From 714a279fc2e3eca845386d96ea380bc05ab1029d Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Sat, 26 Oct 2024 04:09:35 +0200 Subject: [PATCH] feat(dns,nginx): add some weird magic --- lib/default.nix | 6 -- lib/dns.nix | 10 +++ modules/dns/default.nix | 34 -------- modules/homepage/default.nix | 30 +++---- modules/nginx/default.nix | 117 +++++++++++++++++++++++---- secrets/404-ssl-certificate-cert.age | Bin 0 -> 3284 bytes secrets/404-ssl-certificate-key.age | Bin 0 -> 4584 bytes secrets/secrets.nix | 2 + 8 files changed, 127 insertions(+), 72 deletions(-) create mode 100644 secrets/404-ssl-certificate-cert.age create mode 100644 secrets/404-ssl-certificate-key.age diff --git a/lib/default.nix b/lib/default.nix index 3c22d83..ab24160 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -36,17 +36,11 @@ rec { mkVPNSubdomain = name: port: { luj.nginx.enable = true; - security.acme.certs."${name}.luj".server = "https://ca.luj/acme/acme/directory"; services.nginx.virtualHosts."${name}.luj" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://localhost:${toString port}"; - extraConfig = '' - allow 100.100.45.0/24; - allow fd7a:115c:a1e0::/48; - deny all; - ''; }; }; }; diff --git a/lib/dns.nix b/lib/dns.nix index f3eca85..2de84b6 100644 --- a/lib/dns.nix +++ b/lib/dns.nix @@ -4,6 +4,16 @@ with lib; rec { + allowedDomains = [ + "luj.fr" + "julienmalka.me" + "malka.family" + "luj" + "malka.sh" + ]; + + isVPNDomain = hasSuffix "luj"; + hasSuffix' = flip strings.hasSuffix; domainToZone = allowedDomains: domain: (findFirst (hasSuffix' domain) null allowedDomains); diff --git a/modules/dns/default.nix b/modules/dns/default.nix index d0ed934..de36687 100644 --- a/modules/dns/default.nix +++ b/modules/dns/default.nix 
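Review bot: `isVPNDomain = hasSuffix "luj";` in lib/dns.nix matches any name that merely ends in the letters `luj`, not only names inside the `luj` zone, so a host such as `fooluj` would be classified as a VPN domain. The predicate now feeds record generation in modules/nginx/default.nix (`dns.isVPNDomain domain`), so it is safer to anchor it on the label boundary: `isVPNDomain = domain: domain == "luj" || hasSuffix ".luj" domain;`. The same unanchored test appears as `lib.hasSuffix "luj" name` in the modules/nginx/default.nix hunk, where it decides which vhosts get the allow/deny block and the internal ACME server. Calling `dns.isVPNDomain name` there would keep a single definition. The `rec` set continues outside this hunk.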
@@ -1,20 +1,9 @@ { lib, - config, dnsLib, ... }: let - cfg = config.machine.meta; - allowedDomains = [ - "luj.fr" - "julienmalka.me" - "malka.family" - "luj" - "malka.sh" - ]; - - isVPNDomain = domain: lib.dns.domainToZone [ "luj" ] domain != null; SOA = { nameServer = "ns"; adminEmail = "dns@malka.sh"; @@ -57,27 +46,4 @@ with lib; }; }; - config = - let - # list of domains that are defined in the current configuration through virtualHosts - domains = dns.domainsFromConfiguration allowedDomains config; - # AttrSet domain -> { records } - recordsPerDomain = map ( - domain: - mapAttrs' ( - n: v: - nameValuePair (dns.domainToZone allowedDomains n) ( - let - subdomain = dns.getDomainPrefix allowedDomains n; - in - if elem subdomain allowedDomains then v else { subdomains."${subdomain}" = v; } - ) - ) (dns.domainToRecords domain cfg (isVPNDomain domain)) - ) domains; - in - - { - machine.meta.zones = mkMerge recordsPerDomain; - }; - } diff --git a/modules/homepage/default.nix b/modules/homepage/default.nix index 6b2e7fa..a12e7d9 100644 --- a/modules/homepage/default.nix +++ b/modules/homepage/default.nix @@ -1,4 +1,9 @@ -{ lib, inputs, config, ... }: +{ + lib, + inputs, + config, + ... +}: with lib; let cfg = config.luj.homepage; @@ -8,21 +13,12 @@ in enable = mkEnableOption "enable homepage"; }; - config = mkIf cfg.enable - { - luj.nginx.enable = true; - services.nginx.virtualHosts."julienmalka.me" = { - enableACME = true; - forceSSL = true; - root = inputs.homepage; - }; - - services.nginx.virtualHosts."www.julienmalka.me" = { - enableACME = true; - forceSSL = true; - root = inputs.homepage; - }; - - + config = mkIf cfg.enable { + luj.nginx.enable = true; + services.nginx.virtualHosts."julienmalka.me" = { + enableACME = true; + forceSSL = true; + root = inputs.homepage; }; + }; } diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix index 106df41..dd48a74 100644 --- a/modules/nginx/default.nix +++ b/modules/nginx/default.nix 
@@ -1,15 +1,74 @@ -{ lib, config, ... }: +systemArgs@{ lib, config, ... }: with lib; let cfg = config.luj.nginx; + mergeSub = + f: + lib.mkMerge ( + map (sub: f (sub.systemConfig systemArgs)) (lib.attrValues config.services.nginx.virtualHosts) + ); + + recordsFromDomain = + domain: + mapAttrs' ( + n: v: + nameValuePair (dns.domainToZone dns.allowedDomains n) ( + let + subdomain = dns.getDomainPrefix dns.allowedDomains n; + in + if elem subdomain dns.allowedDomains then v else { subdomains."${subdomain}" = v; } + ) + ) (dns.domainToRecords domain config.machine.meta (dns.isVPNDomain domain)); + in { - options.luj.nginx = { - enable = mkEnableOption "activate nginx service"; - email = mkOption { - type = types.str; - default = "julien@malka.sh"; + options = { + luj.nginx = { + enable = mkEnableOption "activate nginx service"; + email = mkOption { + type = types.str; + default = "julien@malka.sh"; + }; + }; + + # Awesome NixOS crimes + services.nginx.virtualHosts = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule ( + { + name, + ... + }: + { + options = { + systemConfig = lib.mkOption { + internal = true; + type = types.unspecified; # A function from module arguments to config. + }; + }; + config = { + locations."/".extraConfig = lib.mkIf (lib.hasSuffix "luj" name) '' + allow 100.100.45.0/24; + allow fd7a:115c:a1e0::/48; + deny all; + ''; + extraConfig = '' + ssl_stapling off; + ''; + + systemConfig = _: { + security.acme.certs = lib.optionalAttrs (hasSuffix "luj" name) { + "${name}".server = lib.mkIf (hasSuffix "luj" name) "https://ca.luj/acme/acme/directory"; + }; + + machine.meta.zones = lib.optionalAttrs (name != "default") (recordsFromDomain name); + + }; + }; + } + ) + ); }; }; @@ -19,8 +78,7 @@ in 80 443 ]; - security.acme.defaults.email = "${cfg.email}"; - security.acme.acceptTerms = true; + users.groups.nginx = { name = "nginx"; }; 
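Review bot: The VPN allow/deny block in the first hunk is attached only to `locations."/".extraConfig`. nginx access rules set inside one `location` do not apply to sibling locations, so a `luj` vhost that declares any other location (a regex or a more specific prefix) would serve it without the restriction. When this lived in `mkVPNSubdomain` the vhost had a single location, but the submodule now applies to every virtual host on the machine. Moving the rules to the server-level `extraConfig` makes every location inherit them. If you do that, confirm that the internal CA still reaches any ACME challenge path from inside the allowed ranges. Separately, `ssl_stapling off;` now applies to all vhosts, public ones included, and needs a comment explaining why.

```nix
config = {
  # … unchanged: systemConfig definition …
  extraConfig = lib.mkMerge [
    ''
      ssl_stapling off;
    ''
    # Server-level access rules are inherited by every location of the vhost.
    (lib.mkIf (name == "luj" || lib.hasSuffix ".luj" name) ''
      allow 100.100.45.0/24;
      allow fd7a:115c:a1e0::/48;
      deny all;
    '')
  ];
```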
@@ -35,16 +93,45 @@ in commonHttpConfig = '' server_names_hash_bucket_size 128; ''; - }; - - services.nginx.virtualHosts."404.julienmalka.me" = { - default = true; - locations."/" = { - root = "${./404}"; + virtualHosts.default = { + default = true; + addSSL = true; + enableACME = false; + sslCertificate = "/var/lib/acme/default/cert.pem"; + sslCertificateKey = "/var/lib/acme/default/key.pem"; + extraConfig = '' + return 444; + ''; }; }; - machine.meta.zones."julienmalka.me".subdomains."404" = lib.mkForce { }; + security.acme.certs = mergeSub (c: c.security.acme.certs); + security.acme.defaults.email = "${cfg.email}"; + security.acme.acceptTerms = true; + + age.secrets.nginx-cert = { + file = ../../secrets/404-ssl-certificate-cert.age; + path = "/var/lib/acme/default/cert.pem"; + owner = "acme"; + group = "nginx"; + mode = "0640"; + symlink = false; + }; + + age.secrets.nginx-key = { + file = ../../secrets/404-ssl-certificate-key.age; + path = "/var/lib/acme/default/key.pem"; + owner = "acme"; + group = "nginx"; + mode = "0640"; + symlink = false; + }; + + systemd.tmpfiles.rules = [ + "d /var/lib/acme/default 0750 acme nginx - -" + ]; + + machine = mergeSub (c: c.machine); }; } 
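Review bot: `age.secrets.nginx-key` gives the private key to `owner = "acme"` with `mode = "0640"`, although the `default` vhost sets `enableACME = false`, so the acme user never needs to read it. Least privilege would be `owner = "nginx"; mode = "0400";` for the key, with the certificate left group-readable. Both files are also written into `/var/lib/acme/default`, the directory layout that `security.acme` presumably manages per certificate name. A path outside that tree would avoid a clash if a cert named `default` is ever declared, or if the ACME units adjust permissions there. If the layout is deliberate, add a comment above the two secrets such as `# static self-signed cert for the catch-all 444 server; not managed by security.acme`. The enclosing `config` block starts outside the hunk.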
diff --git a/secrets/404-ssl-certificate-cert.age b/secrets/404-ssl-certificate-cert.age new file mode 100644 index 0000000000000000000000000000000000000000..9fe10255ed0fbc7becbc6f6c7f260a14ba10c814 GIT binary patch literal 3284 zcmZY8`CkkO0|xNgh^Dr-C{Z-XVn^n_STy(DT+NA>xtsewsT@m(tlBUVyI~a@i5y)> zQF3huExFrJdbNot=es}m{srI9^E{tNrcouSObVOV;?SB+i_JC-*aZb7EeG1|X-O(2 z42gtdfixZ!r^f;9DM-3ZZH5RW7&ad(Mqp_!2Ty6m!oVnj$)Oc{`AjfZY=J6GB!E@! z1v4--jerkj+fV`~%Em>m_q~9iQzZ~&OpYK z;cy|+gfvq@&QuSEBqn&pDK;O*O*EM(8n{hsf&hqewS$A!f(UqqlFp=R-5j*WB|&p= z9Gis7Ff#=Ls)BD~Fcc{Lcuh{krlE1bR9^}ODkM-PE(!rcV!Q?u zIbaMokS27J2zokAn2N!XQFt@Kqs9pZTAP^Tg$XeH}Vv;D_ zX+$5)4iVUuDlDCEwBV#-G{R=F!FdRPLI-9uxFj79VN}X6dO3}!wxO(Sf|cpw;9PpJ zOXo4_X*!3-Z62?oY6;)S~G#>BvPSx zB$X!tC>c};R!kz=ZD1PQO;JnbHl2`}<^z+B1gr(czgfW~4Y&}b2!!NEHX1f@lx z$4L-ojY7aKNCWYlYJvid!!w;ymlMHK z!ySt88c!=>P;o$98XfOqicJhKL?@>q$sCCht3WaJVvIm+;d-qgtQ&3S@}z7M0w7Yt zU^=KpsfU==CL9-n))O!+l2pz^DFsqEo}cCrxRI%Rg%-;luc^FzAI$;__CD9mUQlyt^b>q20 z2gd@prz-V67fJ_pxU~+_c+Cm-iltnj2%%Gv5NL%Zg-=p@i6}cqj5af&Vp^KV2x4oX z60X;cl&jcA5e?vm;Yp+vI>;fl2x&f=R6-Vl8CZU*kHKRZQ&PoX0SF1RaJ4?$zq=(R z0i|5MK!Xyo^*S#MFX7?vCY6s$79fxyyhbk~6I>h$ND9L6_!u*w5|FX3zvy0iRRs2% z_KV=7S#@K;>4gs(qq)QHBXb{>{y6aA{9q5^@#pga6M2JEgGHBbb7vzt0`S08?){Dx zC$SHA_J)Tp@IRpY*{^EKKB96E2HC8|o?ZQ>++9DES()B^_MX=h$(xt#jjhT*kbaJt zzs>*LQ(02KvOOFMS2!myswR`x+OSw(H?PYdhu%xIeXA=STt2v}k{{5vDPah;we0Bj zNWAlK>y7#Z!w-9Io=H8By?N>K#PzSxuD4w0qV=-dflX`aBzaO5=Eu?eSwW%#?o`6z zZDX#6#FKZeLi^a|DRWPbbo1kvzkQVP%gh~1_g@}g`@Z`C3G`jSs? 
z{)PuZ)Mr&+E8bt2u0+467sY+tf8@(4WNI$!NO$*03pU)E z`7|kiTSiy%k-W~jY1_m6OUjXe*v`z3p4vG7`+K|n%i>-;y?4;l35c$Vf-Q(0ZHS#u zLcC0d^Gr{dj$KqcPcpLq*36R`tu3_~jkI|!C!amhkCl~HeZ*GHDTd_h@@7%bP|p*i zHU_%hb?(2D4_tn{>YDmtMNH@#bB*%SkP)&pXH`e@zLF)_d;VF|>S*~LH_Hveprq8> zl&Jm?oMh(irRa9E`q$j!jg_YxYS%BxecE5RebR1z!G%eS*F4sR&z22;jZ1(3&m6P< zmLjfq!k?DFkX^9fhX$`aynUWi?Ot0_BL793+gTq`5gA-xTtBxBSyHhil$tr`{D0EB zer8pL*K%fm=YDLzd@CH=&fQXLI{Nf?(uDaR`ojDlj}5Oou+`adap7fR&G4~Av2st- z%3)?hMa`~jtM7MBdCz-KTlmRTaO^~NIQ0!tL1gy@*MIjw_-Y__vzpXDG_5V1~AM~U)vEyQ9am9(~8#_5SYqvfpJo`Mk>0o(s0bO<0*53Mu zDzAKE)}FOjMjHF$vKoFW8cT4;+av+e5Ar3{zV6lEC0ql4ll}O^H@UY&p32wz+Dl`G z+*y6twi%jFMre9sy7Y|u>o(_+JFOcJr~mwV$TiTL8F=gHt;lBd-M!BbjMO%ZH^+rG zXNIo9YD%_CUJN~jOqy{#12MlRf9+1u0Sm9Io z)1$9%4gxP((NxE_t==mpM43DMm$A9W{avTVuwfWd^*-tIHFdok4;3|C)@|x|O8!+? zq*xmC6e>7VIJ*1qRi^kt&Wx6*nz4sXFE9S~6B{=pu5sV;=yK49XOkk^PfA*HRYq`5Jg{L++T1rPwUg4gurwM9`1|vgym>KurR_4;W zoOWEqlgD%Z0w44K_`KCtF>p0YQxHX*s2pNF3yv2`&m?_21it#q()h!FDI=yFG=`o1 zH4f4}TAY(u8-O`e-KckUp91b&RFb_wyMBb-6j!;e3R4yqyI0aJf%#hR6L~9o0;buI z{?;ac2^Z&O{oL=GdhAwk;=*L!(Y|TPy;q;4|J>9uueD~1ujfGx{l#Dd^Vr(~hFjwxtA_~@7z&WF)YOm zahU06Hx;c}OAk3w#J#(`?6X>bw>&UZXPNf(8gbB`vbLu9<+lDKZ}s)<=^;~N-ytJ1 z`qJQwRh}Ov6y*Hyh?^yw54aN>6UiA)t1E2Y9qJv-^a}r~K1#VTZ@o4-U82it2Hn9k z3^$6;j%^N%VVtWzyIFZ4HFJON$eekj*UP(RJE+pbF_*vZWaMSG!$D;Ma%J7Zok-*SuG&7JZPCYFhn~M~Xj&X~?%va&qJ@Un@z-6D zUfp@)7~rG0Jnepd+fIvO$fAp!bnQ(*dDJqe?LGsu7wxJwTr%<@*W?Qm>RYy->HHLt zz4VJEDdO#=n1DrH+qY551t7jTOZbNI&&G8{hhs-IleO_3x5Hk-PFPlIC}HfYbC;>R zf>wQB7)KT*41Cj3h@MiZ?K6B>7k~YqS+!|7e|x&%$H`$-Ps1{LRNlMxB%E1!Xhy8Y zZ}-5S71U*{bfcy9XzEMfyKp9DMZ_tn149 zFxGk1IM_DjSH|AnfVZR1P7zxU7Vcvn3M@d(x$tMy+=Z5k)sg&e);&S+{*42hP%)q5 zCo9A5eZ884&1$Tr7gDvH`nAE~EAyR>8yzVZ;8$Km@1Ju0LRQne$qzrDE)RG(x5(5! zi=ebMMziMxa~zxh8^ZQ)==u$R5mqx){drES&=R*bS319%bRb&kbPQLU>%}2~ng0WF C5roJ9 literal 0 HcmV?d00001 
diff --git a/secrets/404-ssl-certificate-key.age b/secrets/404-ssl-certificate-key.age new file mode 100644 index 0000000000000000000000000000000000000000..c05d32b340b813bba02f2068f68eb00dc876edc7 GIT binary patch literal 4584 zcmZY8`#%$kAII^EPMxV-i*n>n8g?_AE^1>p+w8)wC}wuGi`i_Gita*%a!pb$MY-Qn zNEf$KB&CaVRc>8G_w@b#e9m9+e7ru7&pSdGtPzgbC5P*lTU2Lq# zBZ?1&!y!I)1UeoiMcKu~E9Dd=kAT%_BdN@2A`48wA|uIat}qf0!};kzycnE@NR-H+ z41g4-^$zxnQbu?&K=ILNW}t#8R%=xVu`*Ca_9F5b3>qIyp<@(L;D2kV7&cTbv{SGp zGKr2O7AUC!Og5G&kCy-`3N2DdCZQsuNrFI)NU7zDVF5TTARZGO8HmS4NR&aOSgxAI zgOG(%1XdA%AjSyj5Gh(DlgkKlh$0U2Z;j{gBSN6;e6Wbf05l@T2M&f|d3vxap6Cr{ z@X(aNC~v+J4aP^2KnfUziPZ}MZ~|VU3>Nu_)F8Z3%z~3U`S3ZS^(3=0vO~-rqnB5%L$0pz~Lk% zJvc&!34)-I5V#-KUji3JbJ$QZR^fw1{=3avCDjKD?X>7vJT<_Fiy;yGBp|UL6cfSl zfyF3!oB#owLec9uOh_z&5107I0;ni02IURbV7!nK=m@Ett`qzD1QIDecm{$7Vhbop zHZVv;IZA=z(EYF^84w1SQxq&h0AHc<@!`e)-|!>o zSV2+%2t}v!8E6oT>K`w}F+_?uwcL+S0LJ@(bZ9J5D(3KXQoKfwj``1*AR!buS8E59 zdV#?*L2!&d8m|BYc_MP0%u5*umvdntJ_4`j!{gQdEPq0T9~q#g`e9{=I0#b%qEh2y ziDE1jBZ0<6P{>Fsh3*IOj=@RrB!my2@}D-km_x*)>>wzt6hcRm;UXC$Sjmr!_EO>S zI1-o|B#(>7M0?W-1Pu-m9Kgqr0YIV(MZ)SSdXg3bVuSo5Y3!&tZzYxi_XZ2qaWo}g zC82Rd^jPhG_7X|I5jDrWU zwSLiFV7XSOV+ZS_;>ofIx>q!gi-8aY|JOV`?DROelpC*t(YO#Yk1Y8A8u{KpA&gIp z4~_xj(L{C(LI=|Z;h<6)py|%8u+~py7_9Zf9>XSanm8)LAm3!XYKFTk(=GI1*pJme zem^qOB}4gL8HVLuqeto!3ZX+U=YnZI-22}HldoKo8HlcHBz$$gW9iSlGS!`Zk+XaX zVL=jm+Fta`d5al6WdE8h?bdclMW+)v+bru)<~!eWC#gN#>kLm(svI;2LK*0gLyaR{ z;pVdzRiz5V`21r3Zu+bP^xAdOmV!Qy7c2gGA7p*#&|Uz%;^Koh##XMJj7l8dMPn=! 
zZ50^bm_d+>oGRYtQY5$Dy0&k{QMyW+T{=wuP&|#S<}Y3P-CJ5@H^5AK2TR=fGnybe zq%vFo^~jHliMWPs%3~|xrjVSb>^76bxSxaOJ4YVjCeNmXJ$LaNG`@MkzBHlcaZh6T z!|Icpo$%`D9bLwMGZJ$?MdIC;u3K?ErPOfgK?SS8R0AGMnd+Xk{>x=!ZOC5V&#Utb zFEc{EU(IoNxoGWy6V0YG<=1LQJZ>qH0v7Fq~P6u$eT&mLgX@CxqMUC+7 z%g2v~RnT;vZTfTGd3nRKC6D)WS`Gf(-QWp?%p*KZl03i$kLM>wpY{Ch(MKA;iXVSy z^NF=><&Ghj-Oe!jy{i^O-IE1dGd0ilzS`z&@H$FS9Wmfo_b3%W81p2RI0w7e(zY12 z4Rj%3*mnz-FBcpQSQ1r#1+-bZs?p7K!LtxjQZev$#~qg*w2_>0T=4Ntkm+QukxlkJ zV7K)L zUg=S-88@MUKYt!HeG_wP?&Zhz$)}4_lyv3IMegDk0f8~lkmtv9Qw6uWjo#WQrW&Wm zrY`qm{N;0BHl6s$E2z4--2F5B{`2y0w>JbkPusU{CCt1F0M=2w0xa<$AH4Y1sI&%Nff=_$v5rU9+*G#B;z%QaQ(&=_iYnTBX@M2KJrM# zZFbEFi)?Cqxy2x}a{P>;nW5oRAH1#1@bOKDSE=oJH1^gxV?%z;i975ja>Za9oU9Lq zc__*~uZeSPh7Z0cUQEe8G0N<1Tku75>FN401Krd)EX&L|VhQQoNLia#Xnv|?M@I32 zq;y>$3@dx`Xd!-??Kb_<&3P@4t=X5)xVyHMx5h`l26Vn~$OLb3sZ(w6JbQvy&Dp#w zZ|``tangZa_?}k~QcX^Vt$yjAd2CC_lJQd7hV{xnvS_2Zfqx#Hu70{;1I6FaF%c!q zIXs_8{PP6BTs#}1;}X)(P67u8*5-67H&c>H2bU*mnqyg)x^BnX)*(E=uMd^5KZg!W zPnwe~T&XpMW9y1>F}EA}gH_LSw>-}d|7vi?18K6}bKNkr^|o%X*f}PNbUc$9h&=00 z-=4*csBktf=B{qoU(_*Lhz=9f?i`**Kbj#9V~(ZOx&96-dyML+CnK9`+t1ji`<&xP zkUh3Y*W@p=P#>*8-aE&tt(33%9CNwS^jQ55OFehDQIJ94kyU*QmxtH1?TZ~h?_Wm# zcq8t7PT9JT9q!$wm!CezL{A%Dwa}0%@-C0*-t>pRI9l8J$%56|;6iEIkZzxGQ+l<^ z^9OIDS-|~JG7bbfxP7;5S_fQs;Hc9Bp#7fY!c8eX>vB1BqfR?~m~*c`CYmiTbdg2g zUT=TNCaYG#I63tQ;{7?l)wtXB3wbg{Od#UAX%|iZ=*A6#GO{1ryduo3&FH17knY^e z#nc3g_qXHykf&O^^We&YBdmXloT&c(p{V=qL zOOBP?+_=R0_)1r2`Po0dH|nM9AawOU%mXV=bG7R}`wi}b*p6TIRWqv^Req{&&le*P zR(s8#F(^pT?GEkF_!aKqNm#HR62%;yoJqa0AvvPuRO3cU@!qIULC!r_8`#OtVD%b$ zv6B>~N6lPb_ug=DJHByY|C#3}p%#Y$SK8hz2;FQq-P?NVSRIrAUhIi9tC5%J7O3(Zm_LK+M|Jay|_iACnOEn%la zK0S`o!SAd+Dmw*?4)Zy%^n)G7^=vz<B{FCLwG;YU=xl@yi z_fAvNTn}>Hx@Tu6ccrCvoq-H}KE8L;he7KIqbDlwVg~pZfUGrs>2)3nURVd>fR2`y##AxRhHtUvMhn>VE5|+EvP;;y%F7 z(fT>3S!DS&@rq|&!z+(!%Ro3~mnS~+MU2!kZe`Ypp@Yr+)3Tq_rLe5iVd$yk;Rj}i z9>_jNrnm_1`xC(#huxzso4uBv$#%z9P-nRL)$wcHATJ>kMQ;R?%qRD)T)V#>&AVpFg9jy&AdES)&-_T=Q~tn9(=w>3nX 
z(EH>>-K1w|nHenni`ADl$Rv2huiPh?3k1Z5D=)e$Yo4E9AU|TWi0asH(W)}Fx|BMk zJ$>s)$@B@scR}4DTuvJ8!R~ZFTQhu6U&_>p-lN~3ZuM2jFS9JS>680s6!1k%?~3N8 z(O2bVKdt^Lbhb+RLO+p9tjxk%x%So`Fd4gByX~WW`mKcEwV{MQWPaG-29E&Y4_m8@ zD@`J+f>H*tD|w+WhQw$Hti7j!0OH%S6hum9+z;b)Ai4W7q~t%d!?k#^}Or zzAjTVaaUK#o0E%Ou6M3Uo&At@DWYbm0+-rn-)Ot|$H9>1{B5m_LZ{uf8{0XO>a!?H z&g8UvM}hT+ff4ccchpS7<>FZLd2a4rbhBiQ3;S~W6we%-t8~bK3?&J6nSamuVfWWn z@35f@*_#gMEji)Z2RCv%(vwwX@`8n_Hz;aZoiX!|v61K7r_5}myt3JU1e|aSD;>A3R(I5DR5qYk9l~S>b{WCowDV| z6K(Vfi(3b!SR=c4lW1+{r5bcK=1+ug40tQ!8kKY2>!nGT@0eml*}k4f{Lt1WOD zIDG$OqUrGR!S~+*nyrhH696lBMuYd1dc+wQv)3>|lSsiYRP)^r@@{Dup&I=lNmjtQ zukRU^9$qmq{|-7HbRF~Es{LkALQm?fZ@|?DX6Br;H>TX~^t94Bs^R-egTv0HIl+(T zdd3O^FNJom-aj^yk@%3YD0q7W#H8&z?Mq)Gx%;NmT-Wm#%l4#ZBssXlTWnM3-W0whwxSI=elE~b(U|dJ`??1*lWM4z2W#< zRaoAycBkU~UM0g=oa57b;7t1sTjK8?Yh;IzT*4jqxLs)I*Jp3C1P*s)RhMXfeQ`=V zBw1>wd*9D_KR`9{7J3#pv?eXyY4G`LY%vnwPwED&Mo3XZyw#r9tvd>b_0y8=n|Z+4*{euYYY0rj@7@>6{b_IFER_JC?`$+xon>GRy0OS`^k_m&KqGdK7j216=M)(ov& z@hX57bnd6KsFb$jGPvvoqwlX3wQrt=^WftJwpEJ>D@tT36P+(^oQ*%_B>sJm^=y$+ zUT{@%r^IpaVL|H~zP+$Xz4?9ORyPIcOcSG_I-E6c{4;8-^lzI=fK5CH>9V-eZI!pd zdi%N-J^qk!9mpBG58Gm^EHfr|JnnR1X09T9?41Qaz`+}GPB$*$1?2s*4HP=q70t_0 nNBh{8ohEs!vmN7Xta&|+DN^gh9ru3OcsCf@86O?2c`g1Q0cZSe literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1df5866..32cacc9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -94,4 +94,6 @@ in gustave tower ]; + "404-ssl-certificate-cert.age".publicKeys = all; + "404-ssl-certificate-key.age".publicKeys = all; }
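Review bot: `"404-ssl-certificate-key.age".publicKeys = all;` encrypts the TLS private key to every recipient in `all`. That list is defined outside this hunk, but it presumably contains every host and user key, which would let machines that never run nginx decrypt the key. Restricting the recipients to the hosts that enable `luj.nginx`, plus the admin keys needed for rekeying, keeps the exposure in line with where the key is used. The certificate is public material, so `all` is harmless for `404-ssl-certificate-cert.age`.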