authorGregor Kleen <gkleen@yggdrasil.li>2022-11-08 09:38:18 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-11-08 09:38:18 +0100
commite1cae7cc17d7ad9d062bf7f561ee90712b51b5e8 (patch)
treef9c0a3271c6d5b5c20f4df86de98013039b30a7d
parentac9bdcb42a3396268aebda74b7a69b1a6a4117b5 (diff)
...
-rw-r--r--hosts/surtr/prometheus/default.nix6
-rw-r--r--hosts/surtr/tls/default.nix6
2 files changed, 9 insertions, 3 deletions
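--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -203,6 +203,12 @@ in {
 };
 };
 
+systemd.services.prometheus = {
+serviceConfig = {
+SystemCallFilter = mkForce [ "@system-service" "~@privileged" ];
+};
+};
+
 sops.secrets."prometheus.key" = {
 format = "binary";
 sopsFile = ./tls.key;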
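Review bot: The `mkForce` on `SystemCallFilter` in the new `systemd.services.prometheus.serviceConfig` block has no comment saying which entry of the module-provided filter is being dropped or why. `mkForce` replaces the whole list rather than extending it, so any syscall group the NixOS prometheus module denies beyond `~@privileged` is presumably allowed again, and later upstream tightening of that list will be silently ignored on this host. The upstream value is not visible in this hunk, so please record the intent next to the override, for example `# mkForce: upstream also denies <syscall group>, which prometheus needs here for <reason>`. Comparing `systemd-analyze security prometheus.service` before and after the change would confirm that only the intended group was relaxed.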
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index d4eb1fb0..0a3024d2 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -8,7 +8,7 @@ let
8 tsigSecretName = domain: "${domain}_tsig-secret"; 8 tsigSecretName = domain: "${domain}_tsig-secret";
9 9
10 cfg = config.security.acme; 10 cfg = config.security.acme;
11 11
12 domainOptions = { 12 domainOptions = {
13 options = { 13 options = {
14 wildcard = mkOption { 14 wildcard = mkOption {
@@ -34,10 +34,10 @@ in {
34 }; 34 };
35 }; 35 };
36 }; 36 };
37 37
38 config = { 38 config = {
39 security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; }); 39 security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; });
40 40
41 fileSystems."/var/lib/acme" = 41 fileSystems."/var/lib/acme" =
42 { device = "surtr/safe/var-lib-acme"; 42 { device = "surtr/safe/var-lib-acme";
43 fsType = "zfs"; 43 fsType = "zfs";