From b8455c491b35ea401c53ae9434c46ee541af29a2 Mon Sep 17 00:00:00 2001 From: Lucas Thelen Date: Thu, 2 Oct 2025 03:32:00 +0000 Subject: [PATCH] Site hosting --- flake.lock | 24 ++++++++++++- flake.nix | 11 +++++- secrets.nix | 5 ++- secrets/aws.age | Bin 0 -> 453 bytes services/site.nix | 86 ++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 123 insertions(+), 3 deletions(-) create mode 100644 secrets/aws.age create mode 100644 services/site.nix diff --git a/flake.lock b/flake.lock index 8cee96c..5f21279 100644 --- a/flake.lock +++ b/flake.lock @@ -85,7 +85,8 @@ "root": { "inputs": { "agenix": "agenix", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "thelenlucas": "thelenlucas" } }, "systems": { @@ -102,6 +103,27 @@ "repo": "default", "type": "github" } + }, + "thelenlucas": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1758437915, + "narHash": "sha256-Pov34Iw1P9kZwBQcNYt5Sur0ewBBt2EcY+M6eO+NpcY=", + "owner": "thelenlucas", + "repo": "thelenlucas.github.io", + "rev": "e5e7c6f05c6bad70861e1b0ea7e41ebe607fc6f7", + "type": "github" + }, + "original": { + "owner": "thelenlucas", + "ref": "main", + "repo": "thelenlucas.github.io", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 70cd66b..5d51fb2 100644 --- a/flake.nix +++ b/flake.nix @@ -3,13 +3,20 @@ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + inputs.thelenlucas = { + url = "github:thelenlucas/thelenlucas.github.io/main"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + inputs.agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, agenix }: { + outputs = { self, nixpkgs, thelenlucas, agenix }@inputs: { nixosConfigurations.homelab = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs; }; + modules = [ agenix.nixosModules.default ./system.nix 
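Review bot: `thelenlucas` is bound in the new `outputs = { self, nixpkgs, thelenlucas, agenix }@inputs:` pattern but nothing in this hunk uses it; the site module reaches the input through `specialArgs = { inherit inputs; };`, so the explicit binding is dead and `outputs = { self, nixpkgs, agenix, ... }@inputs:` says the same thing without it. The input tracks the `main` branch of a separate repository, and the `flake.lock` hunks above pin it to a revision and narHash, so builds stay reproducible and the published site only moves on an explicit `nix flake update`; that intent deserves a comment above `inputs.thelenlucas`, e.g. `# Static site build; pinned in flake.lock, advance deliberately with nix flake update`. The `nixosSystem` call and its `modules` list continue past the end of the hunk.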
@@ -22,9 +29,11 @@ ./networking/adblock.nix ./networking/vpn-host.nix ./services/jellyfin.nix + ./services/site.nix { environment.systemPackages = [ agenix.packages.x86_64-linux.default ]; age.secrets.tailscale.file = ./tailscale.age; + age.secrets.aws.file = ./secrets/aws.age; } ]; }; diff --git a/secrets.nix b/secrets.nix index fb0196c..50464f5 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,5 +4,8 @@ let machine1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINptuT84VNef3qdFdkqj5kbJtnzoenWcOwcWbdOqQxld root@labtop"; users = [ user1 machine1 ]; -in { "tailscale.age".publicKeys = users; } +in { + "tailscale.age".publicKeys = users; + "secrets/aws.age".publicKeys = users; +} 
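Review bot: `age.secrets.aws.file = ./secrets/aws.age;` relies on agenix's defaults, under which the decrypted file is root-owned and mode 0400, and the `route53-ddns` unit this patch adds in `services/site.nix` sets no `User=`, so the AWS credential is readable only because the updater runs as root. Setting `age.secrets.aws.owner` to a dedicated account and `serviceConfig.User` on that unit to the same name would keep the credential off root and bound what a bug in the shell script can reach; how the script reads the file is outside the visible part of the patch, so the exact path it expects needs checking against the declared secret. The two secrets are also placed inconsistently, `tailscale.age` at the repository root versus `secrets/aws.age` under `secrets/`, and the `secrets.nix` hunk below mirrors that split; keeping both under `secrets/` leaves one location for the recipient rules. The `modules` list and the enclosing `nixosSystem` call start before this hunk.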
diff --git a/secrets/aws.age b/secrets/aws.age new file mode 100644 index 0000000000000000000000000000000000000000..8912cbe261f4533b4278f7352227cf2b2d68aff9 GIT binary patch literal 453 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFH^_3%FIVs~Fw4!f zOw5f)%Ca=bPOLI;^mi#s3Mx)aH3|##4J&rcGRetxN^;S5_vETd_sTPM@e2z}^~z0; z$dB@?^vle5%d;rSGOV=pHg+<%bTtV#jHpcWj6}CBDy%p;AW*@r!nn*L$=f&I(l|6J zEGR3$&&anl%Qe};#92Ql+bKKBJ25lB%PcA*J)JAm&@VJKOgk*nH7MOQ&)>t>-6`3% zveL-WDJ9(1JvZ02*u}##!`$2>-Gob5S63n2r`*iaB_hN*C&fD?t*RtD(akW>DZ@9- zFu=Q@#L?2A$V@*XIiS+i&4P=AvHs}s=y}H~csEC%PMUHeav7J8!o!Z;RVRg+Cy57g zsr^tfUnX|xYH;u4DNmx8+{k<`${_(06YK*^hm%Y6A|L%-OO&fcQ`l>23Kdee`>Rt9hX1TxR o6ZNOc?^D#W*X#DKU@y#AwB^6fpQF)AO0n)NJ05gwV%R?)02=&2 + exit 1 + fi + + # Get current DNS record + DNS_IP=$(${pkgs.dig}/bin/dig +short "$DOMAIN" @8.8.8.8 | tail -n1) + + if [ "$CURRENT_IP" != "$DNS_IP" ]; then + echo "[$(date)] IP changed: $DNS_IP -> $CURRENT_IP" + + ${pkgs.awscli2}/bin/aws route53 change-resource-record-sets \ + --hosted-zone-id "$HOSTED_ZONE_ID" \ + --change-batch "{ + \"Changes\": [{ + \"Action\": \"UPSERT\", + \"ResourceRecordSet\": { + \"Name\": \"$DOMAIN\", + \"Type\": \"A\", + \"TTL\": 300, + \"ResourceRecords\": [{\"Value\": \"$CURRENT_IP\"}] + } + }] + }" + + echo "[$(date)] DNS updated successfully to $CURRENT_IP" + else + echo "[$(date)] IP unchanged: $CURRENT_IP" + fi + ''; +in { + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts."${domain}" = { + forceSSL = false; + enableACME = false; + + root = "${inputs.thelenlucas.packages.${pkgs.system}.default}"; + }; + }; + + environment.systemPackages = [ pkgs.awscli2 ]; + systemd.services.route53-ddns = { + description = "Update Route 53 with current IP periodically"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + + 
serviceConfig = {
+ Type = "oneshot";
+ ExecStart = updateRoute53;
+ };
+ };
+
+ systemd.timers.route53-ddns = {
+ description = "Route 53 DDNS Update Timer";
+ wantedBy = [ "timers.target" ];
+
+ timerConfig = {
+ OnBootSec = "1min";
+ OnUnitActiveSec = "5min";
+ Persistent = true;
+ };
+ };
+}