update(treewide): Update to NixOS 25.11

This commit is contained in:
Tristan Daniël Maat 2025-12-01 16:22:00 +08:00
parent 342b6c756a
commit 642dad3afa
Signed by: tlater
GPG key ID: 02E935006CF2E8E7
12 changed files with 44 additions and 60 deletions


@ -51,20 +51,9 @@
paths = [ "/var/lib/acme/tlater.net" ];
};
systemd.services = {
nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ];
# Don't attempt to retrieve a certificate if the domain name
# doesn't *actually* match the cert name
#
# TODO(tlater): Set up pebble to retrieve certs "properly"
# instead
"acme-tlater.net".serviceConfig.ExecCondition =
let
confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';
in
''${pkgs.runtimeShell} -c '${confirm}' '';
};
systemd.services.nginx.serviceConfig.SupplementaryGroups = [
config.security.acme.certs."tlater.net".group
];
sops.secrets = {
"porkbun/api-key".owner = "acme";
@ -85,10 +74,18 @@
security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ];
services.nginx = {
domain = "testHost";
# Pretend the acme renew succeeds.
#
# TODO(tlater): Set up pebble to retrieve certs "properly"
# instead
systemd.services."acme-order-renew-tlater.net".script = ''
touch out/acme-success
'';
virtualHosts."${config.services.nginx.domain}" = {
services.nginx = {
domain = "testHost.test";
virtualHosts."${config.services.nginx.domain}.local" = {
useACMEHost = "tlater.net";
onlySSL = true;
enableHSTS = true;
@ -109,6 +106,7 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.curl ];
networking.hosts."192.168.1.2" = [ "testHost.test" ];
};
};
@ -125,7 +123,7 @@
"--silent",
"--dump-header -",
"--cacert /certs/tlater.net/fullchain.pem",
"https://testHost",
"https://testHost.test",
"-o /dev/null"
]))