modules/nixos/services/caddy.nix

@@ -13,12 +13,6 @@ let
   publicHostsExist = virtualHosts |> lib.any (vHost: (!self.lib.isPrivateDomain vHost.domain));
   privateHostsExist = virtualHosts |> lib.any (vHost: self.lib.isPrivateDomain vHost.domain);
 
-  privateDomains =
-    virtualHosts
-    |> lib.filter (vHost: self.lib.isPrivateDomain vHost.domain)
-    |> lib.map (vHost: vHost.domain)
-    |> lib.unique;
-
   mkVirtualHost =
     {
       domain,
@@ -144,7 +138,11 @@ in
             reloadServices = [ "caddy.service" ];
           };
 
-          certs = privateDomains |> lib.map (domain: lib.nameValuePair domain { }) |> lib.listToAttrs;
+          certs =
+            virtualHosts
+            |> lib.filter (host: self.lib.isPrivateDomain host.domain)
+            |> lib.map (host: lib.nameValuePair host.domain { })
+            |> lib.listToAttrs;
         };
 
         services.nebula.networks.mesh.firewall.inbound = [
@@ -162,11 +160,7 @@ in
 
         systemd.services.caddy = {
           requires = [ netCfg.overlay.systemdUnit ];
-          wants = privateDomains |> lib.map (domain: "acme-${domain}.service");
-          after = [
-            netCfg.overlay.systemdUnit
-          ]
-          ++ (privateDomains |> lib.map (domain: "acme-${domain}.service"));
+          after = [ netCfg.overlay.systemdUnit ];
         };
 
         custom.persistence.directories = [ "/var/lib/acme" ];

modules/nixos/web-services/glance.nix

@@ -17,7 +17,7 @@ let
     |> lib.map (host: {
       type = "monitor";
       cache = "1m";
-      title = "${host.config.networking.hostName} Services";
+      title = host.config.networking.hostName;
       sites =
         host.config.custom.meta.sites
         |> lib.attrValues

modules/nixos/web-services/scrutiny.nix

@@ -34,16 +34,7 @@ in
       };
     };
 
-    systemd.services.scrutiny = {
-      enableStrictShellChecks = false;
-      serviceConfig = {
-        DynamicUser = lib.mkForce false;
-        ProtectSystem = "strict";
-        ProtectHome = "read-only";
-        PrivateTmp = true;
-        RemoveIPC = true;
-      };
-    };
+    systemd.services.scrutiny.enableStrictShellChecks = false;
 
     custom = {
       services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;