diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-11-08 09:38:18 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-11-08 09:38:18 +0100 |
commit | e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8 (patch) | |
tree | f9c0a3271c6d5b5c20f4df86de98013039b30a7d | |
parent | ac9bdcb42a3396268aebda74b7a69b1a6a4117b5 (diff) | |
download | nixos-e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8.tar nixos-e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8.tar.gz nixos-e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8.tar.bz2 nixos-e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8.tar.xz nixos-e1cae7cc17d7ad9d062bf7f561ee90712b51b5e8.zip |
...
-rw-r--r-- | hosts/surtr/prometheus/default.nix | 6 | ||||
-rw-r--r-- | hosts/surtr/tls/default.nix | 6 |
2 files changed, 9 insertions, 3 deletions
diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix index 0f0cf586..685d117b 100644 --- a/hosts/surtr/prometheus/default.nix +++ b/hosts/surtr/prometheus/default.nix | |||
@@ -203,6 +203,12 @@ in { | |||
203 | }; | 203 | }; |
204 | }; | 204 | }; |
205 | 205 | ||
206 | systemd.services.prometheus = { | ||
207 | serviceConfig = { | ||
208 | SystemCallFilter = mkForce [ "@system-service" "~@privileged" ]; | ||
209 | }; | ||
210 | }; | ||
211 | |||
206 | sops.secrets."prometheus.key" = { | 212 | sops.secrets."prometheus.key" = { |
207 | format = "binary"; | 213 | format = "binary"; |
208 | sopsFile = ./tls.key; | 214 | sopsFile = ./tls.key; |
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index d4eb1fb0..0a3024d2 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix | |||
@@ -8,7 +8,7 @@ let | |||
8 | tsigSecretName = domain: "${domain}_tsig-secret"; | 8 | tsigSecretName = domain: "${domain}_tsig-secret"; |
9 | 9 | ||
10 | cfg = config.security.acme; | 10 | cfg = config.security.acme; |
11 | 11 | ||
12 | domainOptions = { | 12 | domainOptions = { |
13 | options = { | 13 | options = { |
14 | wildcard = mkOption { | 14 | wildcard = mkOption { |
@@ -34,10 +34,10 @@ in { | |||
34 | }; | 34 | }; |
35 | }; | 35 | }; |
36 | }; | 36 | }; |
37 | 37 | ||
38 | config = { | 38 | config = { |
39 | security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; }); | 39 | security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; }); |
40 | 40 | ||
41 | fileSystems."/var/lib/acme" = | 41 | fileSystems."/var/lib/acme" = |
42 | { device = "surtr/safe/var-lib-acme"; | 42 | { device = "surtr/safe/var-lib-acme"; |
43 | fsType = "zfs"; | 43 | fsType = "zfs"; |