gatus: Fix ntfy url

vps-monitor: Only allow writes to ntfy over vpn
vps-public: Only allow access to radicale's login page over vpn
2026-01-21 12:51:34 +01:00 · 2026-01-15 22:39:28 +01:00 · 2026-01-15 22:21:25 +01:00 · 2026-01-15 22:20:48 +01:00 · 2026-01-15 22:18:22 +01:00 · 2026-01-15 21:05:40 +01:00
6 changed files with 111 additions and 79 deletions
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@ -40,6 +40,14 @@
      nebula.enable = true;
      sshd.enable = true;
      dns.enable = true;
+
+      caddy.virtualHosts."alerts.sprouted.cloud" = {
+        inherit (config.custom.web-services.ntfy) port;
+        extraConfig = ''
+          @putpost method PUT POST
+          respond @putpost "Access denied" 403 { close }
+        '';
+      };
    };

    web-services =
@ -59,7 +67,7 @@

        ntfy = {
          enable = true;
-          domain = "alerts.sprouted.cloud";
+          domain = "alerts.${privateDomain}";
        };

        grafana = {
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@ -13,7 +13,11 @@
    ports.validate = true;
  };

-  custom = {
+  custom =
+    let
+      sproutedDomain = "sprouted.cloud";
+    in
+    {
      persistence.enable = true;

      sops.enable = true;
@ -38,12 +42,21 @@

        nebula.enable = true;
        sshd.enable = true;
+
+        caddy.virtualHosts."dav.${sproutedDomain}" = {
+          inherit (config.custom.web-services.radicale) port;
+          extraConfig = ''
+            respond /.web/ "Access denied" 403 {
+            	close
+            }
+          '';
+        };
      };

      web-services =
        let
+          privateDomain = config.custom.networking.overlay.domain;
          sstorkDomain = "sstork.dev";
-        sproutedDomain = "sprouted.cloud";
        in
        {
          personal-blog = {
@ -76,13 +89,13 @@

          radicale = {
            enable = true;
-          domain = "dav.${sproutedDomain}";
+            domain = "dav.${privateDomain}";
            doBackups = true;
          };

          alloy = {
            enable = true;
-          domain = "alloy.${config.networking.hostName}.${config.custom.networking.overlay.domain}";
+            domain = "alloy.${config.networking.hostName}.${privateDomain}";
          };
        };
    };
--- a/modules/system/networking.nix
+++ b/modules/system/networking.nix
@ -21,18 +21,15 @@ in
    overlay = {
      networkAddress = lib.mkOption {
        type = lib.types.nonEmptyStr;
-        default = "10.254.250.0";
-        readOnly = true;
+        default = "";
      };
      prefixLength = lib.mkOption {
-        type = lib.types.ints.between 0 32;
-        default = 24;
-        readOnly = true;
+        type = lib.types.nullOr (lib.types.ints.between 0 32);
+        default = null;
      };
      domain = lib.mkOption {
        type = lib.types.nonEmptyStr;
-        default = "splitleaf.de";
-        readOnly = true;
+        default = "";
      };

      address = lib.mkOption {
@ -41,11 +38,11 @@ in
      };
      interface = lib.mkOption {
        type = lib.types.nonEmptyStr;
-        default = "nebula";
+        default = "";
      };
      systemdUnit = lib.mkOption {
        type = lib.types.nonEmptyStr;
-        default = "nebula@mesh.service";
+        default = "";
      };

      dnsServers = lib.mkOption {
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@ -23,6 +23,7 @@ let
      domain,
      port,
      files,
+      extraConfig,
      ...
    }:
    lib.nameValuePair domain {
@ -43,6 +44,7 @@ let
          encode
          file_server
        '')
+        (lib.optionalString (extraConfig != null) extraConfig)
      ];
    };
 in
@ -73,6 +75,10 @@ in
                type = lib.types.nullOr lib.types.path;
                default = null;
              };
+              extraConfig = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+              };
            };
          }
        )
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@ -30,6 +30,14 @@ in
      message = "'${netCfg.hostname}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable.";
    };

+    custom.networking.overlay = {
+      networkAddress = "10.254.250.0";
+      prefixLength = 24;
+      domain = "splitleaf.de";
+      interface = "nebula";
+      systemdUnit = "nebula@mesh.service";
+    };
+
    meta.ports.udp = lib.optional netCfg.underlay.isPublic publicPort;

    sops.secrets."nebula/host-key" = {
--- a/modules/system/web-services/gatus.nix
+++ b/modules/system/web-services/gatus.nix
@ -113,7 +113,7 @@ in
        connectivity.checker.target = "1.1.1.1:53"; # Cloudflare DNS
        alerting.ntfy = {
          topic = "uptime";
-          url = "https://alerts.sprouted.cloud";
+          url = "https://alerts.${config.custom.networking.overlay.domain}";
          click = "https://${cfg.domain}";
          default-alert = {
            enable = true;
Author	SHA1	Message	Date
SebastianStork	92d61afc40	gatus: Fix ntfy url	2026-01-15 22:39:28 +01:00
SebastianStork	9299842ce0	vps-monitor: Only allow writes to ntfy over vpn	2026-01-15 22:21:25 +01:00
SebastianStork	d73e3744a8	vps-public: Only allow access to radicale's login page over vpn	2026-01-15 22:20:48 +01:00
SebastianStork	2f246153d4	caddy: Add `extraConfig` option	2026-01-15 22:18:22 +01:00
SebastianStork	82844a3bb4	networking: Set overlay options in nebula module	2026-01-15 21:05:40 +01:00