www: proxy some domains via cloudflare

modules/www/certs/blog.hillion.co.uk.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAsCgAwIBAgIUMOkPfgLpbA08ovrPt+deXQPpA9kwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ0MDBaFw0zOTA0MTAyMTQ0MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABNweW8IgrXj7Q64RxyK8s9XpbxJ8TbYVv7NALbWUahlT
+QPlGX/5XoM3Z5AtISBi1irLEy5o6mx7ebNK4NmwzNlCjggEkMIIBIDAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFMy3oz9l3bwpjgtx6IqL9IH90PXcMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAdBgNV
+HREEFjAUghJibG9nLmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAxoC+gLYYraHR0
+cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNybDAKBggqhkjO
+PQQDAgNHADBEAiAgVRgo5V09uyMbz1Mevmxe6d2K5xvZuBElVYja/Rf99AIgZkm1
+wHEq9wqVYP0oWTiEYQZ6dzKoSwxviOEZI+ttQRA=
+-----END CERTIFICATE-----

modules/www/certs/gitea.hillion.co.uk.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAsGgAwIBAgIUMHdmb+Ef9YvVmCtliDhg1gDGt8cwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ1MDBaFw0zOTA0MTAyMTQ1MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABGn2vImTE+gpWx/0ELXue7cL0eGb+I2c9VbUYcy3TBJi
+G7S+wl79MBM5+5G0wKhTpBgVpXu1/NHunfM97LGZb5ejggElMIIBITAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFI6dxFPItIKnNN7/xczMOtlTytuvMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
+HREEFzAVghNnaXRlYS5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
+dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
+zj0EAwIDSQAwRgIhAKfRSEKCGNY5x4zUNzOy6vfxgDYPfkP6iW5Ha4gNmE+QAiEA
+nTsGKr2EoqEdPtnB+wVrYMblWF7/or3JpRYGs6zD2FU=
+-----END CERTIFICATE-----

modules/www/certs/hillion.co.uk.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCArugAwIBAgIUedwIJx096VH/KGDgpAKK/Q8jGWUwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTIzMDBaFw0zOTA0MTAyMTIzMDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABIdc0hnQQP7tLADaCGXxZ+1BGbZ8aow/TtHl+aXDbN3t
+2vVV2iLmsMbiPcJZ5e9Q2M27L8fZ0uPJP19dDvvN97SjggEfMIIBGzAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFJilRKL8wXskL/LmgH8BnIvLIpkEMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAYBgNV
+HREEETAPgg1oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
+cmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZIzj0EAwID
+RwAwRAIgbexSqkt3pzCpnpqYXwC5Gmt+nG5OEqETQ6690kpIS74CIFQI3zXlx8zk
+GB0BlaZdrraAQP7AuI8CcMd5vbQdnldY
+-----END CERTIFICATE-----

modules/www/certs/homeassistant.hillion.co.uk.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAsmgAwIBAgIUaSXrL4UHFHxDvvnW1720aZkkBCkwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTUzMDBaFw0zOTA0MTAyMTUzMDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABOz/ljJJjKawHtILlD09YMwmAdhzxTfPPi61qw7R670T
+Oe4/KA4zClCKfzqnVEZ4YonfgK8U6VqhLPI4crxUQk+jggEtMIIBKTAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFO7S2TbvL1kel0QH+sYfjD6v2L7oMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAmBgNV
+HREEHzAdghtob21lYXNzaXN0YW50LmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAx
+oC+gLYYraHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNy
+bDAKBggqhkjOPQQDAgNJADBGAiEAgaiFVCBLVYKjTJV67qKOg1R1GBVszNF+9PCi
+ZejJcjwCIQDtl9S3zCl/h8/7uYfk8dHg0Y6kwd5GVuu6HE67GWJ2Yg==
+-----END CERTIFICATE-----

modules/www/certs/links.hillion.co.uk.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAsGgAwIBAgIUFUDTvq6L7SR3qKxaNh77g3XkJk8wCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ2MDBaFw0zOTA0MTAyMTQ2MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABGpSYrOqMuzCfE6qdpXqFze8RxWDcDSUFRYmotnp4cyK
+i6ISovoK7YDKarrHRIvIrsNBaqk+0hjZpOhN/XpU16SjggElMIIBITAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFLoqUdEVGspJs/SGcV7pf2bCzqTrMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
+HREEFzAVghNsaW5rcy5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
+dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
+zj0EAwIDSAAwRQIhANh3Ds0ZSZp3rEZ46z4sBp+WNQejnDhTCXt2OIRiCrecAiAB
+oe21Oz1Pmqv0htFxNf1YbkgJMCoGfENlViuR0cUAJg==
+-----END CERTIFICATE-----

modules/www/global.nix

@@ -10,6 +10,25 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets =
+      let
+        mkSecret = domain: {
+          name = "caddy/${domain}.pem";
+          value = {
+            file = ../../secrets/certs/${domain}.pem.age;
+            owner = config.services.caddy.user;
+            group = config.services.caddy.group;
+          };
+        };
+      in
+      builtins.listToAttrs (builtins.map mkSecret [
+        "hillion.co.uk"
+        "blog.hillion.co.uk"
+        "gitea.hillion.co.uk"
+        "homeassistant.hillion.co.uk"
+        "links.hillion.co.uk"
+      ]);
+
     custom.www.www-repo.enable = true;
 
     services.caddy = {
@@ -17,6 +36,7 @@ in
 
       virtualHosts = {
         "hillion.co.uk".extraConfig = ''
+          tls ${./certs/hillion.co.uk.pem} ${config.age.secrets."caddy/hillion.co.uk.pem".path}
           handle /.well-known/* {
             header /.well-known/matrix/* Content-Type application/json
             header /.well-known/matrix/* Access-Control-Allow-Origin *
@@ -32,13 +52,16 @@ in
           }
         '';
         "blog.hillion.co.uk".extraConfig = ''
+          tls ${./certs/blog.hillion.co.uk.pem} ${config.age.secrets."caddy/blog.hillion.co.uk.pem".path}
           root * /var/www/blog.hillion.co.uk
           file_server
         '';
         "homeassistant.hillion.co.uk".extraConfig = ''
+          tls ${./certs/homeassistant.hillion.co.uk.pem} ${config.age.secrets."caddy/homeassistant.hillion.co.uk.pem".path}
           reverse_proxy http://${locations.services.homeassistant}:8123
         '';
         "gitea.hillion.co.uk".extraConfig = ''
+          tls ${./certs/gitea.hillion.co.uk.pem} ${config.age.secrets."caddy/gitea.hillion.co.uk.pem".path}
           reverse_proxy http://${locations.services.gitea}:3000
         '';
         "matrix.hillion.co.uk".extraConfig = ''
@@ -46,6 +69,7 @@ in
           reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
         '';
         "links.hillion.co.uk".extraConfig = ''
+          tls ${./certs/links.hillion.co.uk.pem} ${config.age.secrets."caddy/links.hillion.co.uk.pem".path}
           redir https://matrix.to/#/@jake:hillion.co.uk
         '';
       };

secrets/certs/blog.hillion.co.uk.pem.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+BhcjC4aVJ6dwicbtct4aTmN8knBwmRSv7dQZqN2wRQEoPzghmfSFO2wHodChWv3v
+8Y6UtpZh7zUyfJPvI8Ss2MkLHHwdq0tnehTL8IfXBOWLDwod7499cviJarh0F2Ha
+tgvXrXtkm9ayVc9aWc/DBnktWvJIqthlv+R171dyXQjY+VD8Tk8E04U/4tVLM+PF
++IEmBz3XhHARsmI7vBl8BvdgyODDxKRGSYxjt/V0ezry8lJKj1k8RJNkkZgj3TNP
+0h3T07lyD/XOVcgFoaZD3zDco9I8sKATCPzNckdNFY061u6PiOKkzdQKiekkVWJT
+8u6VnEYB3leJiol0NKTuBw
+-> ssh-rsa K9mW1w
+a3zdyBgFSu7BN2Hs8haZVHtjXoPzqo5YcxbFDaEsb16cBEzhOZLtEoxcYve0FWp/
+xKhDusj3ePo7L4KtkvoJS/rbo5Gg1GnLT1a/99myzps+3SGOye5U8cZmZ/NanXDr
+B4GTCcJB0H+Vkbbi80+ozL55U0goeN4LV+9vnGXgSHZftrG1D0ZcEZbTnR5rHQZz
+v7ACZP6UppBahKou3yS+GZfeAERlSmFqHwg8mLuiO0dVjT+aZGer3zQ6BfgLPdC7
+Z1CvWvToKvD9CaNYXEkkv7edzK2SjBpIubfzrZEXBIc29mO+v1hgPVLa0UXxJYUm
+EJJwot+h5LbLL/88gsmpxw
+-> ssh-ed25519 Qo6/7A sf8CS5cIQDZvP9MKAeVvM5fs+v5LFa8piHZy7wYkSlQ
+M20vk0GZVRtfAWqMvMfAmY6CzTNBWIPJVjGfGuvkxP8
+--- JCHao8ft02He5sH6okZRwhOdr4C7khjNSA3ofQlmH4o
+“ H˛]ÓENÍeĚzíD¤RçśÔŞ–<0OAźř<C5BA>ýŔŰG0<PA=[ďfČű{|	»]Ŕnđ™ZŽĺŔHd€‚<E282AC>2 <CčĄöĘpŰćń’ó¶W_Ąăš{ˇŁŹL.čÎĹŹ0ßśŹ.nk«í°Ŕă›YCDøDńKIkV^XśF]"č—ů^şÂ•$]śÍ©`ŤŤLH˙ńTvň¦,H3pzí'jNÝć$ŇoNjĹjGpĄŇśŘ;kś¤<>ťš|É0^„Ľ=Ú”hďr-bňß'ŢÚ´ľWqC¨™Î<E284A2>µŕf%\;śFô¦«Üł~7sĘäł«N<C2AB>
+wŕú@A|ďÇŽ3ü÷$ű4×Cg)!ř

secrets/secrets.nix

@@ -108,4 +108,11 @@ in
 
   # HomeAssistant Secrets
   "homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
+
+  # Web certificates
+  "certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/blog.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
 }