63 lines
1.5 KiB
Nix
63 lines
1.5 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
|
|
{
|
|
services = {
|
|
hydra = {
|
|
enable = true;
|
|
hydraURL = "hydra.home.opel-online.de";
|
|
listenHost = "localhost";
|
|
notificationSender = "hydra@localhost";
|
|
useSubstitutes = true;
|
|
};
|
|
nix-serve = {
|
|
enable = true;
|
|
port = 5001;
|
|
secretKeyFile = config.age.secrets."keys/nixsign".path;
|
|
};
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"${config.services.hydra.hydraURL}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
listen = [ {
|
|
addr = "127.0.0.1"; port = 3000;
|
|
} ];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme = {
|
|
defaults.email = "webmaster@kabtop.de";
|
|
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
acceptTerms = true;
|
|
certs.${config.services.hydra.hydraURL} = {
|
|
dnsProvider = "netcup";
|
|
environmentFile = config.age.secrets."services/acme/opel-online".path;
|
|
webroot = null;
|
|
};
|
|
};
|
|
|
|
nix = {
|
|
settings.trusted-users = [
|
|
"hydra"
|
|
];
|
|
|
|
extraOptions = ''
|
|
secret-key-files = ${config.age.secrets."keys/nixsign".path}
|
|
'';
|
|
};
|
|
|
|
age.secrets."keys/nixsign" = {
|
|
file = ../../../secrets/keys/nixservepriv.age;
|
|
owner = "hydra";
|
|
};
|
|
age.secrets."services/acme/opel-online" = {
|
|
file = ../../../services/acme/opel-online.age;
|
|
owner = "acme";
|
|
};
|
|
|
|
|
|
}
|