router: add secrix for secrets; add cloudflare api key

2025-05-11 21:25:34 -07:00
parent bb633e5bce
commit 1fbba65785
6 changed files with 50 additions and 10 deletions
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
-
+let
+  vars = import ./vars.nix;
+in
 {
  imports =
    [ # Include the results of the hardware scan.
@@ -10,6 +12,8 @@
      ./kea.nix
      ./services.nix
    ];
+  # Secrix for secrets management
+  secrix.hostPubKey = vars.pubkey;

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
--- a/hosts/router/services.nix
+++ b/hosts/router/services.nix
@@ -47,6 +47,8 @@ in
    };
  };

+  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
@@ -55,7 +57,7 @@ in
    };
    virtualHosts."grouter.${domain}".extraConfig = ''
      tls {
-          dns cloudflare xx
+          dns cloudflare {env.CF_API_KEY}
          resolvers 1.1.1.1
      }
      @grafana path /grafana /grafana/*
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -31,6 +31,7 @@ let
    };
 in
 rec {
+  pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter";
  domain = "cazzzer.com";
  ldomain = "l.${domain}";
  sysdomain = "sys.${domain}";