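{ config, ... }:

let
  # Fixed uid for the service account. It is reused as the uid the container
  # runs as and as the owner of the persistent certs directory below.
  UID = 1100;
in {
  # Secrets are provisioned by the host's `desu.secrets` module and read back
  # via config.desu.secrets.<name>.path.
  desu.secrets.license-servers-env.owner = "license-servers";
  # The registry credential is consumed by the container runtime (root), so no
  # owner override is needed here.
  desu.secrets.forgejo-packages-token = {};
  desu.secrets.cloudflare-email.owner = "acme";
  desu.secrets.cloudflare-token.owner = "acme";

  # Pin the acme gid so the numeric --group-add below is stable across rebuilds.
  users.groups.acme.gid = 993;
  users.users.license-servers = {
    isNormalUser = true;
    # acme group membership is what lets the container read the cert/key files
    # under /var/lib/acme/<domain>.
    extraGroups = [ "acme" ];
    uid = UID;
  };

  virtualisation.oci-containers.containers.license-servers = {
    # NOTE(review): ":latest" is a mutable tag, so whatever the registry serves
    # at pull time is what runs here. Pin to an immutable digest
    # (image@sha256:...) once the intended build is known.
    image = "git.stupid.fish/zachem/license-servers:latest";
    login = {
      registry = "https://git.stupid.fish";
      username = "teidesu";
      passwordFile = config.desu.secrets.forgejo-packages-token.path;
    };
    environment = {
      PUBLIC_HOSTNAME = "license.stupid.fish";
      # Both files come from the read-only ACME bind mount below.
      TLS_KEY_FILE = "/mnt/acme/key.pem";
      TLS_CERT_FILE = "/mnt/acme/cert.pem";
    };
    environmentFiles = [
      config.desu.secrets.license-servers-env.path
    ];
    # Run unprivileged inside the container; the acme gid is added via --group-add.
    user = toString UID;
    extraOptions = [
      "--group-add=${toString config.users.groups.acme.gid}"
      "--mount=type=bind,source=/srv/license-servers/certs,target=/app/certs"
      # The ACME state dir holds the private key and is renewed by the host's
      # acme service. Mount it read-only so a compromised app cannot tamper
      # with or replace the key/cert material; the app only needs to read it.
      "--mount=type=bind,source=/var/lib/acme/license.stupid.fish,target=/mnt/acme,readonly"
    ];
    ports = [
      "80:80"
      "443:443"
    ];
  };

  # `requires` alone does not order startup: without `after`, on a fresh host
  # the container can start before the certificate exists and fail to read
  # /mnt/acme/key.pem. Both directives are needed.
  systemd.services.docker-license-servers = {
    requires = [ "acme-finished-license.stupid.fish.target" ];
    after = [ "acme-finished-license.stupid.fish.target" ];
  };

  systemd.tmpfiles.rules = [
    # Owner-only persistent dir for the app's own cert material. The gid is
    # numeric; with isNormalUser the account's primary group is not 1100, so
    # this may not map to a declared group — confirm that is intended.
    "d /srv/license-servers/certs 0700 ${toString UID} ${toString UID} -"
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults = {
    email = "alina@tei.su";
    dnsProvider = "cloudflare";
    # NOTE(review): CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY is the account-wide
    # Global API Key. If the stored secret is (or can be) a scoped API token
    # limited to DNS edits on this zone, switch to CLOUDFLARE_DNS_API_TOKEN_FILE
    # so a leak of this file cannot take over the whole Cloudflare account —
    # confirm which credential is actually stored before changing it.
    credentialFiles = {
      "CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path;
      "CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path;
    };
  };
  security.acme.certs = {
    "license.stupid.fish" = {};
  };

  # Ports published by the container runtime are typically reachable even
  # without this rule; keeping it explicit documents the intended exposure.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}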