This commit is contained in:
Motiejus Jakštys 2023-08-14 08:46:41 +03:00
parent 7fcb4b7ad0
commit 98a4ad79f8
2 changed files with 70 additions and 4 deletions

View File

@ -63,8 +63,9 @@
};
services = {
# TODO move to grafana service lib
friendlyport.vpn.ports = [
80
443
myData.ports.grafana
myData.ports.prometheus
myData.ports.exporters.node
@ -121,6 +122,18 @@
services = {
tailscale.enable = true;
caddy = {
enable = true;
acmeCA = null;
virtualHosts."grafana.jakstys.lt" = {
extraConfig = ''
encode gzip
reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
'';
};
};
grafana = {
enable = true;
provision = {
@ -187,6 +200,48 @@
};
};
systemd.services = {
caddy = let
grafanaZone = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
in {
unitConfig.ConditionPathExists = [
grafanaZone.certFile
grafanaZone.keyFile
];
serviceConfig.LoadCredential = [
"grafana.jakstys.lt-cert.pem:${grafanaZone.certFile}"
"grafana.jakstys.lt-key.pem:${grafanaZone.keyFile}"
];
after = ["nsd-acme-grafana.jakstys.lt.service"];
wants = ["nsd-acme-grafana.jakstys.lt.service"];
};
cert-watcher = {
description = "Restart caddy when tls keys/certs change";
wantedBy = ["multi-user.target"];
unitConfig = {
StartLimitIntervalSec = 10;
StartLimitBurst = 5;
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart caddy.service";
};
};
};
systemd.paths = {
cert-watcher = {
wantedBy = ["multi-user.target"];
pathConfig = {
PathChanged = [
config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile
];
Unit = "cert-watcher.service";
};
};
};
networking = {
hostId = "f9117e1b";
hostName = "vno1-oh2";
@ -200,8 +255,8 @@
}
];
firewall = {
allowedUDPPorts = [53];
allowedTCPPorts = [53];
allowedUDPPorts = [53 80 443];
allowedTCPPorts = [53 80 443];
logRefusedConnections = false;
checkReversePath = "loose"; # for tailscale
};

View File

@ -55,7 +55,7 @@ in {
zones = lib.mkOption {
default = {};
type = attrsOf (submodule (
{...}: {
{name, ...}: {
options = {
accountKey = lib.mkOption {type = path;};
days = lib.mkOption {
@ -66,6 +66,17 @@ in {
type = bool;
default = false;
};
# Warning: paths here are here to be read from. Changing them will
# not place the files somewhere else.
certFile = lib.mkOption {
type = str;
default = "/var/lib/nsd-acme/${name}/${name}/cert.pem";
};
keyFile = lib.mkOption {
type = str;
default = "/var/lib/nsd-acme/${name}/private/${name}/key.pem";
};
};
}
));