titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

site-config: dedupe cross-host values, fix stale dark-reader urls, drop desktop 1g hugepages

Browse Source 
new site-config.nix holds values previously duplicated across hosts:
  domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
  dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
  ssh_keys.{laptop,desktop,ci_deploy}.

threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.

breakage fixes rolled in:
 - home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
   disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
   these never fired and the new sigkill urls were getting dark-reader applied)
 - modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
   kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
   its own via services/monero/xmrig.nix)

verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.
This commit is contained in:
Simon Gardling
2026-04-22 20:48:29 -04:00
parent 8cdb9c4381
commit d00ff42e8e
28 changed files with 190 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
services/caddy/caddy.nix
View File

@@ -1,5 +1,6 @@
{
config,
site_config,
service_configs,
pkgs,
lib,
@@ -42,8 +43,8 @@ let
'';
};
newDomain = service_configs.https.domain;
oldDomain = service_configs.https.old_domain;
newDomain = site_config.domain;
oldDomain = site_config.old_domain;
in
{
imports = [
@@ -54,7 +55,7 @@ in
services.caddy = {
enable = true;
email = "titaniumtown@proton.me";
email = site_config.contact_email;
# Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
package = pkgs.caddy.withPlugins {
@@ -146,8 +147,9 @@ in
# defaults: maxretry=5, findtime=10m, bantime=10m
# Ignore local network IPs - NAT hairpinning causes all LAN traffic to
# appear from the router IP (192.168.1.1). Banning it blocks all internal access.
ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
# appear from the router IP (site_config.lan.gateway). Banning it
# blocks all internal access.
ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
};
filter.Definition = {
# Only match 401s where an Authorization header was actually sent.