feat: implement repository-wide secrets

hosts/zackbiene/default.nix

@@ -20,6 +20,7 @@
     ./mosquitto.nix
     ./zigbee2mqtt.nix
     ./esphome.nix
+    ./nginx.nix
   ];
 
   boot.loader.grub.enable = false;

hosts/zackbiene/nginx.nix

@@ -0,0 +1,43 @@
+{
+  lib,
+  config,
+  nodeSecrets,
+  ...
+}: {
+  #security.acme.acceptTerms = true;
+  #security.acme.defaults.email = "admin+acme@example.com";
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    ## SSL config
+    #ssl_protocols TLSv1.2 TLSv1.3;
+    #ssl_dhparam /etc/nginx/dhparam.pem;
+    #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    #ssl_ecdh_curve secp384r1;
+    #ssl_session_timeout 10m;
+    #ssl_session_cache shared:SSL:10m;
+    #ssl_session_tickets off;
+    #
+    ## OCSP stapling
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    virtualHosts = {
+      "${nodeSecrets.zigbee2mqtt.domain}" = {
+        #forceSSL = true;
+        #enableACME = true;
+        locations."/" = {
+          root = "/var/www";
+        };
+      };
+    };
+  };
+}

hosts/zackbiene/secrets/secrets.nix.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 i6aU9NyNgN17pez4P33oV7d/HNDirMTDIDvZQiWyD0U
+3TgVPXyYypC+b7c17ZoV1ZbASpqzgskJ0OUVtBgxhFk
+-> piv-p256 xqSe8Q A3kpyhwhqEsSqoVD7SB8VK5dU0ZiOrsOdloF+iviN/mq
+W315d5mn13I4JWpsut801LKgGieKF8NIuJ6TeF4wCtI
+-> Vzkv-grease u
+ScmUF1PthzjmA8USzPlx5s5zcTDMGb2zcniHiOHz/ax4cTDKtnDgr8hI6r/6cKXs
+5EkFcJHCI4nNFSCK8WHIIaGDpWWB6YrkkicVQU9K7QRa57xhVniotpH1rOnbEcFN
+j5M
+--- 4rSnr2uChIZoKOe3DDWFK/3JUUPAst1LDOulv1WN1Ek
+þÊýÔ´‹âW…b^zËrFç<Zh®šp	ʘëöѬzf# & ëÔφÖ\ÑlÝDQÅwé9º#¢ÕS¢ü0ÜF¢A’/N
ãŽ%Ûßxÿ�™¸uÄl„