

No commits in common. "6d5a9538a7aab0714d6cd047fc106c60f977a24a" and "31bc84ee6c7260d0bdb4adae7653a5f2af5eb670" have entirely different histories.

3 changed files with 31 additions and 24 deletions


@ -70,6 +70,12 @@
doBackups = true; doBackups = true;
}; };
freshrss = {
enable = true;
domain = "rss.${privateDomain}";
doBackups = true;
};
alloy = { alloy = {
enable = true; enable = true;
domain = "alloy.${config.networking.hostName}.${privateDomain}"; domain = "alloy.${config.networking.hostName}.${privateDomain}";


@ -18,8 +18,8 @@ in
[ [
"--keep 10" "--keep 10"
"--keep-since 7d" "--keep-since 7d"
(lib.optionalString cfg.onlyCleanRoots "--no-gc")
] ]
++ lib.optional cfg.onlyCleanRoots "--no-gc"
|> lib.concatStringsSep " "; |> lib.concatStringsSep " ";
}; };
}; };
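Review bot: The `(lib.optionalString cfg.onlyCleanRoots "--no-gc")` element on one side of this hunk leaves an empty string in the list when `onlyCleanRoots` is false, so the `|> lib.concatStringsSep " "` at the end yields a trailing space in the option string (`"--keep 10 --keep-since 7d "` instead of `"--keep 10 --keep-since 7d"`). The `++ lib.optional cfg.onlyCleanRoots "--no-gc"` form avoids that because `lib.optional` returns an empty list and the element is omitted entirely, so it is the variant to keep on the new side. The rendered view has lost its `+`/`-` markers and the compare reports no common history, so which side is current cannot be confirmed from this page. The enclosing `let … in` expression and the attribute this list is assigned to both start outside the hunk.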


@ -13,6 +13,11 @@ let
publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain)); publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain); privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
webPorts = [
80
443
];
mkVirtualHost = mkVirtualHost =
{ {
domain, domain,
@ -23,25 +28,24 @@ let
}: }:
lib.nameValuePair domain { lib.nameValuePair domain {
logFormat = "output file ${config.services.caddy.logDir}/${domain}.log { mode 640 }"; logFormat = "output file ${config.services.caddy.logDir}/${domain}.log { mode 640 }";
extraConfig = extraConfig = lib.concatLines [
let (lib.optionalString (self.lib.isPrivateDomain domain) (
certDir = config.security.acme.certs.${domain}.directory; let
in certDir = config.security.acme.certs.${domain}.directory;
[ in
(lib.optionals (self.lib.isPrivateDomain domain) [ ''
"tls ${certDir}/fullchain.pem ${certDir}/key.pem" tls ${certDir}/fullchain.pem ${certDir}/key.pem
"bind ${config.custom.networking.overlay.address}" bind ${config.custom.networking.overlay.address}
]) ''
(lib.optional (port != null) "reverse_proxy localhost:${toString port}") ))
(lib.optionals (files != null) [ (lib.optionalString (port != null) "reverse_proxy localhost:${toString port}")
"root * ${files}" (lib.optionalString (files != null) ''
"encode" root * ${files}
"file_server" encode
]) file_server
(lib.optional (extraConfig != null) extraConfig) '')
] (lib.optionalString (extraConfig != null) extraConfig)
|> lib.concatLists ];
|> lib.concatLines;
}; };
in in
{ {
@ -91,10 +95,7 @@ in
message = "Each caddy virtual host must set exactly one of `port` or `files`"; message = "Each caddy virtual host must set exactly one of `port` or `files`";
}; };
networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist [ networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts;
80
443
];
services.caddy = { services.caddy = {
enable = true; enable = true;