-rw-r--r--flake.nix5
-rw-r--r--secrets/redis-website.age7
-rw-r--r--secrets/secrets.nix2
-rw-r--r--system/linde.nix26
4 files changed, 36 insertions, 4 deletions
diff --git a/flake.nix b/flake.nix
index 5ee485d4..bb326751 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,10 +22,7 @@
       url = "git+file:packages";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    searchix = {
-      url = "git+https://git.alanpearce.eu/searchix";
-      inputs.nixpkgs.follows = "nixpkgs-small";
-    };
+    searchix.url = "git+https://git.alanpearce.eu/searchix";
     golink = {
       url = "github:tailscale/golink";
       inputs.nixpkgs.follows = "nixpkgs-small";
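Review bot: Dropping `inputs.nixpkgs.follows` for `searchix` means its nixpkgs is now locked independently of this flake's `nixpkgs`/`nixpkgs-small`, so bumping this flake's nixpkgs no longer carries security fixes into searchix's dependency tree until the `searchix` input itself is updated, and a second nixpkgs gets evaluated. If this was deliberate (searchix needing a revision that `nixpkgs-small` does not provide), a one-line comment such as `# searchix pins its own nixpkgs on purpose` would stop the next reader re-adding the follows line. `golink` just below still follows `nixpkgs-small`, so the two inputs are now treated inconsistently without the hunk saying why.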
diff --git a/secrets/redis-website.age b/secrets/redis-website.age
new file mode 100644
index 00000000..c28e4d49
--- /dev/null
+++ b/secrets/redis-website.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cvV2sw WjKi0Y30MLKz+gFIJq5Lnie/aODMvzrDX+hiHfaPXUs
+9vRdGtOho2jLMFezA4+6w9v3yySe9nHFcaDqBJi0ZGE
+-> piv-p256 VBDKjg A+wOv0SEzn47kbJhQMWWTcOcRV/aB6UAOX0xdcz3d8Wo
+SlCae0RyX188XcgHlQOa/1jpzqaaYq6w2m+FCaXa4qU
+--- aEDkTWQh00KXlzeyGew4qTnFyjvhmSubgUWnonUAJP0
+L\V7{uCf#1𖽃M/vUn-}CL-vcANSYq
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index be2acf14..3cfcf017 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,6 +13,8 @@ let
   secrets = with machines; {
     acme = [ linde nanopi ];
 
+    redis-website = [ linde ];
+
     binarycache = [ linde ];
     paperless = [ linde ];
     powerdns = [ linde ];
diff --git a/system/linde.nix b/system/linde.nix
index bffa2645..368bda24 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,6 +13,7 @@ let
   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-rdnsip = "2a01:4f8:c012:23a4::53";
+  net-redisip = "2a01:4f8:c012:23a4::6379";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
@@ -42,6 +43,7 @@ in
     binarycache.file = ../secrets/binarycache.age;
     dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
+    redis-website.file = ../secrets/redis-website.age;
     golink = let golink = config.services.golink; in {
       # hope this doesn't collide...
       path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
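Review bot: `redis-website.file` is added with no `owner`/`group`, so on agenix defaults the decrypted password file is root-only, while the same commit grants the ACME key to the `redis-website` group — which suggests the server runs as that user. As far as I recall the NixOS redis module appends `requirePassFile` to the runtime config from the unit's preStart, which runs as the service user, so the unit would fail to read the secret unless ownership is set somewhere outside this hunk; `redis-website = { file = ../secrets/redis-website.age; owner = "redis-website"; group = "redis-website"; };` matches the ACME grant. The enclosing `age.secrets` set starts before the hunk.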
@@ -162,6 +164,7 @@ in
       ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-rdnsip} = [ "dns" ];
+      ${net-redisip} = [ "redis" ];
     };
     firewall = {
       enable = true;
@@ -174,6 +177,7 @@ in
         443
         53
         853
+        6379
         9418
         6922
       ];
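Review bot: `6379` joins a list of bare port numbers with nothing saying it is the TLS-only Redis listener, and the rule opens the port on every address the host has while the server is bound only to the dedicated IPv6 in the later hunk. A comment keeps that intent visible for whoever next edits the list, `6379 # redis-website, TLS only, bound to net-redisip`; if the firewall should match the listener, a destination-address rule rather than a host-wide port entry would narrow it. The enclosing `allowedTCPPorts` list begins before the hunk.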
@@ -219,6 +223,7 @@ in
         address = [
           "${net-ip6}/${net-mask6}"
           "${net-rdnsip}/${net-mask6}"
+          "${net-redisip}/${net-mask6}"
         ];
         addresses = [{
           Address = "${net-ip4}/${net-mask4}";
@@ -627,6 +632,9 @@ in
     certs."stats.alanpearce.eu" = {
       extraDomainNames = [ "*.stats.alanpearce.eu" ];
     };
+    certs."redis.alanpearce.eu" = {
+      group = "redis-website";
+    };
   };
   users.groups.acme.members = [
     "caddy"
@@ -959,6 +967,24 @@ in
     Requires = [ "etcd.service" ];
   };
 
+  services.redis = {
+    servers = {
+      website = {
+        enable = true;
+        port = 0;
+        bind = net-redisip;
+        databases = 1;
+        maxclients = 6;
+        requirePassFile = config.age.secrets.redis-website.path;
+        settings = {
+          tls-port = 6379;
+          tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem";
+          tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem";
+          tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt";
+        };
+      };
+    };
+  };
 
   services.syncthing = {
     enable = true;
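Review bot: `tls-ca-cert-file` points at the system CA bundle while `tls-auth-clients` is left at Redis's default of `yes`, so every client must present a certificate and any certificate chaining to any public CA (for example a Let's Encrypt cert for an unrelated name) passes that check — it adds no real authentication, and clients without a cert are refused outright. Either set `tls-auth-clients = "no";` and let `requirePassFile` plus an ACL for a non-default user carry authentication, or point the CA file at a private CA that issues only your own client certificates. A short comment on the block would also help, since `port = 0` with `tls-port = 6379` is deliberate but reads like a mistake: `# plaintext port disabled; TLS only on the dedicated IPv6`.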