commit 2e970a22cec57072aa0e4b5f405ae69604abb42c (tree)
parent e4c39bf8575c515f64bd7a5cc6f4f7ddaf71f46c
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Tue, 28 Feb 2023 15:30:10 +0200
patched systemd
that passes secrets in `ExecStartPre`.
Diffstat:
1 file changed, 37 insertions(+), 0 deletions(-)
diff --git a/configuration.nix b/configuration.nix
@@ -12,6 +12,7 @@ let
vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
};
+
mountLatest = ({mountpoint, zfs_name}:
''
set -euo pipefail
@@ -55,6 +56,19 @@ in {
/etc/nixos/hardware-configuration.nix /etc/nixos/zfs.nix
];
+ #nixpkgs.overlays = [ (self: super: {} ) ];
+
+ nixpkgs.overlays = [ (self: super: {
+ systemd = super.systemd.overrideAttrs (old: {
+ patches = (old.patches or []) ++ [
+ (super.fetchpatch {
+ url = "https://github.com/systemd/systemd/commit/e7f64b896201da4a11da158c35865604cf02062f.patch";
+ sha256 = "sha256-AvBkrD9n5ux1o167yKg1eJK8C300vBS/ks3Gbvy5vjw=";
+ })
+ ];
+ });
+ } ) ];
+
boot.initrd.network = {
enable = true;
ssh = {
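Review bot: The commented-out placeholder `#nixpkgs.overlays = [ (self: super: {} ) ];` on the first added line of this hunk is dead code and should be dropped rather than kept next to the real overlay. The overlay also lacks a comment saying why systemd is rebuilt and when the override can go; per the commit message the patch makes credentials available in `ExecStartPre`, so something like `# Rebuild systemd with the upstream commit that exposes LoadCredential entries to ExecStartPre (needed for coturn's static-auth-secret-file); drop once nixpkgs ships a systemd containing it.` would keep the intent visible. Overriding `systemd` in an overlay rebuilds it and everything that depends on it, which is worth stating in that comment as well. The enclosing attribute set starts outside the hunk.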
@@ -289,6 +303,9 @@ in {
virtualHosts."git.jakstys.lt".extraConfig = ''
reverse_proxy 127.0.0.1:3000
'';
+ virtualHosts."turn.jakstys.lt".extraConfig = ''
+ redir https://jakstys.lt
+ '';
virtualHosts."beta.jakstys.lt" = {
logFormat = ''
output file ${config.services.caddy.logDir}/access-beta.jakstys.lt.log {
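Review bot: The new `virtualHosts."turn.jakstys.lt"` entry carries no comment explaining its purpose; the redirect itself looks incidental, and the likely reason for the host is that Caddy obtains an ACME certificate for that name which the coturn unit added later in this commit reads from Caddy's certificate directory. If that is the intent, a comment such as `# keeps Caddy issuing the turn.jakstys.lt certificate that systemd.services.coturn loads; not for serving` would stop a later cleanup from removing the host and silently disabling coturn via its ConditionPathExists. The enclosing `services.caddy` block starts and ends outside the hunk.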
@@ -324,6 +341,11 @@ in {
};
};
+ coturn = {
+ enable = true;
+ static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret";
+ };
+
postfix = {
enable = true;
enableSmtp = true;
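Review bot: `static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret"` deliberately escapes the interpolation so the literal `${CREDENTIALS_DIRECTORY}` reaches whatever consumes the option, which only works if that consumer expands it at service start with the credential already loaded — the commit message says this is exactly what the systemd patch in this commit provides. That coupling is invisible from this line alone; a comment like `# literal ${CREDENTIALS_DIRECTORY}: resolved at start from the LoadCredential entries in systemd.services.coturn, which relies on the patched systemd above` would make it explicit. The enclosing `services` set starts and ends outside the hunk.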
@@ -409,6 +431,20 @@ in {
};
};
+ coturn = let
+ cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt/";
+ in {
+ unitConfig.ConditionPathExists = [
+ "${cert_dir}/turn.jakstys.lt.key"
+ "${cert_dir}/turn.jakstys.lt.crt"
+ ];
+ serviceConfig.LoadCredential = [
+ "static-auth-secret:/var/src/secrets/turn/static-auth-secret"
+ "tls-key:${cert_dir}/turn.jakstys.lt.key"
+ "tls-cert:${cert_dir}/turn.jakstys.lt.crt"
+ ];
+ };
+
# https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html
"unit-status-mail@" = let
script = pkgs.writeShellScript "unit-status-mail" ''
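Review bot: `cert_dir` ends with a slash and every use appends another (`"${cert_dir}/turn.jakstys.lt.key"`), so the resulting paths contain `//`; dropping the trailing slash on the `cert_dir = ...` line keeps them clean. Both `ConditionPathExists` and `LoadCredential` are evaluated only when the unit starts: the key and certificate are copied into the credentials directory at that moment, so after Caddy renews the certificate coturn keeps serving the old one until it is restarted, and if coturn starts before Caddy's first ACME issuance the condition silently skips the unit; an ordering after `caddy.service` plus a restart trigger on renewal (a path unit watching the certificate, or a timer) would close both gaps. The `tls-key`/`tls-cert` credentials loaded here are not referenced by the `services.coturn` options in this commit, so unless the certificate options (`cert`/`pkey`) are set elsewhere they appear unused. The enclosing `systemd.services` set starts and ends outside the hunk.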
@@ -444,6 +480,7 @@ in {
};
}) backup_paths;
+
# Do not change
system.stateVersion = "22.11";
}