This commit is contained in:
Motiejus Jakštys 2023-08-14 08:46:41 +03:00
parent 7fcb4b7ad0
commit 98a4ad79f8
2 changed files with 70 additions and 4 deletions


@ -63,8 +63,9 @@
}; };
services = { services = {
# TODO move to grafana service lib
friendlyport.vpn.ports = [ friendlyport.vpn.ports = [
80
443
myData.ports.grafana myData.ports.grafana
myData.ports.prometheus myData.ports.prometheus
myData.ports.exporters.node myData.ports.exporters.node
@ -121,6 +122,18 @@
services = { services = {
tailscale.enable = true; tailscale.enable = true;
caddy = {
enable = true;
acmeCA = null;
virtualHosts."grafana.jakstys.lt" = {
extraConfig = ''
encode gzip
reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
'';
};
};
grafana = { grafana = {
enable = true; enable = true;
provision = { provision = {
@ -187,6 +200,48 @@
}; };
}; };
systemd.services = {
caddy = let
grafanaZone = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
in {
unitConfig.ConditionPathExists = [
grafanaZone.certFile
grafanaZone.keyFile
];
serviceConfig.LoadCredential = [
"grafana.jakstys.lt-cert.pem:${grafanaZone.certFile}"
"grafana.jakstys.lt-key.pem:${grafanaZone.keyFile}"
];
after = ["nsd-acme-grafana.jakstys.lt.service"];
wants = ["nsd-acme-grafana.jakstys.lt.service"];
};
cert-watcher = {
description = "Restart caddy when tls keys/certs change";
wantedBy = ["multi-user.target"];
unitConfig = {
StartLimitIntervalSec = 10;
StartLimitBurst = 5;
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart caddy.service";
};
};
};
systemd.paths = {
cert-watcher = {
wantedBy = ["multi-user.target"];
pathConfig = {
PathChanged = [
config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile
];
Unit = "cert-watcher.service";
};
};
};
networking = { networking = {
hostId = "f9117e1b"; hostId = "f9117e1b";
hostName = "vno1-oh2"; hostName = "vno1-oh2";
@ -200,8 +255,8 @@
} }
]; ];
firewall = { firewall = {
allowedUDPPorts = [53]; allowedUDPPorts = [53 80 443];
allowedTCPPorts = [53]; allowedTCPPorts = [53 80 443];
logRefusedConnections = false; logRefusedConnections = false;
checkReversePath = "loose"; # for tailscale checkReversePath = "loose"; # for tailscale
}; };
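Review bot: The firewall change opens UDP 80 on every interface (`allowedUDPPorts = [53 80 443]`) although nothing in this configuration listens on it; Caddy's HTTP/3 listener needs only UDP 443, so `allowedUDPPorts = [53 443];` is sufficient and avoids a needless exposed port. TCP 80/443 are now also open in the global `networking.firewall`, not merely on the VPN `friendlyport` list at the top of the file — presumably intended since the host serves the public grafana.jakstys.lt vhost, but worth recording with a comment such as `# 80/443: public Caddy vhost for grafana.jakstys.lt, certs from nsd-acme`. Separately, the `cert-watcher` path unit watches only `certFile`; if a renewal can also rewrite the private key, add `config.mj.services.nsd-acme.zones."grafana.jakstys.lt".keyFile` to `PathChanged` so Caddy is never restarted with a cert/key pair that is half-updated. Loading the key through `LoadCredential` rather than pointing Caddy at the `private/` path directly is the right call and deserves a one-line comment saying why.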


@ -55,7 +55,7 @@ in {
zones = lib.mkOption { zones = lib.mkOption {
default = {}; default = {};
type = attrsOf (submodule ( type = attrsOf (submodule (
{...}: { {name, ...}: {
options = { options = {
accountKey = lib.mkOption {type = path;}; accountKey = lib.mkOption {type = path;};
days = lib.mkOption { days = lib.mkOption {
@ -66,6 +66,17 @@ in {
type = bool; type = bool;
default = false; default = false;
}; };
# Warning: paths here are here to be read from. Changing them will
# not place the files somewhere else.
certFile = lib.mkOption {
type = str;
default = "/var/lib/nsd-acme/${name}/${name}/cert.pem";
};
keyFile = lib.mkOption {
type = str;
default = "/var/lib/nsd-acme/${name}/private/${name}/key.pem";
};
}; };
} }
)); ));
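Review bot: The new `certFile`/`keyFile` options carry a comment warning that changing them does not relocate the files, but nothing in the option definitions enforces that: a host overriding `keyFile` would make a consumer (for example a `LoadCredential` entry) read a key the module never wrote, and the mistake would surface only at service start. Declare both options with `readOnly = true;` alongside `type = str;` so an override is rejected at evaluation time, and reword the comment to say that the paths are exported for consumers and cannot be overridden. The doubled `${name}` in the certificate default and the `private/` component in the key default look like the on-disk layout of the underlying ACME tool; if so, a brief comment naming that tool would spare the next reader from guessing. The enclosing `zones` option begins before this hunk and its closing braces lie outside it.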