From 016d0e61b596b4fb60404b0830c295eb41286677 Mon Sep 17 00:00:00 2001
From: Jake Hillion <jake@hillion.co.uk>
Date: Sat, 13 Apr 2024 22:43:03 +0100
Subject: [PATCH] www: proxy some domains via cloudflare

---
 modules/www/certs/blog.hillion.co.uk.pem      |  19 ++++++++++++++
 modules/www/certs/gitea.hillion.co.uk.pem     |  19 ++++++++++++++
 modules/www/certs/hillion.co.uk.pem           |  19 ++++++++++++++
 .../www/certs/homeassistant.hillion.co.uk.pem |  19 ++++++++++++++
 modules/www/certs/links.hillion.co.uk.pem     |  19 ++++++++++++++
 modules/www/global.nix                        |  24 ++++++++++++++++++
 secrets/certs/blog.hillion.co.uk.pem.age      |  20 +++++++++++++++
 secrets/certs/gitea.hillion.co.uk.pem.age     | Bin 0 -> 1186 bytes
 secrets/certs/hillion.co.uk.pem.age           | Bin 0 -> 1186 bytes
 .../certs/homeassistant.hillion.co.uk.pem.age | Bin 0 -> 1186 bytes
 secrets/certs/links.hillion.co.uk.pem.age     | Bin 0 -> 1186 bytes
 secrets/secrets.nix                           |   7 +++++
 12 files changed, 146 insertions(+)
 create mode 100644 modules/www/certs/blog.hillion.co.uk.pem
 create mode 100644 modules/www/certs/gitea.hillion.co.uk.pem
 create mode 100644 modules/www/certs/hillion.co.uk.pem
 create mode 100644 modules/www/certs/homeassistant.hillion.co.uk.pem
 create mode 100644 modules/www/certs/links.hillion.co.uk.pem
 create mode 100644 secrets/certs/blog.hillion.co.uk.pem.age
 create mode 100644 secrets/certs/gitea.hillion.co.uk.pem.age
 create mode 100644 secrets/certs/hillion.co.uk.pem.age
 create mode 100644 secrets/certs/homeassistant.hillion.co.uk.pem.age
 create mode 100644 secrets/certs/links.hillion.co.uk.pem.age

diff --git a/modules/www/certs/blog.hillion.co.uk.pem b/modules/www/certs/blog.hillion.co.uk.pem
new file mode 100644
index 0000000..a4c092a
--- /dev/null
+++ b/modules/www/certs/blog.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAsCgAwIBAgIUMOkPfgLpbA08ovrPt+deXQPpA9kwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ0MDBaFw0zOTA0MTAyMTQ0MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABNweW8IgrXj7Q64RxyK8s9XpbxJ8TbYVv7NALbWUahlT
+QPlGX/5XoM3Z5AtISBi1irLEy5o6mx7ebNK4NmwzNlCjggEkMIIBIDAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFMy3oz9l3bwpjgtx6IqL9IH90PXcMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAdBgNV
+HREEFjAUghJibG9nLmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAxoC+gLYYraHR0
+cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNybDAKBggqhkjO
+PQQDAgNHADBEAiAgVRgo5V09uyMbz1Mevmxe6d2K5xvZuBElVYja/Rf99AIgZkm1
+wHEq9wqVYP0oWTiEYQZ6dzKoSwxviOEZI+ttQRA=
+-----END CERTIFICATE-----
diff --git a/modules/www/certs/gitea.hillion.co.uk.pem b/modules/www/certs/gitea.hillion.co.uk.pem
new file mode 100644
index 0000000..07fba8d
--- /dev/null
+++ b/modules/www/certs/gitea.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAsGgAwIBAgIUMHdmb+Ef9YvVmCtliDhg1gDGt8cwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ1MDBaFw0zOTA0MTAyMTQ1MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABGn2vImTE+gpWx/0ELXue7cL0eGb+I2c9VbUYcy3TBJi
+G7S+wl79MBM5+5G0wKhTpBgVpXu1/NHunfM97LGZb5ejggElMIIBITAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFI6dxFPItIKnNN7/xczMOtlTytuvMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
+HREEFzAVghNnaXRlYS5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
+dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
+zj0EAwIDSQAwRgIhAKfRSEKCGNY5x4zUNzOy6vfxgDYPfkP6iW5Ha4gNmE+QAiEA
+nTsGKr2EoqEdPtnB+wVrYMblWF7/or3JpRYGs6zD2FU=
+-----END CERTIFICATE-----
diff --git a/modules/www/certs/hillion.co.uk.pem b/modules/www/certs/hillion.co.uk.pem
new file mode 100644
index 0000000..f155288
--- /dev/null
+++ b/modules/www/certs/hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCArugAwIBAgIUedwIJx096VH/KGDgpAKK/Q8jGWUwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTIzMDBaFw0zOTA0MTAyMTIzMDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABIdc0hnQQP7tLADaCGXxZ+1BGbZ8aow/TtHl+aXDbN3t
+2vVV2iLmsMbiPcJZ5e9Q2M27L8fZ0uPJP19dDvvN97SjggEfMIIBGzAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFJilRKL8wXskL/LmgH8BnIvLIpkEMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAYBgNV
+HREEETAPgg1oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
+cmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZIzj0EAwID
+RwAwRAIgbexSqkt3pzCpnpqYXwC5Gmt+nG5OEqETQ6690kpIS74CIFQI3zXlx8zk
+GB0BlaZdrraAQP7AuI8CcMd5vbQdnldY
+-----END CERTIFICATE-----
diff --git a/modules/www/certs/homeassistant.hillion.co.uk.pem b/modules/www/certs/homeassistant.hillion.co.uk.pem
new file mode 100644
index 0000000..c98850d
--- /dev/null
+++ b/modules/www/certs/homeassistant.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAsmgAwIBAgIUaSXrL4UHFHxDvvnW1720aZkkBCkwCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTUzMDBaFw0zOTA0MTAyMTUzMDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABOz/ljJJjKawHtILlD09YMwmAdhzxTfPPi61qw7R670T
+Oe4/KA4zClCKfzqnVEZ4YonfgK8U6VqhLPI4crxUQk+jggEtMIIBKTAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFO7S2TbvL1kel0QH+sYfjD6v2L7oMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAmBgNV
+HREEHzAdghtob21lYXNzaXN0YW50LmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAx
+oC+gLYYraHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNy
+bDAKBggqhkjOPQQDAgNJADBGAiEAgaiFVCBLVYKjTJV67qKOg1R1GBVszNF+9PCi
+ZejJcjwCIQDtl9S3zCl/h8/7uYfk8dHg0Y6kwd5GVuu6HE67GWJ2Yg==
+-----END CERTIFICATE-----
diff --git a/modules/www/certs/links.hillion.co.uk.pem b/modules/www/certs/links.hillion.co.uk.pem
new file mode 100644
index 0000000..9ae487c
--- /dev/null
+++ b/modules/www/certs/links.hillion.co.uk.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAsGgAwIBAgIUFUDTvq6L7SR3qKxaNh77g3XkJk8wCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0yNDA0MTMyMTQ2MDBaFw0zOTA0MTAyMTQ2MDBaMGIxGTAXBgNVBAoTEENs
+b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
+JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABGpSYrOqMuzCfE6qdpXqFze8RxWDcDSUFRYmotnp4cyK
+i6ISovoK7YDKarrHRIvIrsNBaqk+0hjZpOhN/XpU16SjggElMIIBITAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFLoqUdEVGspJs/SGcV7pf2bCzqTrMB8GA1UdIwQYMBaA
+FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
+AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
+HREEFzAVghNsaW5rcy5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
+dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
+zj0EAwIDSAAwRQIhANh3Ds0ZSZp3rEZ46z4sBp+WNQejnDhTCXt2OIRiCrecAiAB
+oe21Oz1Pmqv0htFxNf1YbkgJMCoGfENlViuR0cUAJg==
+-----END CERTIFICATE-----
diff --git a/modules/www/global.nix b/modules/www/global.nix
index 2e7c082..a3aee28 100644
--- a/modules/www/global.nix
+++ b/modules/www/global.nix
@@ -10,6 +10,25 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets =
+      let
+        mkSecret = domain: {
+          name = "caddy/${domain}.pem";
+          value = {
+            file = ../../secrets/certs/${domain}.pem.age;
+            owner = config.services.caddy.user;
+            group = config.services.caddy.group;
+          };
+        };
+      in
+      builtins.listToAttrs (builtins.map mkSecret [
+        "hillion.co.uk"
+        "blog.hillion.co.uk"
+        "gitea.hillion.co.uk"
+        "homeassistant.hillion.co.uk"
+        "links.hillion.co.uk"
+      ]);
+
     custom.www.www-repo.enable = true;
 
     services.caddy = {
@@ -17,6 +36,7 @@ in
 
       virtualHosts = {
         "hillion.co.uk".extraConfig = ''
+          tls ${./certs/hillion.co.uk.pem} ${config.age.secrets."caddy/hillion.co.uk.pem".path}
           handle /.well-known/* {
             header /.well-known/matrix/* Content-Type application/json
             header /.well-known/matrix/* Access-Control-Allow-Origin *
@@ -32,13 +52,16 @@ in
           }
         '';
         "blog.hillion.co.uk".extraConfig = ''
+          tls ${./certs/blog.hillion.co.uk.pem} ${config.age.secrets."caddy/blog.hillion.co.uk.pem".path}
           root * /var/www/blog.hillion.co.uk
           file_server
         '';
         "homeassistant.hillion.co.uk".extraConfig = ''
+          tls ${./certs/homeassistant.hillion.co.uk.pem} ${config.age.secrets."caddy/homeassistant.hillion.co.uk.pem".path}
           reverse_proxy http://${locations.services.homeassistant}:8123
         '';
         "gitea.hillion.co.uk".extraConfig = ''
+          tls ${./certs/gitea.hillion.co.uk.pem} ${config.age.secrets."caddy/gitea.hillion.co.uk.pem".path}
           reverse_proxy http://${locations.services.gitea}:3000
         '';
         "matrix.hillion.co.uk".extraConfig = ''
@@ -46,6 +69,7 @@ in
           reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
         '';
         "links.hillion.co.uk".extraConfig = ''
+          tls ${./certs/links.hillion.co.uk.pem} ${config.age.secrets."caddy/links.hillion.co.uk.pem".path}
           redir https://matrix.to/#/@jake:hillion.co.uk
         '';
       };
diff --git a/secrets/certs/blog.hillion.co.uk.pem.age b/secrets/certs/blog.hillion.co.uk.pem.age
new file mode 100644
index 0000000..054a638
--- /dev/null
+++ b/secrets/certs/blog.hillion.co.uk.pem.age
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+BhcjC4aVJ6dwicbtct4aTmN8knBwmRSv7dQZqN2wRQEoPzghmfSFO2wHodChWv3v
+8Y6UtpZh7zUyfJPvI8Ss2MkLHHwdq0tnehTL8IfXBOWLDwod7499cviJarh0F2Ha
+tgvXrXtkm9ayVc9aWc/DBnktWvJIqthlv+R171dyXQjY+VD8Tk8E04U/4tVLM+PF
++IEmBz3XhHARsmI7vBl8BvdgyODDxKRGSYxjt/V0ezry8lJKj1k8RJNkkZgj3TNP
+0h3T07lyD/XOVcgFoaZD3zDco9I8sKATCPzNckdNFY061u6PiOKkzdQKiekkVWJT
+8u6VnEYB3leJiol0NKTuBw
+-> ssh-rsa K9mW1w
+a3zdyBgFSu7BN2Hs8haZVHtjXoPzqo5YcxbFDaEsb16cBEzhOZLtEoxcYve0FWp/
+xKhDusj3ePo7L4KtkvoJS/rbo5Gg1GnLT1a/99myzps+3SGOye5U8cZmZ/NanXDr
+B4GTCcJB0H+Vkbbi80+ozL55U0goeN4LV+9vnGXgSHZftrG1D0ZcEZbTnR5rHQZz
+v7ACZP6UppBahKou3yS+GZfeAERlSmFqHwg8mLuiO0dVjT+aZGer3zQ6BfgLPdC7
+Z1CvWvToKvD9CaNYXEkkv7edzK2SjBpIubfzrZEXBIc29mO+v1hgPVLa0UXxJYUm
+EJJwot+h5LbLL/88gsmpxw
+-> ssh-ed25519 Qo6/7A sf8CS5cIQDZvP9MKAeVvM5fs+v5LFa8piHZy7wYkSlQ
+M20vk0GZVRtfAWqMvMfAmY6CzTNBWIPJVjGfGuvkxP8
+--- JCHao8ft02He5sH6okZRwhOdr4C7khjNSA3ofQlmH4o
+“ H²]ÓENÍeÌzíD¤RçœÔª–<0OAŸøƒýÀÛG0<PA=[ïfÈû{|	»]Ànð™ZŽåÀHd€‚ƒ2 <Cè¥öÊpÛæñ’ó¶W_¥ãš{¡£�L.èÎÅ�0ßœ�.nk«í°Àã›YCDøDñKIkV^XœF]"è—ù^ºÂ•$]œÍ©`��LHÿñTvò¦,H3pzí'jNÝæ$ÒoNjÅjGp¥ÒœØ;kœ¤˜�š|É0^„¼=Ú”hïr-bòß'ÞÚ´¾WqC¨™Îƒµàf%\;œFô¦«Ü³~7sÊ䳫N�
+wàú@A|ïÇŽ3ü÷$û4×Cg)!ø
\ No newline at end of file
diff --git a/secrets/certs/gitea.hillion.co.uk.pem.age b/secrets/certs/gitea.hillion.co.uk.pem.age
new file mode 100644
index 0000000000000000000000000000000000000000..cd7cd9c909b7ef84494481954d2e3cb2231f638e
GIT binary patch
literal 1186
zcmYk&-|N%_008jtA!Q_HhJFi^FG(QIYquYFyCXGjcemSayWMuT?RIAwx7*L#ZMWNY
zyWPOjC_>DqZ@m;&n1mJ-^iW@@jKUJqluCsjEcF`}q+nz(LE2N$=TG?bO+BM~gJAAQ
z_Sk!T9GFlH1DV~6VQ6K7u)kPKc(N`4OibidE^bXtLz_FrX)5r72$?#Bhc0clbhp%x
zo7L>R9d#T<lXEGFDh92pDoAnpUN;8H62gWaSq_qkh3FKE<5k<?RVEO4afbO#19hx~
z!4TLUne73KG=|i?NQVV1!R_v>YXGRq8D%xi3Ju6Wv3fns*Jmo#X%(GX(~`O@ud{)e
zZ8&8u#JKuQ(`2REE%gnqhCxBpc7ezn`M4y3h*L2HOKw^PPpMceNJA9F@?^l}5<+lm
zlZ3&IGTCm3B#MEwCOTaODj@{~n3<Hq)dFndbWu3udC1qtT6=<cUba%OC$g={AYJlH
zrZUwPsYE+*pGzhZPph;n4P+LOWV>A?Tx{NurGkQrW3xB(%>QpQMYjXbfIy@q4W~?|
zQ5S=-*ROYN(;AN<b<PLEG}UY{7I`Kt5eTa`hXa8_(h)u@l_DzP$Qp|Po~^PJGOTK7
zzCG-~dAUtdLqxKIcocPUMg%dNK<sLiwtGZDu?$8^{WhsaAUM<e<<S^WX2G1+71!?L
zs7iF~p~j2GC~n*NWL`qtDjCEgTJX(==nvSihseD~puv+?OO+zfshGg1Be{@br7=7j
zxy4XKTh1tg=m8kPg=|Vq`=T@<!45u{G!2h-Au8MAMX6K4jHwn(B^^keg!FZ?Ofz_o
z9LffstENFfDsoOI8P}(JQ=6VK`8L4^j)T?+$P1+I08<DIERBgl3UHi{giMkY8E#fY
zD@|H=rJV5Jwyq($99&!!#(4-YEt+u0Cy9<Pho%*@dJYry#X*yFYze6s8w6~5Hq2&Q
zqJq)@IH!cF1bcYoja@XI3?&+_(UqAt@dg59Io-5k8#AMkcd9@plUZzJ#hxzBYdR-P
zNh*!HO`;DK*d$jlKq4^JuFYgw3zz3z3}`qTzP={Co>}mh<aqhko3Advv-9SjT_2p^
z`|ckvY}jA^_RFg)`%eF|<?w4#MLc<AZR?-amv_m>zS;Z)x>9=Z<?6kAS1&A`KXVT;
zsD5^Lx^l2o--B>FZmj>I_2EVK)Xz`<bbQ@&N@MGLf8%3nJGp5lZohqJ6>|UgYpjoU
zXB$VrH4E>rKfCd*-b07N{<$v*?D|UQ+K+1w#qqDNJo(ZY*81e;MR4CT20e26*jGpQ
zKk#|y&ZdtM@0sSO2NpLItKc`1Eu#vx<HnWWpZyJa`1D4ay?N^H;MU>qR<@nIdST;V
z;G^-@6Nyc1z0AFRd(UGF#}8mjI}e^Zv2;aVcd7Mf?|S(Xx9!FIo;vXS+3VZ)CiKw@
G=l%r;L#`SC

literal 0
HcmV?d00001

diff --git a/secrets/certs/hillion.co.uk.pem.age b/secrets/certs/hillion.co.uk.pem.age
new file mode 100644
index 0000000000000000000000000000000000000000..7f296aa95d2dcc1b5f61cb0fb44dc0aa938c30b6
GIT binary patch
literal 1186
zcmYk&TdUgy003Z7@F9$`iG$6d9ucRrJLb|fY1KK>HffqBZPTVrn#o4mq`5S=Ce5V>
z9eQK~ne)bQxZycxDsE2CgHDGEvh5)3W$0i!cM+z(`JxPm7dAy-1b@K?pQ3BCnmY)l
z{>1d$N4!7>V;GoyVkQiY*&tMADru8qctA8j5iZeaF&YrYupwZUJtx%g#4i=ycs!}`
zl7WI=?1<T+F~JSQ8kue{rE4~%DzueFfMLr)6=ftDb+_fSxk})cO>~fIbll0?Al1hl
zm(T~Ss9?4^R8=u2cqTs}s|1q~tDMIJByK4sL5#Sp<`3I29n|GAoFSD0r#fg~!Vn<|
z<}#isvrRs(j|w={AAxznZfXq*_Nh7mQbfN(Iz+YFw-N`+gawYPXAD6{AsK77-DUvy
zEHNzPr)XZnkxG-QOv)0?S6YhYr+66{N^v(<@G>`s!YQc2RJ{}XcBh>*JU*Z3Ced-&
zYL=Z6bJ-GKV<{VM4|Ac9ltd#O$5;f|hStl&wU*)dVOQ59J2&Z%lmBnm3XTXTz@UT(
zEGmbQWO~*xNQK^nbD4mhK(I8b6g#-zAD6q(m}cz)Tj}?sYLQL(O3G-4AWk_4km-@Z
z7;P7<5OSUnAWDo0$1|NySg4v-dywm*$gmL^x*+=n&vi}Fre)I9uvUYm2Sy%<Vx!A}
z4OOx+Gxi12X*9r~feGUXWsxj5X_=W6f?O__>09|MCn3RHmdx^!oL2CPGY|k#5pYkD
zaj_C9LJm`jft-qb$Iz#tO+zD?m0M*^MPSeag?>wjBw{$x^0k0P(`+g0r~q0}3JA<-
z6kBT7!r|B&aUIT6iWbTno?ZskW`hLPIyONAvQ;YQXc?PEY(8leMrkiwYXWn&U!usi
zs>KXl#N7Zwy91B-Z~I?6mxBv4yoZ4}F*B@6BnC-CMK?I3(`Feli3N<4#HP_V{4N7#
z7=n?LE}wV+q{X^9sWLupw>gXudoF4h`(Q4UT6TBZoFp7g=ykHAx+pL^J3BK+C9na-
z5>>_{8`asK*eR0{P2owXM|C^3aS};-sU=1u;BsfpuXpd<eJb6&`LLec0AA59y@tH?
ziL(49{L=BQtG8d7Ig{fbe@IKt&EJ2_$$hb(f%QFGu3Z!^-SgbF@1J>jc}Md+J9pom
z;mXzV=^GlIIeBUgcIa&W<l4XY{dT>)aAjeM-uu_`@2j@mvZyZx>&{$Rxs^G3b7ez&
zVbdP__VJ0QKGt8~pszph)wc7u9sK-<wco0jF8;W5_Pgcj<#~B}b;~f{Upf5jdt1Mr
z-^dmpd-}swM|SOJZ?sPALY64PTspVu=R24q8*hFC=RWXWsI7nd#ZLaCU-rH8*#mdI
zdwl-+o!gxY2i~-tqX$pFvG&-)$<-$o7sXHCe-gUTUBBbppI5IVdpF(t;O?K+{qZVV
LT6lQNqvYa0An~$Q

literal 0
HcmV?d00001

diff --git a/secrets/certs/homeassistant.hillion.co.uk.pem.age b/secrets/certs/homeassistant.hillion.co.uk.pem.age
new file mode 100644
index 0000000000000000000000000000000000000000..da7e12bcda45e534af011ca9212643c5f02c6407
GIT binary patch
literal 1186
zcmYk&TdNcW007{EL)3IbOeyftvB09~H20aE2b0;k?Ck99%wFcQXN7Qf=eoPIvvWCn
zdkB;0rWlGMmWdCVh)9LyQ<xqFp$8*R*@c5rkrAOj82E6|dJ6h}!e@ETywh(dlR*|l
z{a2#IgN6t&|LR<t`twO@%@xKKL8<~?O>YPmOQJm#3vo4v$PSG%v<^f0w4T&t9%>B+
zWmbs`8d)V+(U`z`Ui3-40$V;W(*S7tBA(}PC#9vjH62DGoI_k@Bn`OCWt5si`=m~i
zDAuHCgPb(Xg%EV4t|Cm((gdP$pqCqQO?;@}NK(fuK>?9TdrT=DreJDC@`6QJ<5MSy
z8s5+vcDlMb^tvOG2&fjL_XAb~L`n5jq}8gH5xoItLF%^{+|Ai^Pmt=OC=(QpdCiGY
zu=7DJv8XnOBLy?^jZuwrvNj1wbYIIPyzBb<m~wJdTH(wx=JFI&L=COer<!!WAY`FS
z>n#-WK$xHi9IA(6URnSf#R5>KJ-=K7Gs2J@0cuNX)Q)ZM|Jx-xG?5X|Z74<1?&O<2
zT&^lGuX3_n>@C`fCUU}9B&B|#f{r^JC3{#=iR2j8U<P6nwk2YtEZ~5s6f3^ODD@B%
z2i2elriE-2X}qK2Q!VOGBdRGI5u?{rS56VI=!Z&4ipdb-7@fx#N<d$2MjC@NhFi(n
zoTfrdH5Zo=TqZD34w_)tG9%q-2%+UA4Rx3h6j+S=lO7ck0-{X10M>&|o=eouB1PB6
zm3V;L5UrL;%iu?K)MI@uM>bq&GR<O7cEut~wEK`=aKNsKxu}H$9eJ_Q$TLZYsF)+2
zp=(8?7X?0Q@^D81(`Kmk@SMolZM-lDt8SPQaf4`v*o5mwW4n|ASSIig=jZUgRGG5U
zqALiL#r(JJ*eF3D^jtL}A&QwJ#;)Dus|rO$nj*#?Vib6=GD)*Mnvgw<ZD2XOZkOVK
z%>lmU@KI)3<5A}KCIu8u)eJJAzFeMYV?|6tIVmn!#c~ZA0rT_obMY{)r9z8RFkA2k
zsN$(^FW2ra4kFXDnxjT5;PGK=s0@`VAVD9kK6>Q0gR@sU(_I@bT>WJ82Y=l?`1z52
zclKXgxqR=Zuf`8vnp;_bPHbnxLpOFBr`ey)Z8!UeTJ)Y9*PeKM`O5xFe|ir+e1Gro
zsaf^Q_0OG8*1QYd|K@CO3A+6LM()<kftljj)!VN>dG#o29Nu@Y@K$H;_*UiE<&E)d
znlp;|n@_`A*MHo7?2EOv7q=_t#w)`84JXrY_k4H?-|>=gYRmJ#Z(d#f@t5LmWZl;n
zb}jAPZ7f|_{&mNiYgTvLxuv@^_0#LN+=|$h>(gUzp84zta^~gtUV9rx&w;c5oJj6$
z<MzE^MLK)b>}*;FA9?10bDaLJbn?@|AM*J%53p;={_Qj0FK>GG)Wy9c_KoYC{=WXs
Ezg%&vB>(^b

literal 0
HcmV?d00001

diff --git a/secrets/certs/links.hillion.co.uk.pem.age b/secrets/certs/links.hillion.co.uk.pem.age
new file mode 100644
index 0000000000000000000000000000000000000000..1b8728e228575266f6a7ca06c38fcd782d59710b
GIT binary patch
literal 1186
zcmYk&|Em)P008hLrMe#;A%WzhdQc#=UboxrZaYi!zV5c&*X?fiMZ&h-ZMQFXyD!__
zHi8Vq!a}qp;#pcDy^so|&>!*<*f&$kkPwS_RDx-NhFMVgrGAQj`1}K(dfT42y=FM^
zhn<1<@E~l1F$BzSoQoo7K8)&fg|WnxWWY*Ncusbcfs9q4JkL6gI&KH7tq-bbBeAKL
zL;C1s;Bt}c2@@GKkvd6Lq9Co0@m7lPfSy*Wv@L7k)`qpR&Y41GsN1YU2UEDoh6#eG
z4#w2*QrGd39%Xvj5u8#WajaI@0%m{_AdHB(;xj`$D+n!etUC%(GgN9&Dnq!>aaAbs
zC9y1JG0^eAxPyB^2Qeebr3xU5@MsUnfz8H9V4QI_=z6r8G}XAJBdHjP1AT0E1zv#c
zB56qEI4v1EQ4%u<iItOyn#Vz$D1v~`)Lc^F6`~-vJ0lguWNDDsVTNX6hqQWpPeq5K
zH8u>iRq{!`Bvw*AfmLf!&><PqC;}PV?RjA^a*ISjminbBGU2=O|F_GSt3e51k)~?L
zo|+pAW{OGMhJ+IoicK}%%xIPNWKj3@a5_Yqc*JwfYHw_g5(R7%q*O+#W7`Mfg2WY!
zP%hFS6bdlX6RBLMJf#}#0_JE{F_coGzzKX-;gdq26C&0sdkj}>lj?}D9TFH&O)?O8
zoNqCBR3AuewNIp5Jxzm)7Q|YmMDYGa4=Of8W#MLMd!0D)rl35Hb+t<efFkf6ze~}I
zR+u&tPe}^iFvHM&%oCf%7*x{}6Gb&y!&_JaHDIEva(x{pbT@LRle+E#+0v*FQV=dd
zTq|zCu~YS2l5K`?A?!dof*P68bj0V9k=SqQ4%zo;s-Wvov4Fy$Cg}o@$>-5j;B$Gj
z??ze6B0U*G|J$~$41z$|oIF6m96qNNg<2dAy-|j=Bfg4?n1RMn2FYh#$gNMkC?_h#
zMpUb4d7w=7b%g-cDLu{vRHidZAyEo5`pl3HVZ--~l+wX{8jiFyFh4&($F;CY-X{r7
z$C#Y1RM0Bi?Mk82^}AJ7Z8nVJkVUGfS0`lPmebiEeizrBy1DAL>*iPA-1{fE^QySK
zE&t4hc<tuKiEAg(x63a@E9l#IyqVd0m+|eEE5<Q4+_Yx)kF#GNmA+fP@bt{F4NLOU
zje{5Vz53XxHR-Fs-iPYzKmTOrQ1|){v$7|z-ZA^=jnh|VcQH?9AF1y=zWBs}-K#I(
zgWSq`+!xz7p$nJ$vp3FffA`bPf0YhjI{Vvj<%^pStasTdci(3}uDyHrwj-GjZ+rgN
zr|yqdtz1}qpmy%djo+_(>!&?4Gba}wKYI1>&5K9YWX^2-nc?54>5YBoS@yYimiNo6
z$%Feoz9d|Zw>Hz+_pLLBetB?V?|ZLox_0u}zZb*h*JqZNE(R-3EG?(Dd~|46c;^SX
M<HZ+FowHy52c2cLtN;K2

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 020c72f..742ad02 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -108,4 +108,11 @@ in
 
   # HomeAssistant Secrets
   "homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
+
+  # Web certificates
+  "certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/blog.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
+  "certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
 }