wip
This commit is contained in:
parent
31bb508d8f
commit
005b8e62e5
3 changed files with 4 additions and 2 deletions
@ -99,3 +99,4 @@ Note: `secrets/default.nix` is the agenix recipients file. Agenix looks for `sec
|
||||||
- `gitea-runner` is a `DynamicUser` in the systemd service, so it has no persistent uid. Setting `age.secrets.forgejo-runner-token.owner = "gitea-runner"` causes a chown error at activation; use `owner = "root"` instead (the service reads it via `EnvironmentFile` which runs as root before privilege drop).
|
- `gitea-runner` is a `DynamicUser` in the systemd service, so it has no persistent uid. Setting `age.secrets.forgejo-runner-token.owner = "gitea-runner"` causes a chown error at activation; use `owner = "root"` instead (the service reads it via `EnvironmentFile` which runs as root before privilege drop).
|
||||||
- `secrets/default.nix` must have the public key from `keys/mainframe.pub` as the recipient — if the host SSH keys change, you must also update `mainframe.pub` and re-key all secrets.
|
- `secrets/default.nix` must have the public key from `keys/mainframe.pub` as the recipient — if the host SSH keys change, you must also update `mainframe.pub` and re-key all secrets.
|
||||||
- `pullomatic` uses `/root/.ssh/id_rsa.pem` (a PEM-format SSH key) to pull private git repos.
|
- `pullomatic` uses `/root/.ssh/id_rsa.pem` (a PEM-format SSH key) to pull private git repos.
|
||||||
|
- **ACME cyclic dependency list**: `linux.nix` has a `systemd.services.nginx.after = lib.mkForce [...]` list that breaks a systemd cycle between nginx and ACME services. Every new domain added with `enableACME = true` in `nginx.nix` **must** also have its `acme-selfsigned-<domain>.service` added to this list in `linux.nix`, otherwise nixos-rebuild will fail with a cyclic dependency error.
|
||||||
|
|
|
||||||
|
|
@ -377,6 +377,7 @@ in {
|
||||||
"acme-selfsigned-coldairnetworks.com.service"
|
"acme-selfsigned-coldairnetworks.com.service"
|
||||||
"acme-selfsigned-fbksdigital.com.service"
|
"acme-selfsigned-fbksdigital.com.service"
|
||||||
"acme-selfsigned-forge.quinefoundation.com.service"
|
"acme-selfsigned-forge.quinefoundation.com.service"
|
||||||
|
"acme-selfsigned-hyper.quineglobal.com.service"
|
||||||
"acme-selfsigned-pdxdestiny.com.service"
|
"acme-selfsigned-pdxdestiny.com.service"
|
||||||
"acme-selfsigned-philippeterson.com.service"
|
"acme-selfsigned-philippeterson.com.service"
|
||||||
"acme-selfsigned-riverside.coldairnetworks.com.service"
|
"acme-selfsigned-riverside.coldairnetworks.com.service"
|
||||||
|
|
|
||||||
|
|
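Review bot: The new `"acme-selfsigned-hyper.quineglobal.com.service"` entry extends a hand-maintained `after` list whose enclosing `lib.mkForce [ ... ]` expression starts and ends outside the hunk, so this list and the `enableACME` vhosts in nginx.nix can silently drift apart — the first hunk of this commit documents exactly that failure mode as a rebuild-time cyclic-dependency error. If the override is meant to mirror every ACME-enabled vhost, consider deriving it instead, e.g. `lib.mapAttrsToList (name: _: "acme-selfsigned-${name}.service") (lib.filterAttrs (_: vh: vh.enableACME) config.services.nginx.virtualHosts)`, which keeps the two files in step without a manual edit per domain. If some vhosts are deliberately left out of the list, a short comment on the list saying why would spare the next reader from guessing.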
@ -149,9 +149,9 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
"hyper.quineglobal.com" = {
|
"hyper.quineglobal.com" = {
|
||||||
enableACME = false;
|
enableACME = true;
|
||||||
forceSSL = false;
|
forceSSL = false;
|
||||||
addSSL = false;
|
addSSL = true;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:3013/";
|
proxyPass = "http://127.0.0.1:3013/";
|
||||||
|
|
|
||||||
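Review bot: `hyper.quineglobal.com` now gets an ACME certificate but keeps `forceSSL = false` with `addSSL = true`, so the host is served over plain HTTP as well as HTTPS and nothing redirects clients to the TLS listener; whatever is proxied from `http://127.0.0.1:3013/` is therefore reachable in cleartext, sessions and credentials included. Unless plaintext access is intentional for this host, I'd set `forceSSL = true;` and `addSSL = false;` (the two options are mutually exclusive in the NixOS nginx module, and `forceSSL` still serves the `/.well-known/acme-challenge` location over HTTP, so HTTP-01 issuance keeps working). The vhost attrset opens before the hunk and the `locations."/"` block closes after it, so I cannot see whether a redirect or HSTS setting is configured elsewhere in this definition.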