rrvsh · rrvsh · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/docs/README.md b/docs/README.md
@@ -3,3 +3,5 @@ the flake uses import-tree to essentially import every file recursively in `nix/
 `veil` is a raspberry pi 4b that will serve as a reverse proxy to the network and other services. it currently hosts my website http://rrv.sh
 
 user passwords are stored in the git repo using sops-nix for encryption and mounting
+
+ssl is handled by lets encrypt via acme using DNS-01 validation thru cloudflare
diff --git a/nix/keys.yaml b/nix/keys.yaml
@@ -0,0 +1,17 @@
+keys:
+    cloudflare: ENC[AES256_GCM,data:p2IISOuU/ShoifW5OFY/6Bi6PI0iIiQoBfnV512f2z84U9QS/KEhzA==,iv:5AkwtNAK8mD2DbvXCtTeNeIrpF/GIsSyOYxy8G4Jsqo=,tag:u2xJcRBR5WTMWdzupx4tbQ==,type:str]
+sops:
+    age:
+        - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcTdPWURrK2w1QUZubVZo
+            VUMrcFFQU0UxdDU3OG9PdEUxcGs2bzZNcmg0Cm03cUlPZkRMK0ZXOTllV3BtZWFp
+            QXBPRWtOd0xjZC9BdGdmWnVoVGpHR1UKLS0tIEpaVXlSNkhpMVZnTFZWTFVEWTgv
+            T3VyZXZnaGZaMVBnVko2Tlc2S3FpdDQKRiHCOtkHKugfquQfYkk4o9SMtZlo1CqZ
+            3i9+9Z516KS1+ERTklBUzZDBRZISY0c2nluO+tn71wnKAMIxetKryQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-03T13:45:09Z"
+    mac: ENC[AES256_GCM,data:wLmnbhu+vRSBHm3fWntFjz1idm9ATgLFDs4HYSrw8mFa6Pn0FwREoHHNZMmQnYouzb22yXfR2FkkJznx5IShaY/U6zOTngMN2plU5lgBNoHPzB3jzNA82ShYpZgiXQz7ewrdr+U7rGMBdtjiuimLLPssIfiV1x88VnrPC25nqMY=,iv:Gfp7Niwde5aZjOwRGwO026nABk8ppm2W6gv2N18fRQg=,tag:uxR9EewHbufyezIe9YV0Ag==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
diff --git a/nix/veil.nix b/nix/veil.nix
@@ -25,7 +25,12 @@
           services = {
             openssh.enable = true;
             nginx.enable = true;
-            nginx.virtualHosts."_".root = ../www/rrv.sh;
+            nginx.virtualHosts."rrv.sh" = {
+              addSSL = true;
+              useACMEHost = "rrv.sh";
+              acmeRoot = null; # needed for DNS validation
+              locations."/".root = ../www/rrv.sh;
+            };
           };
           users = {
             mutableUsers = false;
@@ -39,8 +44,20 @@
                 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq"
               ];
             };
+            users.nginx.extraGroups = [ "acme" ];
+          };
+          security = {
+            sudo.wheelNeedsPassword = false;
+            acme = {
+              acceptTerms = true;
+              defaults = {
+                email = "rafiq@rrv.sh";
+                dnsProvider = "cloudflare";
+                credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
+              };
+              certs."rrv.sh".extraDomainNames = [ "*.rrv.sh" ];
+            };
           };
-          security.sudo.wheelNeedsPassword = false;
           networking.hostName = "veil";
           networking.firewall.allowedTCPPorts = [
             80
@@ -52,6 +69,7 @@
               neededForUsers = true;
               sopsFile = ./users.yaml;
             };
+            secrets."keys/cloudflare".sopsFile = ./keys.yaml;
           };
         }
       )
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,5 @@ the flake uses import-tree to essentially import every file recursively in `nix/
		`veil` is a raspberry pi 4b that will serve as a reverse proxy to the network and other services. it currently hosts my website http://rrv.sh

		user passwords are stored in the git repo using sops-nix for encryption and mounting

		ssl is handled by lets encrypt via acme using DNS-01 validation thru cloudflare