
2 commits

5 changed files with 29 additions and 5 deletions


@ -138,7 +138,6 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
clientMaxBodySize = "10G"; clientMaxBodySize = "10G";
domain = "tlater.net";
statusPage = true; # For metrics, should be accessible only from localhost statusPage = true; # For metrics, should be accessible only from localhost


@ -4,6 +4,14 @@
./disko.nix ./disko.nix
]; ];
# Intel's special encrypted memory<->CPU feature. Hetzner's BIOS
# disables it by default.
#
# TODO(tlater): See if would be useful for anything?
boot.kernelParams = ["nosgx"];
services.nginx.domain = "116.202.158.55";
systemd.network.networks."eth0" = { systemd.network.networks."eth0" = {
matchConfig.MACAddress = "90:1b:0e:c1:8c:62"; matchConfig.MACAddress = "90:1b:0e:c1:8c:62";
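Review bot: `services.nginx.domain = "116.202.158.55";` assigns the host's address rather than a DNS name, and with the `[[ "tlater.net" = … ]]` ExecCondition added in the nginx module hunk of this commit that means the acme services are skipped on this host; that looks intentional, but nothing on the line says so. A comment would save the next reader the cross-reference, e.g. `# Bare IP, not a DNS name: the acme ExecCondition in the nginx module skips certificate requests here`. The `nosgx` comment above it explains what SGX is but not what the kernel parameter changes when, as the comment states, the BIOS already disables the feature; recording the observed effect would make the TODO actionable. The enclosing module attribute set starts and ends outside the hunk.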


@ -6,6 +6,8 @@
# Required for the lish console # Required for the lish console
boot.kernelParams = ["console=ttyS0,19200n8"]; boot.kernelParams = ["console=ttyS0,19200n8"];
services.nginx.domain = "tlater.net";
boot.loader = { boot.loader = {
# Timeout to allow lish to connect # Timeout to allow lish to connect
timeout = 10; timeout = 10;


@ -6,7 +6,7 @@
# Sets the base domain for nginx to localhost so that we # Sets the base domain for nginx to localhost so that we
# can easily test locally with the VM. # can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost"; services.nginx.domain = "localhost";
# Use the staging secrets # Use the staging secrets
sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml; sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;


@ -1,8 +1,23 @@
{lib, ...}: let {
inherit (lib) mkOption types; pkgs,
in { config,
lib,
...
}: {
options.services.nginx.domain = lib.mkOption { options.services.nginx.domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "The base domain name to append to virtual domain names"; description = "The base domain name to append to virtual domain names";
}; };
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
} }
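Review bot: The domain is expanded unquoted inside the `[[ ]]` test on the `confirm` line and that string is then embedded in a single-quoted `-c '…'` argument, so a value containing whitespace or a glob character changes the comparison and a quote breaks the command; quoting the expansion, `confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';`, closes the first two cases. Because `config.services.nginx.domain` is fixed at evaluation time, the comparison could instead be done in Nix, wrapping the `systemd.services` value in `lib.mkIf (config.services.nginx.domain != "tlater.net")` and using a plain `false` as the ExecCondition, which removes the shell from the path entirely. The literal "tlater.net" now appears both here and in the host hunk that sets the option; binding it once would keep the two from drifting apart.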