From 63c776c23813cf48cbeaf8fa464c0c1e818c706f Mon Sep 17 00:00:00 2001
From: Alejandro Angulo
Date: Fri, 3 May 2024 19:57:00 -0700
Subject: [PATCH] Added hydra proxy
---
 modules/nixos/security/acme/default.nix | 7 +-
 secrets/cf_dns_kilonull.age | Bin 673 -> 783 bytes
 secrets/hass_mqtt.age | Bin 573 -> 573 bytes
 secrets/hydra-aws-creds.age | Bin 422 -> 422 bytes
 secrets/nextcloud_admin.age | 16 ++--
 secrets/secrets.nix | 3 +-
 secrets/teslamate_db.age | 17 ++--
 secrets/teslamate_encryption.age | Bin 463 -> 463 bytes
 secrets/teslamate_mqtt.age | Bin 605 -> 605 bytes
 secrets/theengs_ble_mqtt.age | 16 ++--
 systems/x86_64-do/proxy/README.md | 5 ++
 systems/x86_64-do/proxy/default.nix | 105 ++++++++++++++++++++++++
 12 files changed, 143 insertions(+), 26 deletions(-)
 create mode 100644 systems/x86_64-do/proxy/README.md
 create mode 100644 systems/x86_64-do/proxy/default.nix
diff --git a/modules/nixos/security/acme/default.nix b/modules/nixos/security/acme/default.nix
index 740eea9..ff54ce1 100644
--- a/modules/nixos/security/acme/default.nix
+++ b/modules/nixos/security/acme/default.nix
@@ -23,6 +23,11 @@ in {
 type = str;
 description = "The domain to request a wildcard cert for.";
 };
+ isWildcard = mkOption {
+ type = bool;
+ default = true;
+ description = "Whether or not to request a wildcard cert.";
+ };
 dnsCredentialsFile = mkOption {
 type = path;
 description = "The path to the credentials file for the DNS provider.";
@@ -49,7 +54,7 @@ in {
 # own DNS to make `lego` happy (will resolve names to a public IP).
 dnsResolver = "1.1.1.1:53";
 credentialsFile = cfg.dnsCredentialsFile;
- extraDomainNames = [("*." + cfg.domainName)];
+ extraDomainNames = mkIf cfg.isWildcard [("*." + cfg.domainName)];
 };
 };
 };
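Review bot: The `domainName` option's description, kept as context two lines above the new `isWildcard` option, still reads "The domain to request a wildcard cert for.", which becomes misleading once a consumer sets `isWildcard = false`. Suggest `description = "The domain to request a cert for; a *.<domain> SAN is added when isWildcard is true.";`. It would also help to note on the new option that switching the wildcard off does not change how the cert is obtained — the later hunk still passes `dnsResolver` and `credentialsFile`, which suggests a DNS challenge either way — e.g. `# Disabling the wildcard does not remove the need for DNS credentials; the challenge is still DNS-based.` (confirm that reading against the rest of the module, which starts before this hunk).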
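Review bot: `extraDomainNames = mkIf cfg.isWildcard [("*." + cfg.domainName)];` leans on the module system dropping a `mkIf false` definition inside the certs submodule, which works but reads as if the attribute might end up unset; `extraDomainNames = optionals cfg.isWildcard ["*.${cfg.domainName}"];` produces a plain list (empty when the wildcard is off) and states the intent directly. This is purely a style preference — the resulting cert request is the same either way. The enclosing attribute set that holds these settings begins before this hunk.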
diff --git a/secrets/cf_dns_kilonull.age b/secrets/cf_dns_kilonull.age index df96353cd5492e9213df573441cada40654d0f31..10dc1cf3e03894352fea69f727396371e6479d90 100644 GIT binary patch delta 695 zcmWO2OKZ~r003Z}_*nHcCSwRvM38NiCe5>RPSU1n(>86Arb#K&txMBanlx$Cr0r#n zfscde@G+bR-8^_6QabD>w}UZ*JUBCAT(8g z>Org8>I7M)Sf6B!s)dx=NJs^9PF|O2!*MZG0S45x?DYi{3e1<%9NQ2@yBT53YKfXe zqkyUlPRz^);o0dv2{WQXCPE{HR*s}p49A*8DPnONp;|-1d?!JYt!6PRWq7XPvZ9Wq zVQ5f9RK#Y$WR29+Y8ZrBf*18LA`5{)2ur|a$Vty`^+~v-z*0n}KnxQhvLef2ts2P3 zTS+^q#?lcjY}G1R zapTC>lm*IoeGH*+%-8$4n zNr4qG0uxH!wuF*ACkkevV5uxFDzwWp>TWbj9wqNX5YX>NsFVT_Za$&=kXlwJfik8N zTt%A-G()wdo$)(#9O3{{SBiB8ktj}*T}j+$unHB=sU<&LlVb#A`U_IC06H0h3wQyv zJ!F|Fp=HK*IgiJkQdtJ$SswB0PF#y48M$E%>2yc1WE|x>wT=?fxCjJ7GVMxT;9ni? z<-Ak9N59@)Ub>YfyCOfwuReX76Mr0egYKE!xI91d^1fgG@b1vU-Sx$bD^EN-!#i6W zaCc<;dv{R~V*?}Z`DYHWXY=Iy{(Hw3h1H3!wc(yezh3n8hE61xmyC+?v3ch-K6vJJ z@$uZvnbCs}eWy0*Z_0%6XYuS>xZVj(w~yoh#=f{#2F5>U&tLkz`e|Qlef#f&p}Btd J^XkmlmH&q<`-T7j delta 584 zcmV-O0=NB-2B8IzDpxOTPiS&(VtQw6L})l+Zb(%*Yjsv^ZdO?{HbhrTF-LJqN@`MQ zWp!~lRtjcwHe^z7Xg4xUFLif9VrepSNNR3ySu0s$S7btHI7o9vH*`=-PB&vTW08Ru zS3zM$Qbu@gY-BNYW<^9;Gj>@^bZB^VR55IHbyQkvIB$0~b5w0KaaC+p3Q%KdT1Hw> zSTk!maX3XbZca{NPk3-SD{@CgRYNa#OJOp4NJV*VZ%kt_k?$8*X>l)hZA(TtGFfy~ zcS>_%H)2qFMrlZ6D{N_WXJKP(NM=e@S4ebNY*R@JN@PSha!NHqLTp23Qf6~bOlx^! zPHHPKZcledHcL)HLrqq9P)ToCXj4^_T>%$=PBv9?cxf~?YDrXRH!(v|LPXlYb2Rd_`TXKhkRPf{;tRWmS2Nn&ScZE!JVRZvQ6aA;@`Wh+N3b1`*rc4&23Fn2jGb}=$*VN*kY zW>_i3w zl>8znb2sVRga($zc_{#|RhZPByU^+{1dltx^|RJRRt>B+xJjfJ8X$vwl$^PxHuxuX WNfM7FmdM-O|Gf$Sq_s zq0@ROYbh&Aq#RR@&zgc}fbncGyKj7^Culcp#7yn*-i$8w8c*t9ShgV;RH*P=9voG^c{{dod Bs%QWJ delta 483 zcmV~$yNlCs003YM=aOBziQsVHkD4}39|1wrB+a8q+B}*xMTfM_J82$Gd;Mj(6U0Rj zPZ692!9_t36yZQu!9l@uaPtq)QE>A6&JNBF9$ho>?Km{5Zi1>T4_J;0!rpoymh5&F zG@+Uifz5dI5iRD}6bZTJdQ>*IxI=-e!~0x93>=0gKSN>L1UNb5|JLd`n8TQ`l7 zh0h?FnFK|udBA5C1!FjX7lMLP6^J_lPuFjf=9u; z+#rocil6)YpAPZb+Y2`?(Z8;K`~CMslYX4nKEAoQfBNs``&(irV3(KYuf86C H7GL}aLCUH= 
diff --git a/secrets/hydra-aws-creds.age b/secrets/hydra-aws-creds.age index 07a1e6ea471acf2d7378968ebd6ba9a49c891021..b5e593677023a5af420990defde7f60a8a916181 100644 GIT binary patch delta 370 zcmV-&0ge8q1EvFzDpxskW;riaMOaTmaY<@PHcxbOO+!jzRZMqvPjOFCVo`ETYcp|h zVKzo(L<&P`Sx!|_MrV0uFgaRsD@kl~VM$6&crh_BO+s!?H83(vdN6cibXG((Ns)mU ze^p{Qd3ZKbH8*KBdTMAdZbMfvZgX&Da#2%RaXDjSD|It%VPsBbS#oJ(3QA&hQBgx> zd1qxvVp>FZXE|qVF=Ti{cvWS0bysLJSyVSUS!6M9H8M0s3N0-yAX!o?abzz`S}`z0 zbVf-}VRCIqLSay0GI4HpOICDjYC|?ye`t4FQ898WZwl*T1Xkx3J`#Q45Yl4% Qjt)9M$u@bJdamV=G+=F!IRF3v delta 370 zcmV-&0ge8q1EvFzDpzQBWKK*pL}@d1Q#EBvD`-zqIYTfxNl|TRZC7qFa6~j_P*P-W zLTNcGX9_fVY1RqVpeuhYe-{sI5J6PH%&)t3N0-yAVD!|VnQ}!cx`q# zFG@{Dc0)%}O+-0XdP^`lPAhjbPu){`-k--2 z$@}kuz+82aa;hl2HU>g|jqO^aaqaZ1RHG2?x`v9Uzvz!|eL#FyEPz>tOT}P@%5Wad z5>!@jZRBjQs-n){N8ez75Jg?{5pX9(l_~AF2k<;ReYvGfo8m*n1 piv-p256 UIEGzg AnK3fZAMaiuHUwPHAI0061l8KBzmjSgZBMjk3UIPJwHd -1iwaFAOz0zIx6B41JtcG2DK2N069hYQ4Vnqg4fedpjo --> ssh-ed25519 Yk7ehg IyyI4ryCFtm+chFhUKfwa4xolCvEvNhxNjkNZgK18X8 -VaSato0zX/b39z+Gg+7e249RUxNMHeEmRBs+42jIu0Q --> ssh-ed25519 SYNSNQ fmj8P+lL02Yul83iYLBgUsEjGvqhmhY9cX9v/MNTORk -WiwoKI9T6NJG7W5LvD+uyNuQMNRTDoCJ1G1SAEtv8Lo ---- miVPF2w5xzQgwPwqt66QSR/Cu8/yyZK2W+MJgd2VcMM -%WHh|_WI7'|=J@Ph!;jVj$cv] d| \ No newline at end of file +-> piv-p256 UIEGzg AlVgFIs0fcxvCxhQpvJy0zoxyDG/jjdH3tanlh6g03Hb +h0BWlUFf6thkOhL7C7p4a+y6pcSyxNcaQRqJB+t5MPI +-> ssh-ed25519 Yk7ehg FISeG4j0GnisFHqaKG3EQlHVwvyMgNaB/azd+K406mE +Hls/fpeD7Y8ijA4i8PVkLOUKIe7G9TGaUegwVBTLV/c +-> ssh-ed25519 SYNSNQ iNNqmZu6C7L5encU/oLYXQswn2DtuW/hvtSLGJft8gQ +EjwJRLMuqezJ427LC9pfR0VibL+IL/idlAJE9WupD9k +--- v3VGseXZtHJeTOxhRIp2fSGAJ8rr/dWQpJP1p12To/I +T%yFҽf:_98zM{MeyFLɵwxgszw:򌎧n(U>B \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f144354..e2ad489 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -6,9 +6,10 @@ let gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ"; node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv"; pi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9fnNXzEmDdmtR+KWj/M9vQioFR0s/4jMnIkUFcj8As"; + proxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAf6Z7SZEOH3H51T/GPIc/B0OpbaydM5l2PP3nMnwpFl"; }; in { - "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4]; + "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4 machines.proxy]; "nextcloud_admin.age".publicKeys = [users.me machines.node machines.gospel]; "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4 machines.gospel]; "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel]; diff --git a/secrets/teslamate_db.age b/secrets/teslamate_db.age index 6f7332e..f992338 100644 --- a/secrets/teslamate_db.age +++ b/secrets/teslamate_db.age @@ -1,9 +1,10 @@ age-encryption.org/v1 --> piv-p256 UIEGzg A8ilJuoE2n5sF0XF6PhErjsJ1/EttBm4tn5Sv51WATLr -KtXedCvKhAyM7cNaHNqMsiNBgRDb6N1ZO/nj0+NFLQY --> ssh-ed25519 Yk7ehg yA2ilbzpLOSs2D3pDXu3p6kpUwkdr7gK9et5mf5iuhs -ON1C1BCQRwQTavOfqGq0byy5elO7EWTkuOi+h5BLa6Y --> ssh-ed25519 SYNSNQ ywdfhuW5cs1aSDPo+JL2b6APhiTijZ892yQk0GA/hlI -m3UBcMG6riihCV1ZNkn11nU+TOfMUyixbC3vnEpvLao ---- CiF9tD78NMgnvy788sBkFti4LdMPx8kQ9DKWphIW8Fo -^9=]}Ɏ(nG< C:$BeG X \ No newline at end of file +-> piv-p256 UIEGzg A7y0aAtgUDLMypaXczhKrN0YTi82Ebmj3YTQ1WZTHU+U +SsotYlcsVQN/O8DTUXIxFmeISElpTF5nxYzsrhVCABE +-> ssh-ed25519 Yk7ehg epI85HdXuSYs7C/01CT7Y8XaTRrw+HkVo6wOa0fz2Bo +mf5q0kcWeElyNAShdVY7MLGSun0cL0ixK5QzQu1NEOk +-> ssh-ed25519 SYNSNQ YgAvuTGFh6hpkaAHIBda4uqmzFEJQkNj2HPenWRoz3o +QjIZqvcqMo4rI+diLDgffrW65qWGnGqrhTR/5Gx8B+4 +--- 2co6b8q6Yg+J4SyPY56r9HGl/gfvEF5Ad010PaftIR0 +LA!xɇ +]$FLZa|mXiq&׻:=edB \ No newline at end of file 
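Review bot: Adding `machines.proxy` to `"cf_dns_kilonull.age".publicKeys` hands the zone-wide Cloudflare DNS token — which, per the TODO in `systems/x86_64-do/proxy/default.nix`, is able to issue wildcard certs — to a host that also terminates public HTTPS on a DigitalOcean droplet, so a compromise there exposes the credential every other machine relies on. A safer split is a separate token scoped to DNS edits on the one zone, kept in its own file keyed only to the proxy, e.g. `"cf_dns_proxy.age".publicKeys = [users.me machines.proxy];`, leaving the existing secret's recipient list unchanged. It also looks as though the proxy host does not consume this secret at all — its config points `dnsCredentialsFile` at a hand-written `/var/acme/creds` — so if that is the intended path the new recipient can simply be dropped; worth confirming which of the two is meant before the re-keyed file lands.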
diff --git a/secrets/teslamate_encryption.age b/secrets/teslamate_encryption.age index 15e0c46abe234cec547f6039448dde930e480c47..794812f92567cd763126c02931c79e32ec634790 100644 GIT binary patch delta 390 zcmV;10eSw<1J47HDpxaWWHC{BacnU~cy2dtbVqqeNOw|eFhhA^NOx6PI6`VeQDtme zVoOO>Y6?hbWI0oIGf-19MMXwuD={=Ncu-PTbY?>dQ){UWmQTx zHBwJ6adK2KH8^HfM=@+#H*;4@Zf`SgPdRxjF>?wuYj-$EHdRk6GIVHHNlj>4H)~OJ zIC3{gLU=_~K~GjVOm9(ja&9X_b3qC%EiE8MIB+*jPGvYNaWh13OjKiWQ%yxeGiXkA zW;a!LH8VMLc1CweOjb{AIB#zXG^(SV$rAfYh#3Z3tC2R7@MvU67GkW~HXAFfV}iAD k%XPK(J~Z!Ww>lvumsLxC7TNZ-;PofC^e@Ci39Hib>30!}#sB~S delta 390 zcmV;10eSw<1J47HDpxi`K|*{rP*-&;XGudV zK`&5oa0+^DY(+s?R8LJ|OmIPPGe$`?F*9mPQ8##1OnESKMQ~(OVRmamMNctWL6LzM zS7uR0OLcKdaw|koWK=L~VNFv;bYy62M`cVeGI)A5RZ%rqb7)s_YcFV73RF~iGg5kL zWH&Z;K~qsfQ%PYrYEMZ-cr<8vLV9|4FK97HRWwjWYjjUzk?$CPL2NchV|sLXa8^-R zQ!r6wbzyljZDCPTXlF}oFl=f_OLJ6bc5rA|YC#H2HFs=MNI@|#N^((TdUsVZQbjgX zI5jVFI9FF;RZcN_Vl-`VR6$u(H){$lEiE8&Y)MB&Ff(Ozc`++ZO?NbEIb>#bZg4kC zIB7;zI5Ih8MmRZ1ZFo6BPDVHiBdYTaK%O*~qOGk^!^=F=oCC?su@G)c!7R+(kU-$;*&|Aij52I4eBa)M0zv7-)1f1`SM8E2c>jh@xi+ zAKJ79Mhi>M9J5mbBasBs7+0voL|LpQqRj@cIxIM5G9rOOD)WPey%dMsJP`Y(^k}cB zBQ#{8S~Sor0n10E#4B~nrv(_(M{>2x63!NEI7pbyjTC_5sAYPr*n#*arl|6AD;ab{ zg>xm0BLoK41{|`S+A8C9j(!*QB!~NP2nX>D?a`LTPn%J{7q-=rEK!25N_=K|lZMRY z1PqMkGrL_?ErE=jwrLnp52?1%CO?r=Hj)y#7MEPBH%zQb|LMcE;%+Ih*|}1K1UwUR z*E16ZXW9Z!q!~+)DMm$*mj_6N88JA3;IWUSb$nY#g_-IriR_XQOw;x@XN+4g2HIgC z(-#`qfq``o#f6K2d2)6_2cga zcX0gSo%}5Q;v8cBVPWUi{*~~ue>GM2?wzjhOX$nHJJ-&y-+A<>_@^-wZMM p^zYK?^ELfg<2PPE*u8o1;{EN<{C)4_?Z?em^~dL5-%vMx{s$7px26C9 delta 515 zcmV~$OK8(z003ZRlZ|-tVlN8Ai)bm!qs=<-lBP@2w0Sm7nnH(vvo_DBX_GElF5;XQ z(bcIJ4|?$=9y|yN)1wy;lOl*axZNfy$PNm^F8X~3vj?;HuWF+~*G+7XL`}lR)FRRE zq^b?`e&9Hm04Fj^#p>8ftNKa=wU*>8F9@#eQ*|fqHhHlTu{P(66k07B1wkeTPAMU$V|&4CLM5~$M!{- z88XEfDTBaOTj7cvm`V;H!8M6T5(W#^OOd2I|y&!mI3}h1%gC*%<`*h}p-qZkT z6zUydz(7+2Jqqn4>a!+UNINOq)WjMQVWp;`#E?vu;4qeOc%w&q>G9)+ikU-(LBwbP<#M?Nd)>B@qR(<}h0D@e+{trg7UYd(K~`zK67?v_QOcxCB}D_e 
zBDPoG9G;!b@BR5bH$6V};?lWa?RR_f(T@krv-!u{>gKd{VX|<$bnDLc piv-p256 UIEGzg A+4ueAfFezO+SbFTU2WVj37mD4CccdnordVpwye7j+6g -FMiMoUqfyNgw/uhhBxuKyx6yUPiZZ1pPt6iIxe0DZHM --> ssh-ed25519 t5XIGA zRq/bzdlJZy9ll2MqKrFuoqSW4oeJ5UxhSkJ+3qlaG8 -y4EFhlpHL6zivpDZW35Fa3vNkbwTmcAOmtvE3HMtfIo --> ssh-ed25519 SYNSNQ LAgvsPWPPz6cn1n3Ygu8HgT8NUyuhDn4xY9APX6T0D8 -sEX8cCiwf/poOeKEox279MCEGMyIUHnMHbiYZdwR/xU ---- nIO+s3lXRheBzqq9AZgNmg6rs8+HoF1sQOYzWy0wfds -E0&k'/9ig9FFZ 4w1 D<*IXq?=p"z4hK v \ No newline at end of file +-> piv-p256 UIEGzg Asl/n0iFj2Swc/Nf1bcMFxgFu64etnimDaw0oC74BbZT +jHCir4VWyhxVGlLkdFYL/pH141ZczE9CRZ9ubWynaEQ +-> ssh-ed25519 t5XIGA QiipiJkDoXn9Vsfwvs2bwvUDygdCaBbm2hPXCmSkpBA +u6PipiF2jSvdt8ydx69UCEjYnMHGAkqOLqGNn78fo3I +-> ssh-ed25519 SYNSNQ NMTuIYkgsxKEcwk7egjbzwlOmmKbrvvPOuUYtjUtjQM +vpyVsReEuAPrcxqkXBWmyWFhx01o67fRznW3UG8R8qk +--- zCzWtcgc8Cnu0XLFXZ9Rlk2u3h1ubZ2K+WqKl7qCaA8 +U-fLT|Ă/.>Ϫo}yWOGZH` \ No newline at end of file diff --git a/systems/x86_64-do/proxy/README.md b/systems/x86_64-do/proxy/README.md new file mode 100644 index 0000000..5e3fa24 --- /dev/null +++ b/systems/x86_64-do/proxy/README.md @@ -0,0 +1,5 @@ +- Log in (SSH key should already be configured) +- Change password with `passwd` +- Set up tailscale with `sudo tailscale up --accept-routes --ssh` +- Write cloudflare creds to `/var/acme/creds` + - Ensure permissions `sudo chmod -R 700 /var/acme/creds` diff --git a/systems/x86_64-do/proxy/default.nix b/systems/x86_64-do/proxy/default.nix new file mode 100644 index 0000000..f25c444 --- /dev/null +++ b/systems/x86_64-do/proxy/default.nix 
@@ -0,0 +1,105 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ aa = {
+ nix.enable = true;
+ nix.useSelfhostedCache = true;
+
+ security.acme = {
+ enable = true;
+ domainName = "proxy.kilonull.com";
+ isWildcard = false;
+ # TODO: Use a different cert with more targetted permissions (this one
+ # can make wildcard certs)
+ # TODO: Add machine public key in secrets/secrets.nix
+ dnsCredentialsFile = "/var/acme/creds";
+ };
+
+ services = {
+ openssh.enable = true;
+ # NOTE: Need to run `tailscale login` on first boot
+ tailscale = {
+ enable = true;
+ configureClientRouting = true;
+ };
+ };
+
+ tools.zsh.enable = true;
+ };
+
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
+ access_log /var/log/nginx/access.log upstreamlog;
+ '';
+ virtualHosts."proxy.kilonull.com" = let
+ commonConfig = pkgs.writeText "common_config.conf" ''
+ proxy_redirect off;
+ proxy_set_header Host "hydra.kilonull.com";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+
+ allow 127.0.0.1;
+ allow 100.0.0.0/8;
+ allow 192.168.113.0/24;
+ '';
+ in {
+ forceSSL = true;
+ useACMEHost = "proxy.kilonull.com";
+ locations = {
+ "/" = {
+ extraConfig = ''
+ deny all;
+ '';
+ };
+ "/hydra" = {
+ proxyPass = "https://hydra.kilonull.com";
+ extraConfig = ''
+ rewrite /hydra(.*) /$1 break;
+ include ${commonConfig};
+ deny all;
+ '';
+ };
+ "/hydra/api/push-github" = {
+ proxyPass = "https://hydra.kilonull.com/api/push-github";
+ extraConfig = ''
+ include ${commonConfig};
+ # GitHub webhook IPs
+ allow 192.30.252.0/22;
+ allow 185.199.108.0/22;
+ allow 140.82.112.0/20;
+ allow 143.55.64.0/20;
+ allow 2a0a:a440::/29;
+ allow 2606:50c0::/3;
+ deny all;
+ '';
+ };
+ };
+ };
+ };
+
+ users.users.${config.aa.user.name} = {
+ initialHashedPassword = "$y$j9T$/AuWXo5argOeEi1hwlu161$bvB.V5tfB.acWAvr6mV9lVucdGzQc16UVffMdPbqWD0";
+ };
+ networking.firewall.allowedTCPPorts = [
+ # SSH
+ 22
+
+ # HTTP(S)
+ 80
+ 443
+ ];
+
+ virtualisation.digitalOcean = {
+ setRootPassword = true;
+ setSshKeys = true;
+ };
+
+ system.stateVersion = "24.05";
+}
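Review bot: `allow 2606:50c0::/3;` in the `/hydra/api/push-github` location does not do what the `# GitHub webhook IPs` comment says: a /3 prefix is `2000::/3`, i.e. effectively all global-unicast IPv6, so the `deny all;` that follows is bypassed by any IPv6 client on the internet; GitHub publishes that hooks block as a /32, so it should read `allow 2606:50c0::/32;` (confirm against `https://api.github.com/meta`, and note the whole list is hand-copied and will drift). The `allow 100.0.0.0/8;` in `commonConfig` is likewise far wider than intended — Tailscale assigns from the CGNAT range `100.64.0.0/10` and the rest of 100/8 is publicly routed — so tighten it to `allow 100.64.0.0/10;`. Because source-IP allowlists for webhooks are only defence in depth, confirm that the upstream Hydra endpoint also validates the GitHub webhook signature rather than relying on this proxy alone. Separately, `initialHashedPassword` commits a password hash into repository history; the README's "change password with `passwd`" does not remove the literal from git, and the hash stays attackable offline, so prefer `hashedPasswordFile` pointing at an agenix-managed secret and keep the literal out of the tree.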