6 files changed, 125 insertions, 3 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 1b33630a..3bbd51a4 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -7,7 +7,7 @@ with lib;
    tmpfs-root qemu-guest openssh rebuild-machines zfs
    ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
    ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
-    ./paperless.nix
+    ./paperless.nix ./hledger.nix
  ];
  config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 64864272..5dd60190 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
        ${concatMapStringsSep "\n" mkZone [
          { domain = "yggdrasil.li";
            addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
-            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li"];
+            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li"];
          }
          { domain = "nights.email";
            addACLs = { "nights.email" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme b/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme
new file mode 100644
index 00000000..b3f4cfb6
--- /dev/null
+++ b/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme
@@ -0,0 +1,24 @@
+{
+        "data": "ENC[AES256_GCM,data:lCj8VYJL9z29FJ154XQtxKQLwwitCRGy4krJ6u8yw2FMzoHprEpFgm33+mFspxSKk/It2G8cfTGMZSeVkYJEHb66HNKHl0A2Fz3hwjpRjh1MZAw0wiZJlnS/LNqoGstQ2PJmTQTW3aJRMoT1GS7q/gSp/3rqySA5EOm0GgUiA3Vi7nGpkBenKDEbQbcIBXRdMOk66BCdiz5XGm/1VLQQLO9oVwY2KBnLaZSISohyGVhbIy7GT2ygoWHHxHn0c5CRVNvGNwesM1gO1NnTFrISLMWSrsDPaAtQ,iv:fa8LFjzqsf2ccfbEe5MOmerb7FzXb4xr24y1GWIMT1Q=,tag:7oQ54DKBb76Pbw1lmEHt+Q==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcHJLRHh0VkpDNDU3cGZS\nMWFlVWpFemZ2RnpnSllDWU1EWGoyWUxyejNzClBGandzaFI5NXY1bG51Y3VxRk9r\nc29NbXBOaEZDblBuaVowemQydkxBdjgKLS0tICtVb2xkMmh4T0Q0cU4xQnBzZExI\namFRUnRYTWIyQ3RHNUVHWTFrUzhhK1UKqmATNmxlhkxM5PP1U6w7fSYVA8AgIRAt\nJ9WZrTffQfXMdw4RmjWcoVHFH39Fe4SteedxliCCcqjkjgSEB4Rgow==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlhpQWI4c0x0ZXRGYVE2\nR1dHZzZud0ZxQWsrREhJWUowWE1zem5FVFI0CkJBUnIwY1FGS3N2VnpuSkZjRllZ\ncVgyeVg4cTVjRitzL0RKb0ZQb3BsOEkKLS0tIGs3SDBkamVBNDhQUlh5dmVVZXJs\nM3VKdlFKc21GcFY0UUtiaHFvYWI4V0kKKuWYEncxe9NT2ZS3X3+l/gT4BQOrdCg8\nj2jGL+Yzy/356GO3PFTn2HHLam6KWDKaYB5TlK/zSohfUt5giQH2Lw==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-02-19T17:13:51Z",
+                "mac": "ENC[AES256_GCM,data:XsBdMCBjB+YuBMZQrjJ5uZtaYKSqsdWVvm+IEoJflCKPIhPk2rBZ3nY8KngXFbq2fWgsYyTM83kb2trEGIEHUPuERt+mgfCI3bSlylriwgsDWihCjyBecNE+BbdXE0+YcNl8pIwBU4M+3f2StQMH22YamToLJ9i9kfKcBrirDuU=,iv:VTIdBVY3kVBMYWhYUmrP2vZ9rpH90DzF68y1aDf2EAs=,tag:YkL+nw6LNXAceZtx9vgf6A==,type:str]",
+                "pgp": null,
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.9.4"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index c77c9b82..2ef120e6 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025021300 ; serial
+  2025021901 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -85,6 +85,14 @@ _acme-challenge.paperless	IN	NS	ns.yggdrasil.li.
 paperless                       IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+hledger                 IN      A       202.61.241.61
+hledger                 IN      AAAA    2a03:4000:52:ada::
+hledger                 IN      MX      0 surtr.yggdrasil.li
+hledger                 IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
+_acme-challenge.hledger IN      NS      ns.yggdrasil.li.
+hledger                 IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/hledger.nix b/hosts/surtr/hledger.nix
new file mode 100644
index 00000000..e44933c3
--- /dev/null
+++ b/hosts/surtr/hledger.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "hledger.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+    services.nginx = {
+      upstreams."hledger" = {
+        servers = {
+          "[2a03:4000:52:ada:4:1::]:5000" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "hledger.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/hledger.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/hledger.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/hledger.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://hledger;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+            '';
+          };
+        };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "hledger.yggdrasil.li.key.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/key.pem"
+          "hledger.yggdrasil.li.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/fullchain.pem"
+          "hledger.yggdrasil.li.chain.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li b/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li
new file mode 100644
index 00000000..ab6cdd68
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li
@@ -0,0 +1,24 @@
+{
+        "data": "ENC[AES256_GCM,data:Yd70QIj9DE6a5IN+Mf2M5p95vkRMHRg9BXaM686W7BRtthOw9m54/5FK6JWr,iv:cIOIKinkqFFPgTZdewWVY0h6kM5hGfVzuA4iYNhwK5c=,tag:Ds/oI+TOERbIdcGbI4WoEg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NnJ4SmsvSlh3ZlliSm9C\nNG45clh3NEZWZ05jaHhVK0xqTVRFL2wxN1ZrCk5hL2p2ZjhtcDBjTEZscXFTNkY5\nemVZSUUwV2V5cFBTdWo4RWxsM2xROVEKLS0tIDBFSFlkUVJ0ajJEUENlelVFKzVk\ndnJhMURMU2o3WVBKZGNVRXBiNytqUFEKHivcSTYy5D770C0h7RsmLBmkIG9+MDoV\ngJHvfkGzXPKwmDTMKdHbIk+ctI+u0/1jMn/K2Q9OFnOIYxP3gHiFag==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYUNCQ1U2MXpQdmM4SHR0\nTnJWZlFGTUQ1NjVqZ3Z2MGt5NFpBVFp0b0YwCkdseitkbzI1RkZyL3V5Z1pNMG9R\nVnEzRUxrTDQrS3BiMXB1QUFPeUcxZUkKLS0tIGJFODkwNFY3c0tBLzFBNjFiYjJk\nZW82bTdia2F1NHpNSG1IYmhWb1ZCTHMK9ovFx3+x5PrV4y6+RH5XA5DK2wRPXlAt\ncxxpRZIlmnvhZXIeCYE9yhHFmz3uAn0Oib1RUDblca9FlnF9tyYD6g==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-02-19T17:13:51Z",
+                "mac": "ENC[AES256_GCM,data:ReRuK9qdZV8AbMzA9Yur0AZW+1RF3aRnfBvsKJkQtXsFdkmJQ4QkRGtL27RmjFdvQ3kXBIyhib7hYA60AJ0amduYrSScY0dtz8AurjyE4f2BGQ9/QeKRBfKXHxLvj4/xWNvS4+PVdGKkKbqIs8isz9n77WQQ3lTHop2K/TjaTuQ=,iv:gUhDK9oeUHdpQ2Fp8mFDIgPFo2JjHE0jjooL7FmvmrE=,tag:2lkwSl3j3oqamdLbM9wbow==,type:str]",
+                "pgp": null,
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.9.4"
+        }
+}
+\ No newline at end of file

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 1b33630a..3bbd51a4 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -7,7 +7,7 @@ with lib;
7	tmpfs-root qemu-guest openssh rebuild-machines zfs	7	tmpfs-root qemu-guest openssh rebuild-machines zfs
8	./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql	8	./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
9	./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix	9	./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
10	./paperless.nix	10	./paperless.nix ./hledger.nix
11	];	11	];
12		12
13	config = {	13	config = {


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 64864272..5dd60190 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
157	${concatMapStringsSep "\n" mkZone [	157	${concatMapStringsSep "\n" mkZone [
158	{ domain = "yggdrasil.li";	158	{ domain = "yggdrasil.li";
159	addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };	159	addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
160	acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li"];	160	acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li"];
161	}	161	}
162	{ domain = "nights.email";	162	{ domain = "nights.email";
163	addACLs = { "nights.email" = ["ymir_acme_acl"]; };	163	addACLs = { "nights.email" = ["ymir_acme_acl"]; };


diff --git a/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme b/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme new file mode 100644 index 00000000..b3f4cfb6 --- /dev/null +++ b/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme
@@ -0,0 +1,24 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:lCj8VYJL9z29FJ154XQtxKQLwwitCRGy4krJ6u8yw2FMzoHprEpFgm33+mFspxSKk/It2G8cfTGMZSeVkYJEHb66HNKHl0A2Fz3hwjpRjh1MZAw0wiZJlnS/LNqoGstQ2PJmTQTW3aJRMoT1GS7q/gSp/3rqySA5EOm0GgUiA3Vi7nGpkBenKDEbQbcIBXRdMOk66BCdiz5XGm/1VLQQLO9oVwY2KBnLaZSISohyGVhbIy7GT2ygoWHHxHn0c5CRVNvGNwesM1gO1NnTFrISLMWSrsDPaAtQ,iv:fa8LFjzqsf2ccfbEe5MOmerb7FzXb4xr24y1GWIMT1Q=,tag:7oQ54DKBb76Pbw1lmEHt+Q==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": [
		9	{
		10	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcHJLRHh0VkpDNDU3cGZS\nMWFlVWpFemZ2RnpnSllDWU1EWGoyWUxyejNzClBGandzaFI5NXY1bG51Y3VxRk9r\nc29NbXBOaEZDblBuaVowemQydkxBdjgKLS0tICtVb2xkMmh4T0Q0cU4xQnBzZExI\namFRUnRYTWIyQ3RHNUVHWTFrUzhhK1UKqmATNmxlhkxM5PP1U6w7fSYVA8AgIRAt\nJ9WZrTffQfXMdw4RmjWcoVHFH39Fe4SteedxliCCcqjkjgSEB4Rgow==\n-----END AGE ENCRYPTED FILE-----\n"
		12	},
		13	{
		14	"recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
		15	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlhpQWI4c0x0ZXRGYVE2\nR1dHZzZud0ZxQWsrREhJWUowWE1zem5FVFI0CkJBUnIwY1FGS3N2VnpuSkZjRllZ\ncVgyeVg4cTVjRitzL0RKb0ZQb3BsOEkKLS0tIGs3SDBkamVBNDhQUlh5dmVVZXJs\nM3VKdlFKc21GcFY0UUtiaHFvYWI4V0kKKuWYEncxe9NT2ZS3X3+l/gT4BQOrdCg8\nj2jGL+Yzy/356GO3PFTn2HHLam6KWDKaYB5TlK/zSohfUt5giQH2Lw==\n-----END AGE ENCRYPTED FILE-----\n"
		16	}
		17	],
		18	"lastmodified": "2025-02-19T17:13:51Z",
		19	"mac": "ENC[AES256_GCM,data:XsBdMCBjB+YuBMZQrjJ5uZtaYKSqsdWVvm+IEoJflCKPIhPk2rBZ3nY8KngXFbq2fWgsYyTM83kb2trEGIEHUPuERt+mgfCI3bSlylriwgsDWihCjyBecNE+BbdXE0+YcNl8pIwBU4M+3f2StQMH22YamToLJ9i9kfKcBrirDuU=,iv:VTIdBVY3kVBMYWhYUmrP2vZ9rpH90DzF68y1aDf2EAs=,tag:YkL+nw6LNXAceZtx9vgf6A==,type:str]",
		20	"pgp": null,
		21	"unencrypted_suffix": "_unencrypted",
		22	"version": "3.9.4"
		23	}
		24	} \ No newline at end of file


diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index c77c9b82..2ef120e6 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025021300 ; serial	4	2025021901 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -85,6 +85,14 @@ _acme-challenge.paperless IN NS ns.yggdrasil.li.
85		85
86	paperless IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"	86	paperless IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
87		87
		88	hledger IN A 202.61.241.61
		89	hledger IN AAAA 2a03:4000:52:ada::
		90	hledger IN MX 0 surtr.yggdrasil.li
		91	hledger IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
		92	_acme-challenge.hledger IN NS ns.yggdrasil.li.
		93
		94	hledger IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
		95
88	vidhar IN AAAA 2a03:4000:52:ada:4:1::	96	vidhar IN AAAA 2a03:4000:52:ada:4:1::
89	vidhar IN MX 0 ymir.yggdrasil.li	97	vidhar IN MX 0 ymir.yggdrasil.li
90	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"	98	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"


diff --git a/hosts/surtr/hledger.nix b/hosts/surtr/hledger.nix new file mode 100644 index 00000000..e44933c3 --- /dev/null +++ b/hosts/surtr/hledger.nix
@@ -0,0 +1,66 @@
		1	{ config, ... }:
		2
		3	{
		4	config = {
		5	security.acme.rfc2136Domains = {
		6	"hledger.yggdrasil.li" = {
		7	restartUnits = ["nginx.service"];
		8	};
		9	};
		10
		11	services.nginx = {
		12	upstreams."hledger" = {
		13	servers = {
		14	"[2a03:4000:52:ada:4:1::]:5000" = {};
		15	};
		16	extraConfig = ''
		17	keepalive 8;
		18	'';
		19	};
		20	virtualHosts = {
		21	"hledger.yggdrasil.li" = {
		22	kTLS = true;
		23	http3 = true;
		24	forceSSL = true;
		25	sslCertificate = "/run/credentials/nginx.service/hledger.yggdrasil.li.pem";
		26	sslCertificateKey = "/run/credentials/nginx.service/hledger.yggdrasil.li.key.pem";
		27	sslTrustedCertificate = "/run/credentials/nginx.service/hledger.yggdrasil.li.chain.pem";
		28	extraConfig = ''
		29	charset utf-8;
		30	'';
		31
		32	locations = {
		33	"/".extraConfig = ''
		34	proxy_pass http://hledger;
		35
		36	proxy_http_version 1.1;
		37	proxy_set_header Upgrade $http_upgrade;
		38	proxy_set_header Connection "upgrade";
		39
		40	proxy_redirect off;
		41	proxy_set_header Host $host;
		42	proxy_set_header X-Real-IP $remote_addr;
		43	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		44	proxy_set_header X-Forwarded-Host $server_name;
		45	proxy_set_header X-Forwarded-Proto $scheme;
		46
		47	client_max_body_size 0;
		48	proxy_request_buffering off;
		49	proxy_buffering off;
		50	'';
		51	};
		52	};
		53	};
		54	};
		55
		56	systemd.services.nginx = {
		57	serviceConfig = {
		58	LoadCredential = [
		59	"hledger.yggdrasil.li.key.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/key.pem"
		60	"hledger.yggdrasil.li.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/fullchain.pem"
		61	"hledger.yggdrasil.li.chain.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/chain.pem"
		62	];
		63	};
		64	};
		65	};
		66	}


diff --git a/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li b/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li new file mode 100644 index 00000000..ab6cdd68 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li
@@ -0,0 +1,24 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:Yd70QIj9DE6a5IN+Mf2M5p95vkRMHRg9BXaM686W7BRtthOw9m54/5FK6JWr,iv:cIOIKinkqFFPgTZdewWVY0h6kM5hGfVzuA4iYNhwK5c=,tag:Ds/oI+TOERbIdcGbI4WoEg==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": [
		9	{
		10	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NnJ4SmsvSlh3ZlliSm9C\nNG45clh3NEZWZ05jaHhVK0xqTVRFL2wxN1ZrCk5hL2p2ZjhtcDBjTEZscXFTNkY5\nemVZSUUwV2V5cFBTdWo4RWxsM2xROVEKLS0tIDBFSFlkUVJ0ajJEUENlelVFKzVk\ndnJhMURMU2o3WVBKZGNVRXBiNytqUFEKHivcSTYy5D770C0h7RsmLBmkIG9+MDoV\ngJHvfkGzXPKwmDTMKdHbIk+ctI+u0/1jMn/K2Q9OFnOIYxP3gHiFag==\n-----END AGE ENCRYPTED FILE-----\n"
		12	},
		13	{
		14	"recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
		15	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYUNCQ1U2MXpQdmM4SHR0\nTnJWZlFGTUQ1NjVqZ3Z2MGt5NFpBVFp0b0YwCkdseitkbzI1RkZyL3V5Z1pNMG9R\nVnEzRUxrTDQrS3BiMXB1QUFPeUcxZUkKLS0tIGJFODkwNFY3c0tBLzFBNjFiYjJk\nZW82bTdia2F1NHpNSG1IYmhWb1ZCTHMK9ovFx3+x5PrV4y6+RH5XA5DK2wRPXlAt\ncxxpRZIlmnvhZXIeCYE9yhHFmz3uAn0Oib1RUDblca9FlnF9tyYD6g==\n-----END AGE ENCRYPTED FILE-----\n"
		16	}
		17	],
		18	"lastmodified": "2025-02-19T17:13:51Z",
		19	"mac": "ENC[AES256_GCM,data:ReRuK9qdZV8AbMzA9Yur0AZW+1RF3aRnfBvsKJkQtXsFdkmJQ4QkRGtL27RmjFdvQ3kXBIyhib7hYA60AJ0amduYrSScY0dtz8AurjyE4f2BGQ9/QeKRBfKXHxLvj4/xWNvS4+PVdGKkKbqIs8isz9n77WQQ3lTHop2K/TjaTuQ=,iv:gUhDK9oeUHdpQ2Fp8mFDIgPFo2JjHE0jjooL7FmvmrE=,tag:2lkwSl3j3oqamdLbM9wbow==,type:str]",
		20	"pgp": null,
		21	"unencrypted_suffix": "_unencrypted",
		22	"version": "3.9.4"
		23	}
		24	} \ No newline at end of file