From fa06bbe9cebf60e86b5a4bdefba7633c4b98dafb Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 18 Mar 2026 15:53:17 +0100
Subject: [PATCH 1/3] scrutiny: Fix persistence

---
 modules/nixos/web-services/scrutiny.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/web-services/scrutiny.nix b/modules/nixos/web-services/scrutiny.nix
index 0789008..ebe0159 100644
--- a/modules/nixos/web-services/scrutiny.nix
+++ b/modules/nixos/web-services/scrutiny.nix
@@ -34,7 +34,16 @@ in
 };
 };

- systemd.services.scrutiny.enableStrictShellChecks = false;
+ systemd.services.scrutiny = {
+ enableStrictShellChecks = false;
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };

 custom = {
 services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;

From b554146792610f9b1f3b44e636e6b6fd859f7486 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 18 Mar 2026 15:53:45 +0100
Subject: [PATCH 2/3] caddy: Ensure acme certs before start

---
 modules/nixos/services/caddy.nix | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/modules/nixos/services/caddy.nix b/modules/nixos/services/caddy.nix
index 3a2062a..eb89a2d 100644
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@@ -13,6 +13,12 @@ let
 publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
 privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);

+ privateDomains =
+ virtualHosts
+ |> lib.filter (vHost: self.lib.isPrivateDomain vHost.domain)
+ |> lib.map (vHost: vHost.domain)
+ |> lib.unique;
+
 mkVirtualHost = { domain, 
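Review bot: `DynamicUser = lib.mkForce false;` removes the per-invocation unprivileged user, and nothing in the new `serviceConfig` sets `User =`/`Group =`, so unless the upstream scrutiny module (not visible here) declares one, scrutiny now runs as root; the sandboxing directives added beneath it (`ProtectSystem`, `ProtectHome`, `PrivateTmp`, `RemoveIPC`) narrow what a compromised process can reach but do not replace an unprivileged identity. If a stable owner for the persisted state directory is what forced DynamicUser off, a static system user gives the same result: add `User = "scrutiny"; Group = "scrutiny";` to `serviceConfig` and declare `users.users.scrutiny` (`isSystemUser = true`, `group = "scrutiny"`) together with `users.groups.scrutiny`, making sure the persisted directory is owned by that user. With `ProtectSystem = "strict"` the writable state path still has to be granted explicitly; if the upstream `StateDirectory` setting survives the override this is already covered, otherwise it needs a `ReadWritePaths` entry. A one-line comment such as `# DynamicUser is off so the persisted state directory keeps a stable owner` would record why the upstream default is overridden.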
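Review bot: `privateHostsExist` on the context line just above the insertion now duplicates the filter that the new `privateDomains` binding performs; since `let` bindings are mutually recursive it can be written as `privateHostsExist = privateDomains != [ ];`, leaving a single definition of what counts as a private host. A short comment on `privateDomains` noting that it feeds both the ACME `certs` set and the Caddy unit ordering would also help, because its consumers sit in later hunks of this file.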
@@ -138,11 +144,7 @@ in
 reloadServices = [ "caddy.service" ];
 };

- certs =
- virtualHosts
- |> lib.filter (host: self.lib.isPrivateDomain host.domain)
- |> lib.map (host: lib.nameValuePair host.domain { })
- |> lib.listToAttrs;
+ certs = privateDomains |> lib.map (domain: lib.nameValuePair domain { }) |> lib.listToAttrs;
 };

 services.nebula.networks.mesh.firewall.inbound = [
@@ -160,7 +162,11 @@ in

 systemd.services.caddy = {
 requires = [ netCfg.overlay.systemdUnit ];
- after = [ netCfg.overlay.systemdUnit ];
+ wants = privateDomains |> lib.map (domain: "acme-${domain}.service");
+ after = [
+ netCfg.overlay.systemdUnit
+ ]
+ ++ (privateDomains |> lib.map (domain: "acme-${domain}.service"));
 };

 custom.persistence.directories = [ "/var/lib/acme" ];

From def00d7a52978de33212dbdfe4d56ff3fa3a28b4 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 18 Mar 2026 16:10:07 +0100
Subject: [PATCH 3/3] glance: Improve title of of per-host-sites-widgets

---
 modules/nixos/web-services/glance.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nixos/web-services/glance.nix b/modules/nixos/web-services/glance.nix
index 02ef141..d38e7e2 100644
--- a/modules/nixos/web-services/glance.nix
+++ b/modules/nixos/web-services/glance.nix
@@ -17,7 +17,7 @@ let
 |> lib.map (host: {
 type = "monitor";
 cache = "1m";
- title = host.config.networking.hostName;
+ title = "${host.config.networking.hostName} Services";
 sites = host.config.custom.meta.sites |> lib.attrValues
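Review bot: The new `wants`/`after` entries in the `systemd.services.caddy` hunk order Caddy behind `acme-${domain}.service`, which is the ACME module's own renewal unit, whereas the ordering point the NixOS ACME module documents for dependants is `acme-finished-${domain}.target`; tying the ordering to the service name depends on the module's internal unit layout, and because `wants` pulls that unit into every Caddy start transaction it may re-run the renewal check each time Caddy starts instead of just waiting for the existing certificate. Consider `wants`/`after` on `acme-finished-${domain}.target` instead. The mapped list is also built twice, once for `wants` and once inside `after`; binding it once in the `let` as `acmeUnits = privateDomains |> lib.map (domain: "acme-finished-${domain}.target");` and using `wants = acmeUnits; after = [ netCfg.overlay.systemdUnit ] ++ acmeUnits;` removes the duplication. Keeping `wants` rather than `requires` is the right call, since a failed issuance for one domain should not keep Caddy down for hosts whose certificates are already present.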