john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updated soteria settings

Browse Source
This commit is contained in:
John Lancaster
2026-04-04 12:26:05 -05:00
parent 44fd737afe
commit bccb96a0b3
1 changed files with 25 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/hosts/soteria/soteria.nix
+25 -22
View File
@@ -17,21 +17,8 @@ in
nixos.forgejo nixos.forgejo
# nixos.restic-server # nixos.restic-server
# nixos.restic-envoy # nixos.restic-envoy
({ pkgs, ... }: { ({ config, pkgs, ... }: {
networking.hostName = hostname; networking.hostName = hostname;
mtls = {
enable = true;
subject = hostname;
san = [
"${hostname}.john-stream.com"
"192.168.1.142"
];
lifetime = "1h";
renew.onCalendar = "*:3/15";
renew.postCommands = [
"${lib.getExe pkgs.docker} restart envoy"
];
};
# Removes password for sudo # Removes password for sudo
security.sudo-rs.extraRules = lib.mkAfter [ security.sudo-rs.extraRules = lib.mkAfter [
@@ -45,13 +32,31 @@ in
]; ];
} }
]; ];
# nix.settings.build-dir = "/var/tmp/nix-build";
# systemd.tmpfiles.rules = [ users.users."${username}".extraGroups = [ "mtls" ];
# "d /var/tmp/nix-build 1777 root root -" mtls = {
# ]; enable = true;
step-ssh-host = { certDir = config.janus-ca.certDir;
hostname = hostname; subject = hostname;
san = [
"${hostname}.john-stream.com"
# "192.168.1.142"
"forgejo.john-stream.com"
"192.168.1.244"
];
lifetime = "12h";
renew.onCalendar = "*:3/15";
renew.reloadUnits = [ "forgejo.service" ];
certReaders = [ config.services.forgejo.user "postgres" ];
}; };
forgejo = {
enable = true;
https = true;
port = 443;
};
step-ssh-host.hostname = hostname;
# This provides the secrets at install time # This provides the secrets at install time
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
@@ -66,8 +71,6 @@ in
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
]; ];
forgejo.enable = true;
}) })
]; ];
}; };