Compare commits


No commits in common. "6d5a9538a7aab0714d6cd047fc106c60f977a24a" and "31bc84ee6c7260d0bdb4adae7653a5f2af5eb670" have entirely different histories.

3 changed files with 31 additions and 24 deletions


@ -70,6 +70,12 @@
doBackups = true;
};
freshrss = {
enable = true;
domain = "rss.${privateDomain}";
doBackups = true;
};
alloy = {
enable = true;
domain = "alloy.${config.networking.hostName}.${privateDomain}";


@ -18,8 +18,8 @@ in
[
"--keep 10"
"--keep-since 7d"
(lib.optionalString cfg.onlyCleanRoots "--no-gc")
]
++ lib.optional cfg.onlyCleanRoots "--no-gc"
|> lib.concatStringsSep " ";
};
};
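Review bot: The `++ lib.optional cfg.onlyCleanRoots "--no-gc"` line (which reads as the new side of this hunk) carries no comment saying why the flag is appended as a separate list element instead of living inside the literal as before; a reader who does not know `lib.optionalString` will not see that the old form left an empty element in the list, which `lib.concatStringsSep " "` turns into a trailing space whenever `onlyCleanRoots` is false. I would add `# appended as a list element: when disabled this adds nothing, rather than an empty string that the join below would turn into a stray space` directly above it. The `let` binding this list belongs to and the attribute that receives the joined string both start outside the hunk, so I cannot see how the result is consumed; the note holds regardless of whether the consumer treats it as one argument string or splits it on whitespace.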


@ -13,6 +13,11 @@ let
publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
webPorts = [
80
443
];
mkVirtualHost =
{
domain,
@ -23,25 +28,24 @@ let
}:
lib.nameValuePair domain {
logFormat = "output file ${config.services.caddy.logDir}/${domain}.log { mode 640 }";
extraConfig =
let
certDir = config.security.acme.certs.${domain}.directory;
in
[
(lib.optionals (self.lib.isPrivateDomain domain) [
"tls ${certDir}/fullchain.pem ${certDir}/key.pem"
"bind ${config.custom.networking.overlay.address}"
])
(lib.optional (port != null) "reverse_proxy localhost:${toString port}")
(lib.optionals (files != null) [
"root * ${files}"
"encode"
"file_server"
])
(lib.optional (extraConfig != null) extraConfig)
]
|> lib.concatLists
|> lib.concatLines;
extraConfig = lib.concatLines [
(lib.optionalString (self.lib.isPrivateDomain domain) (
let
certDir = config.security.acme.certs.${domain}.directory;
in
''
tls ${certDir}/fullchain.pem ${certDir}/key.pem
bind ${config.custom.networking.overlay.address}
''
))
(lib.optionalString (port != null) "reverse_proxy localhost:${toString port}")
(lib.optionalString (files != null) ''
root * ${files}
encode
file_server
'')
(lib.optionalString (extraConfig != null) extraConfig)
];
};
in
{
@ -91,10 +95,7 @@ in
message = "Each caddy virtual host must set exactly one of `port` or `files`";
};
networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist [
80
443
];
networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts;
services.caddy = {
enable = true;