# NixOS module: runs MollySocket on a loopback-only listener and publishes it
# through a Caddy virtual host.
{
  config,
  service_configs,
  lib,
  ...
}:
let
  # State directory passed to both project helpers in `imports`.
  stateDir = "/var/lib/private/mollysocket";

  # One private port, used by the service listener and by the Caddy upstream,
  # so the two cannot drift apart.
  listenPort = service_configs.ports.private.mollysocket.port;
in
{
  imports = [
    # Project helper (defined outside this file); presumably makes the service
    # depend on the SSD zpool holding its state directory. Confirm in lib.
    (lib.serviceMountWithZpool "mollysocket" service_configs.zpool_ssds [ stateDir ])

    # The rule string has the shape of a systemd-tmpfiles "Z" line: mode 0700,
    # owner root:root on the state directory (recursive, if it is tmpfiles).
    # NOTE(review): /var/lib/private suggests a DynamicUser unit; confirm that
    # root ownership here is what the unit expects at start-up.
    (lib.serviceFilePerms "mollysocket" [ "Z ${stateDir} 0700 root root" ])
  ];

  services.mollysocket = {
    enable = true;

    # Environment file comes from an age secret declared outside this file, so
    # its contents are not written into this module.
    # It is expected to carry MOLLY_ALLOWED_UUIDS (allowed_uuids is not set in
    # `settings`). Nothing here enforces that the variable is present; verify
    # the secret defines it, since it is the account allow-list.
    environmentFile = config.age.secrets.mollysocket-env.path;

    settings = {
      # Loopback only: in this file the Caddy virtual host is the sole route in.
      host = "127.0.0.1";
      port = listenPort;

      # Explicitly allow our self-hosted ntfy instance.
      # Local-network endpoints are denied by default for security, so keep
      # this list to the single ntfy origin rather than widening it.
      allowed_endpoints = [ "https://${service_configs.ntfy.domain}" ];
    };
  };

  # h2c is cleartext HTTP/2 to the upstream; the hop stays on 127.0.0.1.
  # No authentication is added at the proxy layer in this file.
  services.caddy.virtualHosts.${service_configs.mollysocket.domain}.extraConfig = ''
    reverse_proxy h2c://127.0.0.1:${toString listenPort}
  '';
}