From bccb96a0b3cae3a67015a15790c7a14eb3b47c6e Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sat, 4 Apr 2026 12:26:05 -0500
Subject: [PATCH] updated soteria settings

---
 modules/hosts/soteria/soteria.nix | 47 ++++++++++++++++---------------
 1 file changed, 25 insertions(+), 22 deletions(-)

diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index cec2159..4ff3299 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -17,21 +17,8 @@ in
     nixos.forgejo
     # nixos.restic-server
     # nixos.restic-envoy
-    ({ pkgs, ... }: {
+    ({ config, pkgs, ... }: {
       networking.hostName = hostname;
-      mtls = {
-        enable = true;
-        subject = hostname;
-        san = [
-          "${hostname}.john-stream.com"
-          "192.168.1.142"
-        ];
-        lifetime = "1h";
-        renew.onCalendar = "*:3/15";
-        renew.postCommands = [
-          "${lib.getExe pkgs.docker} restart envoy"
-        ];
-      };
 
       # Removes password for sudo
       security.sudo-rs.extraRules = lib.mkAfter [
@@ -45,13 +32,31 @@ in
         ];
       }
       ];
-      # nix.settings.build-dir = "/var/tmp/nix-build";
-      # systemd.tmpfiles.rules = [
-      #   "d /var/tmp/nix-build 1777 root root -"
-      # ];
-      step-ssh-host = {
-        hostname = hostname;
+
+      users.users."${username}".extraGroups = [ "mtls" ];
+      mtls = {
+        enable = true;
+        certDir = config.janus-ca.certDir;
+        subject = hostname;
+        san = [
+          "${hostname}.john-stream.com"
+          # "192.168.1.142"
+          "forgejo.john-stream.com"
+          "192.168.1.244"
+        ];
+        lifetime = "12h";
+        renew.onCalendar = "*:3/15";
+        renew.reloadUnits = [ "forgejo.service" ];
+        certReaders = [ config.services.forgejo.user "postgres" ];
       };
+      forgejo = {
+        enable = true;
+        https = true;
+        port = 443;
+      };
+
+      step-ssh-host.hostname = hostname;
 
       # This provides the secrets at install time
       sops.defaultSopsFile = ./secrets.yaml;
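Review bot: `users.users."${username}".extraGroups = [ "mtls" ];` together with `certReaders = [ config.services.forgejo.user "postgres" ];` widens who can read the host's mTLS material — if the `mtls` group is how certReaders is granted, the interactive login account now shares that read access with two service accounts, so a comment stating why the user needs it (or dropping the extraGroups line if it was for debugging) would keep the grant deliberate. `lifetime` also moves from `"1h"` to `"12h"` while `renew.onCalendar` stays at `*:3/15`, so a leaked certificate stays usable twelve times longer; a short comment on why the longer lifetime is needed would help the next reader. The commented-out `# "192.168.1.142"` entry inside `san` is dead config and should either be removed or carry a note on why it is kept. What the `mtls` module does with `certReaders` and the `mtls` group is not visible in this patch, so the access inference above should be confirmed against that module.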
@@ -66,8 +71,6 @@ in
         inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
         inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
       ];
-
-      forgejo.enable = true;
     })
   ];
 };