Compare commits
3 commits
7a429c5177
...
def00d7a52
| Author | SHA1 | Date | |
|---|---|---|---|
| def00d7a52 | |||
| b554146792 | |||
| fa06bbe9ce |
3 changed files with 23 additions and 8 deletions
|
|
@ -13,6 +13,12 @@ let
|
||||||
publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
|
publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
|
||||||
privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
|
privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
|
||||||
|
|
||||||
|
privateDomains =
|
||||||
|
virtualHosts
|
||||||
|
|> lib.filter (vHost: self.lib.isPrivateDomain vHost.domain)
|
||||||
|
|> lib.map (vHost: vHost.domain)
|
||||||
|
|> lib.unique;
|
||||||
|
|
||||||
mkVirtualHost =
|
mkVirtualHost =
|
||||||
{
|
{
|
||||||
domain,
|
domain,
|
||||||
|
|
@ -138,11 +144,7 @@ in
|
||||||
reloadServices = [ "caddy.service" ];
|
reloadServices = [ "caddy.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
certs =
|
certs = privateDomains |> lib.map (domain: lib.nameValuePair domain { }) |> lib.listToAttrs;
|
||||||
virtualHosts
|
|
||||||
|> lib.filter (host: self.lib.isPrivateDomain host.domain)
|
|
||||||
|> lib.map (host: lib.nameValuePair host.domain { })
|
|
||||||
|> lib.listToAttrs;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nebula.networks.mesh.firewall.inbound = [
|
services.nebula.networks.mesh.firewall.inbound = [
|
||||||
|
|
@ -160,7 +162,11 @@ in
|
||||||
|
|
||||||
systemd.services.caddy = {
|
systemd.services.caddy = {
|
||||||
requires = [ netCfg.overlay.systemdUnit ];
|
requires = [ netCfg.overlay.systemdUnit ];
|
||||||
after = [ netCfg.overlay.systemdUnit ];
|
wants = privateDomains |> lib.map (domain: "acme-${domain}.service");
|
||||||
|
after = [
|
||||||
|
netCfg.overlay.systemdUnit
|
||||||
|
]
|
||||||
|
++ (privateDomains |> lib.map (domain: "acme-${domain}.service"));
|
||||||
};
|
};
|
||||||
|
|
||||||
custom.persistence.directories = [ "/var/lib/acme" ];
|
custom.persistence.directories = [ "/var/lib/acme" ];
|
||||||
|
|
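Review bot: In the `systemd.services.caddy` hunk, the new `wants`/`after` entries order Caddy on `acme-${domain}.service`, and because `wants` is not `requires`, a failed or still-running ACME job does not hold Caddy back, so on a first boot Caddy can come up before a private-domain certificate exists; whether that is acceptable depends on how the unseen Caddy config handles a missing cert. If this is NixOS's ACME module, its own nginx/httpd modules order consumers on `acme-finished-${domain}.target` rather than the service, so `wants`/`after` could use `privateDomains |> lib.map (domain: "acme-finished-${domain}.target")` instead — confirm against the module version in use. The same mapping is written twice (in `wants` and in `after`); binding it once, e.g. `acmeUnits = privateDomains |> lib.map (domain: "acme-${domain}.service");` in the `let` block, would keep the two lists from drifting. The attrset that receives `certs` in the second hunk starts outside the hunk, so the attribute path it lands on is not visible here.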
|
||||||
|
|
@ -17,7 +17,7 @@ let
|
||||||
|> lib.map (host: {
|
|> lib.map (host: {
|
||||||
type = "monitor";
|
type = "monitor";
|
||||||
cache = "1m";
|
cache = "1m";
|
||||||
title = host.config.networking.hostName;
|
title = "${host.config.networking.hostName} Services";
|
||||||
sites =
|
sites =
|
||||||
host.config.custom.meta.sites
|
host.config.custom.meta.sites
|
||||||
|> lib.attrValues
|
|> lib.attrValues
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,16 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.scrutiny.enableStrictShellChecks = false;
|
systemd.services.scrutiny = {
|
||||||
|
enableStrictShellChecks = false;
|
||||||
|
serviceConfig = {
|
||||||
|
DynamicUser = lib.mkForce false;
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ProtectHome = "read-only";
|
||||||
|
PrivateTmp = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
custom = {
|
custom = {
|
||||||
services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;
|
services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;
|
||||||
|
|
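Review bot: Forcing `DynamicUser = false` in `systemd.services.scrutiny.serviceConfig` drops everything DynamicUser implies, and the hunk re-adds only four of those settings; `NoNewPrivileges=` and `RestrictSUIDSGID=` are also implied by DynamicUser and are not restored, so adding `NoNewPrivileges = true;` and `RestrictSUIDSGID = true;` next to `RemoveIPC = true;` would keep the unit at the same hardening level it had before. Unless the upstream scrutiny module or another part of this file sets `User`/`Group`, the unit now runs as root, which is worth stating in a comment above `DynamicUser = lib.mkForce false;` together with the reason the dynamic user had to go. With `ProtectSystem = "strict"` and no `StateDirectory`/`ReadWritePaths` visible in the hunk, writable state presumably comes from the upstream module — verify it still has a writable data directory after this change.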
|
||||||