YLvGpszn1iPpnLhmdBvEoC3LSYI4Wib4kYU6QhirJfe
+flW8GMkZtr96ozmyJswXRFr6Zf7XUUd3TTeCPahkzoE4Un8NFDmviBEjeqvMYE1h
+5KoLQwdVo8P8IPnDmTAd5Rpb/bbEQ3OWt5xNd2ZYtL5lGEJ9gg9S+pgTR+WOL1UZ
+UOuBE2u71df5tjTg4OEa05TWB93he0wURjT+mmJARebNWqlGtpsEVhLF6rYAfrMB
+9ywUqbCV3WRS8a3EpI5wSPmAQZLeWE/L0+gH17qatM+dzf2jkIRZZCWiIVFDFDyA
++s2cMk5Gya44I5RM9CjjHr3Zpq2poixNYsg1opaVByrgsPZrxetGXaKSzt+VRTXV
+H/jx9/zqSruY1An0RnFo4DnKQ5vA3YgJK3NbiSMjayUtN9sAWZ7dDONkOdTBTDSX
+wM1D4bY688ajHSHvsteeVIDBpDVpUl6pn5GUqcV1cRCV8dHXBxzYiNWjVVAxLXwk
+Y4le2oI1w6Ak9nNLY1N2311X3EFZqxTyJIPBvv3yZnw
+--- cc2VwKFT2Dqo/TYLZ/vPcWAkHoi/h6P1XrDmN2ymyXU
+ ��������O��x���z�x�`��2���얍���]W,�c� p+�f��q����D�hٖ�k���XM���"���p��dX����w�B9���zs�,pJ�,�����ڵ6�}x����A��V��q�-�2{�<���<
\ No newline at end of file
diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix
index 31ab7798..b6216aa9 100644
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@@ -1,6 +1,19 @@
let
- lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+ hosts = {
+ hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk8n03VeShc0q4ztcaNrmScwM7u0j6fFVtmupy2RlM2";
+ lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+ t490 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage";
+ };
+
+ users = {
+ opdavies = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDkkbYaCD9NUIQT0NnsmlyfepwjxBYeiJSBCotOpdPTyc5inFAd29DiVw98j4skfaHdzjcqWmMFmDQWM6tGkK7eg8n0WuaABmsjdEbzTtfjHwM0tRDCIh5AtoT4IvoLhwLjEI2jKM05BGCQ2m5lS//AYJK1DjiV4UH+IjXHz6oy/3eFzQwANjxWS+mbR565p21yuAu1DKEyaGeVzT1xDhgzlnZG7Cys/rFgUYpIvYDHMOFxG6hsDB8vqyHiTXniniti5tdvGGYHgRGQcynRTU12aerrqHTIOefrElXJdf3/PA8FIY/Pd3MmZocY/vvQe0EVHXWrNtnHOF3MFQ1tFyfubKO51Dcp9KmzHnyBvO4CtvGVr/upSVWfo0I/EqkIqvCvBbdSIPeH9V5hAcyWENGF4Wf0/Yqtc0dBhfXJmPVBsC2ghZp9oERK+h5Xs7DpzkT0vtkN+wjgA5weIuG8e2UVNO29LWASzlychVqb7BVa6kNn5CyGwauyIGsYvAFnUjkyJpK8qleNM3VO5x9aw26IhSKlnSE9PAdX8p7PpdoWfxWRekKTc4h6iAe7pFOENvuokAvCNsE5LolR4VrYKXjA0m3nupDNWYexAWfR3lSeSlKd9nD3OENS0biJKayZHs11iDUTxm5u5gm/U60b4z0zDXjh1H/DI/pSCG6jjaXDpw==";
+ };
in
{
- "tubearchivist.age".publicKeys = [ lemp11 ];
+ "cloudflare.age".publicKeys = [
+ hosts.hetznix
+ users.opdavies
+ ];
+
+ "tubearchivist.age".publicKeys = [ hosts.lemp11 ];
}