motiejus/config
1
Fork 0
Code Packages Releases Activity

patched systemd

Browse Source 
that passes secrets in `ExecStartPre`.
This commit is contained in:
Motiejus Jakštys 2023-02-28 15:30:10 +02:00
parent e4c39bf857
commit 2e970a22ce
1 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
configuration.nix
View File

@ -12,6 +12,7 @@ let
vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh"; vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
}; };
mountLatest = ({mountpoint, zfs_name}: mountLatest = ({mountpoint, zfs_name}:
'' ''
set -euo pipefail set -euo pipefail
@ -55,6 +56,19 @@ in {
/etc/nixos/hardware-configuration.nix /etc/nixos/zfs.nix /etc/nixos/hardware-configuration.nix /etc/nixos/zfs.nix
]; ];
#nixpkgs.overlays = [ (self: super: {} ) ];
nixpkgs.overlays = [ (self: super: {
systemd = super.systemd.overrideAttrs (old: {
patches = (old.patches or []) ++ [
(super.fetchpatch {
url = "https://github.com/systemd/systemd/commit/e7f64b896201da4a11da158c35865604cf02062f.patch";
sha256 = "sha256-AvBkrD9n5ux1o167yKg1eJK8C300vBS/ks3Gbvy5vjw=";
})
];
});
} ) ];
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;
ssh = { ssh = {
@ -289,6 +303,9 @@ in {
virtualHosts."git.jakstys.lt".extraConfig = '' virtualHosts."git.jakstys.lt".extraConfig = ''
reverse_proxy 127.0.0.1:3000 reverse_proxy 127.0.0.1:3000
''; '';
virtualHosts."turn.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
virtualHosts."beta.jakstys.lt" = { virtualHosts."beta.jakstys.lt" = {
logFormat = '' logFormat = ''
output file ${config.services.caddy.logDir}/access-beta.jakstys.lt.log { output file ${config.services.caddy.logDir}/access-beta.jakstys.lt.log {
@ -324,6 +341,11 @@ in {
}; };
}; };
coturn = {
enable = true;
static-auth-secret-file = "\${CREDENTIALS_DIRECTORY}/static-auth-secret";
};
postfix = { postfix = {
enable = true; enable = true;
enableSmtp = true; enableSmtp = true;
@ -409,6 +431,20 @@ in {
}; };
}; };
coturn = let
cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt/";
in {
unitConfig.ConditionPathExists = [
"${cert_dir}/turn.jakstys.lt.key"
"${cert_dir}/turn.jakstys.lt.crt"
];
serviceConfig.LoadCredential = [
"static-auth-secret:/var/src/secrets/turn/static-auth-secret"
"tls-key:${cert_dir}/turn.jakstys.lt.key"
"tls-cert:${cert_dir}/turn.jakstys.lt.crt"
];
};
# https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html # https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html
"unit-status-mail@" = let "unit-status-mail@" = let
script = pkgs.writeShellScript "unit-status-mail" '' script = pkgs.writeShellScript "unit-status-mail" ''
@ -444,6 +480,7 @@ in {
}; };
}) backup_paths; }) backup_paths;
# Do not change # Do not change
system.stateVersion = "22.11"; system.stateVersion = "22.11";
} }