From be67bc49bb8184cd0421efb0e68d89b12bee8fd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Sun, 3 Mar 2024 01:06:52 +0100
Subject: [PATCH] acme: Don't attempt to get certs if the domain is wrong

---
 configuration/default.nix | 1 -
 .../hardware-specific/hetzner/default.nix | 2 ++
 .../hardware-specific/linode/default.nix | 2 ++
 configuration/hardware-specific/vm.nix | 2 +-
 modules/default.nix | 21 ++++++++++++++++---
 5 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index 6d5090f..f82830f 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -138,7 +138,6 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 clientMaxBodySize = "10G";
- domain = "tlater.net";
 statusPage = true;
 
 # For metrics, should be accessible only from localhost
diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix
index 6149628..f6915ee 100644
--- a/configuration/hardware-specific/hetzner/default.nix
+++ b/configuration/hardware-specific/hetzner/default.nix
@@ -10,6 +10,8 @@
 # TODO(tlater): See if would be useful for anything?
 boot.kernelParams = ["nosgx"];
 
+ services.nginx.domain = "116.202.158.55";
+
 systemd.network.networks."eth0" = {
 matchConfig.MACAddress = "90:1b:0e:c1:8c:62";
 
diff --git a/configuration/hardware-specific/linode/default.nix b/configuration/hardware-specific/linode/default.nix
index b05fade..8194ec4 100644
--- a/configuration/hardware-specific/linode/default.nix
+++ b/configuration/hardware-specific/linode/default.nix
@@ -6,6 +6,8 @@
 # Required for the lish console
 boot.kernelParams = ["console=ttyS0,19200n8"];
 
+ services.nginx.domain = "tlater.net";
+
 boot.loader = {
 # Timeout to allow lish to connect
 timeout = 10;
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index 32423ab..8e7720a 100644
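Review bot: The added `services.nginx.domain = "116.202.158.55";` in the hetzner hunk gives this host an IP literal as its base domain with no explanation, and a reader of that file alone cannot tell that the value is deliberately not `tlater.net` so that the acme-* units defined in modules/default.nix skip their certificate requests on this machine. A comment above the line would record that intent, e.g. `# Not the production host: any value other than "tlater.net" makes the acme-* units skip via their ExecCondition (see modules/default.nix)`. Since the option is documented as the base appended to virtual host names, every nginx server name on this host will end in the IP literal, which is presumably what is wanted here but is worth stating in the same comment.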
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -6,7 +6,7 @@
 # Sets the base domain for nginx to localhost so that we
 # can easily test locally with the VM.
- services.nginx.domain = lib.mkOverride 99 "localhost";
+ services.nginx.domain = "localhost";
 # Use the staging secrets
 sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
diff --git a/modules/default.nix b/modules/default.nix
index 55e356c..de1c7c2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,8 +1,23 @@
-{lib, ...}: let
- inherit (lib) mkOption types;
-in {
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
 options.services.nginx.domain = lib.mkOption {
 type = lib.types.str;
 description = "The base domain name to append to virtual domain names";
 };
+
+ config = {
+ # Don't attempt to run acme if the domain name is not tlater.net
+ systemd.services = let
+ confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
+ in
+ lib.mapAttrs' (cert: _:
+ lib.nameValuePair "acme-${cert}" {
+ serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+ })
+ config.security.acme.certs;
+ };
 }
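Review bot: In the new `confirm` string of modules/default.nix the domain is interpolated unquoted into `[[ "tlater.net" = ${config.services.nginx.domain} ]]` and that text is then embedded inside the single-quoted `-c '…'` argument, so a value such as `*` is accepted through bash pattern matching and a value containing `'` breaks the generated shell command. The option is set from the operator's own configuration, so the practical exposure is small, but the check does not need a shell at all: the string comparison can be made at evaluation time with `lib.mkIf`, leaving a constant ExecCondition for systemd to skip on, as sketched below. If the shell form is kept, the minimal fix is to double-quote the right-hand side, `confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';`. The comment above `systemd.services` should also state that a non-zero ExecCondition makes systemd skip the unit rather than fail it, since that is the behaviour the whole block relies on.

```nix
  config = {
    # When this host's base domain is not the production one, make every
    # acme-* unit skip: a non-zero ExecCondition exit marks the unit as
    # skipped (not failed), so no certificate request is attempted.
    systemd.services = lib.mkIf (config.services.nginx.domain != "tlater.net") (
      lib.mapAttrs' (cert: _:
        lib.nameValuePair "acme-${cert}" {
          serviceConfig.ExecCondition = "${pkgs.coreutils}/bin/false";
        })
      config.security.acme.certs
    );
  };
```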