SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 14:19:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: SebastianStork:7a429c5177440a38b79433a89e460df79b37a980
Branches Tags
SebastianStork:main
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:testing-srv-core
...
compare: SebastianStork:def00d7a52978de33212dbdfe4d56ff3fa3a28b4
Branches Tags
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:main
SebastianStork:testing-srv-core

3 commits
7a429c5177 ... def00d7a52

Author SHA1 Message Date
SebastianStork
def00d7a52
glance: Improve title of of per-host-sites-widgets 2026-03-18 16:10:07 +01:00
SebastianStork
b554146792
caddy: Ensure acme certs before start 2026-03-18 15:53:45 +01:00
SebastianStork
fa06bbe9ce
scrutiny: Fix persistence 2026-03-18 15:53:17 +01:00
3 changed files with 23 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

18
modules/nixos/services/caddy.nix
View file

@ -13,6 +13,12 @@ let
publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
privateDomains =
virtualHosts
|> lib.filter (vHost: self.lib.isPrivateDomain vHost.domain)
|> lib.map (vHost: vHost.domain)
|> lib.unique;
mkVirtualHost =
{
domain,
@ -138,11 +144,7 @@ in
reloadServices = [ "caddy.service" ];
};
certs =
virtualHosts
|> lib.filter (host: self.lib.isPrivateDomain host.domain)
|> lib.map (host: lib.nameValuePair host.domain { })
|> lib.listToAttrs;
certs = privateDomains |> lib.map (domain: lib.nameValuePair domain { }) |> lib.listToAttrs;
};
services.nebula.networks.mesh.firewall.inbound = [
@ -160,7 +162,11 @@ in
systemd.services.caddy = {
requires = [ netCfg.overlay.systemdUnit ];
after = [ netCfg.overlay.systemdUnit ];
wants = privateDomains |> lib.map (domain: "acme-${domain}.service");
after = [
netCfg.overlay.systemdUnit
]
++ (privateDomains |> lib.map (domain: "acme-${domain}.service"));
};
custom.persistence.directories = [ "/var/lib/acme" ];

2
modules/nixos/web-services/glance.nix
View file

@ -17,7 +17,7 @@ let
|> lib.map (host: {
type = "monitor";
cache = "1m";
title = host.config.networking.hostName;
title = "${host.config.networking.hostName} Services";
sites =
host.config.custom.meta.sites
|> lib.attrValues

11
modules/nixos/web-services/scrutiny.nix
View file

@ -34,7 +34,16 @@ in
};
};
systemd.services.scrutiny.enableStrictShellChecks = false;
systemd.services.scrutiny = {
enableStrictShellChecks = false;
serviceConfig = {
DynamicUser = lib.mkForce false;
ProtectSystem = "strict";
ProtectHome = "read-only";
PrivateTmp = true;
RemoveIPC = true;
};
};
custom = {
services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;