Compare commits
3 commits
91f37f9023
...
a3b4781bd0
| Author | SHA1 | Date | |
|---|---|---|---|
| a3b4781bd0 | |||
| fe460c9151 | |||
| 10f823a3a6 |
6 changed files with 27 additions and 9 deletions
|
|
@ -1,8 +1,7 @@
|
||||||
{
|
{
|
||||||
lib,
|
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
inputs,
|
inputs,
|
||||||
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
|
|
@ -83,12 +82,12 @@ in
|
||||||
|
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
"nextcloud-secrets.json" = {
|
"nextcloud-secrets.json" = {
|
||||||
file = ../../../secrets/nextcloud-secrets.json.age;
|
file = "${inputs.self}/secrets/nextcloud-secrets.json.age";
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
};
|
};
|
||||||
nextcloud-adminpass = {
|
nextcloud-adminpass = {
|
||||||
file = ../../../secrets/nextcloud-adminpass.age;
|
file = "${inputs.self}/secrets/nextcloud-adminpass.age";
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
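Review bot: The interpolated paths `"${inputs.self}/secrets/nextcloud-secrets.json.age"` and `"${inputs.self}/secrets/nextcloud-adminpass.age"` refer to the whole flake source, where the old relative path literals referred to one file each. This presumably makes the entire repository part of the system closure on the host. The same pattern recurs for `age.secrets.cloudflare` in the two later `-51,7` hunks. The `.age` files are encrypted, but any unencrypted file tracked in the repo would then sit world-readable under `/nix/store` on the host, so it is worth confirming none exists. A comment at the first use would record the constraint, e.g. `# references the whole flake source; keep only encrypted material in the repo`.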
@ -51,7 +51,7 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets.cloudflare = {
|
age.secrets.cloudflare = {
|
||||||
file = ../../../secrets/cloudflare.age;
|
file = "${inputs.self}/secrets/cloudflare.age";
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -67,5 +67,8 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
|
# Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
|
||||||
systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
|
systemd.services.forgejo.serviceConfig = {
|
||||||
|
PrivateMounts = lib.mkForce false;
|
||||||
|
ProtectSystem = lib.mkForce false;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
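Review bot: `ProtectSystem = lib.mkForce false;` lifts the read-only filesystem view for the forgejo unit, but the comment above it still explains only `PrivateMounts`, so nothing in the hunk says why the wider override is needed. If the service only has to write to the bind-mounted directory, keeping the module's setting and listing that directory is the narrower change, e.g. `ReadWritePaths = [ "<bind-mounted dir>" ];` (placeholder, as the path is not visible here). At minimum, extend the comment, e.g. `# ProtectSystem is off because <reason>; forgejo can then write wherever its user has permission`.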
@ -8,10 +8,8 @@
|
||||||
let
|
let
|
||||||
services = inputs.self.services;
|
services = inputs.self.services;
|
||||||
|
|
||||||
# Get all unique domains from shared services on trantor (host = "trantor")
|
|
||||||
localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
|
localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
|
||||||
|
|
||||||
# Generate ACME cert configs for all local domains
|
|
||||||
acmeCerts = lib.genAttrs localDomains (domain: {
|
acmeCerts = lib.genAttrs localDomains (domain: {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
});
|
});
|
||||||
|
|
@ -51,7 +49,7 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets.cloudflare = {
|
age.secrets.cloudflare = {
|
||||||
file = ../../../secrets/cloudflare.age;
|
file = "${inputs.self}/secrets/cloudflare.age";
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,7 @@
|
||||||
|
|
||||||
# other aspects
|
# other aspects
|
||||||
fwupd
|
fwupd
|
||||||
|
podman
|
||||||
]);
|
]);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
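--- a/aspects/lxc.nix
+++ b/aspects/lxc.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+flake.modules.nixos.lxc =
+{
+config,
+lib,
+pkgs,
+...
+}:
+{
+virtualisation.lxc = {
+enable = true;
+unprivilegedContainers = true;
+};
+};
+}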
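Review bot: The inner module function binds `config`, `lib` and `pkgs` but its body uses none of them, so the argument set can shrink to `{ ... }:` like the outer one. Separately, `unprivilegedContainers = true;` has no comment saying who is meant to launch containers. Since the option presumably lets non-root accounts create them, a line such as `# unprivileged LXC for <which users>; no root-owned containers on this host` would make the intent reviewable.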