From 018565dd38bfae83ce4bbaeecd057e3131ec0eb0 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 31 Jan 2026 19:26:36 +0100
Subject: [PATCH 1/2] Reduce use of `lib.optionalString`
---
 modules/system/services/auto-gc.nix | 2 +-
 modules/system/services/caddy.nix | 47 ++++++++++++++---------------
 2 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/modules/system/services/auto-gc.nix b/modules/system/services/auto-gc.nix
index c6719b6..fa33158 100644
--- a/modules/system/services/auto-gc.nix
+++ b/modules/system/services/auto-gc.nix
@@ -18,8 +18,8 @@ in
 [
 "--keep 10"
 "--keep-since 7d"
- (lib.optionalString cfg.onlyCleanRoots "--no-gc")
 ]
+ ++ lib.optional cfg.onlyCleanRoots "--no-gc"
 |> lib.concatStringsSep " ";
 };
 };
diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index cd863fb..84b026f 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -13,11 +13,6 @@ let
 publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
 privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
 
- webPorts = [
- 80
- 443
- ];
-
 mkVirtualHost =
 {
 domain,
@@ -28,24 +23,25 @@ let
 }:
 lib.nameValuePair domain {
 logFormat = "output file ${config.services.caddy.logDir}/${domain}.log { mode 640 }";
- extraConfig = lib.concatLines [
- (lib.optionalString (self.lib.isPrivateDomain domain) (
- let
- certDir = config.security.acme.certs.${domain}.directory;
- in
- ''
- tls ${certDir}/fullchain.pem ${certDir}/key.pem
- bind ${config.custom.networking.overlay.address}
- ''
- ))
- (lib.optionalString (port != null) "reverse_proxy localhost:${toString port}")
- (lib.optionalString (files != null) ''
- root * ${files}
- encode
- file_server
- '')
- (lib.optionalString (extraConfig != null) extraConfig)
- ];
+ extraConfig =
+ let
+ certDir = config.security.acme.certs.${domain}.directory;
+ in
+ [
+ (lib.optionals (self.lib.isPrivateDomain domain) [
+ "tls ${certDir}/fullchain.pem ${certDir}/key.pem"
+ "bind ${config.custom.networking.overlay.address}"
+ ])
+ (lib.optional (port != null) "reverse_proxy localhost:${toString port}")
+ (lib.optionals (files != null) [
+ "root * ${files}"
+ "encode"
+ "file_server"
+ ])
+ (lib.optional (extraConfig != null) extraConfig)
+ ]
+ |> lib.concatLists
+ |> lib.concatLines;
 };
 in
 {
@@ -95,7 +91,10 @@ in
 message = "Each caddy virtual host must set exactly one of `port` or `files`";
 };
 
- networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts;
+ networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist [
+ 80
+ 443
+ ];
 
 services.caddy = {
 enable = true;
From 6d5a9538a7aab0714d6cd047fc106c60f977a24a Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 31 Jan 2026 19:32:10 +0100
Subject: [PATCH 2/2] vps-private: Disable freshrss
---
 hosts/vps-private/default.nix | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index c334679..9a0a501 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
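Review bot: In the `extraConfig` hunk of caddy.nix, `certDir` is now bound in the outer `let` for every virtual host, so it is only safe for public domains because Nix never forces it when the `lib.optionals (self.lib.isPrivateDomain domain)` guard is false. Presumably public hosts have no `config.security.acme.certs.${domain}` entry, in which case any later use of `certDir` outside that guard would fail evaluation for them. I would record the dependency next to the binding with a comment such as `# certDir is only forced inside the isPrivateDomain branch; do not reference it elsewhere`. The enclosing `mkVirtualHost` function starts outside this hunk.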
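Review bot: The inlined `networking.firewall.allowedTCPPorts` list in caddy.nix has no comment explaining the exposure model it relies on. When a host serves both public and private virtual hosts, 80 and 443 are opened in the firewall as soon as one public host exists, and the private sites appear to stay off the public interface only through the `bind ${config.custom.networking.overlay.address}` line that `mkVirtualHost` generates. Whether the overlay interface is opened or trusted elsewhere is not visible in this hunk. I would add above the option something like `# Opened host-wide; private vhosts are kept off the public side solely by their bind directive`.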
@@ -70,12 +70,6 @@
 doBackups = true;
 };
 
- freshrss = {
- enable = true;
- domain = "rss.${privateDomain}";
- doBackups = true;
- };
-
 alloy = {
 enable = true;
 domain = "alloy.${config.networking.hostName}.${privateDomain}";