authorMel <mel@rnrd.eu>2025-04-19 05:03:08 +0200
committerMel <mel@rnrd.eu>2025-04-19 05:03:08 +0200
commite5a55144aae9b487c8ce97022508be0c1f6d6e04 (patch)
tree47e7ad850e953eac8e05132b7a6930b611d78e8f /modules/foundation
parentb0865ada5b4dffa0471f046cf8420ed34c587131 (diff)
Remove cyclic service dependency between tailnet certificate and Nginx
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/foundation')
-rw-r--r--modules/foundation/www/tailnet.nix79
1 files changed, 43 insertions, 36 deletions
diff --git a/modules/foundation/www/tailnet.nix b/modules/foundation/www/tailnet.nix
index b361fef..90c21e2 100644
--- a/modules/foundation/www/tailnet.nix
+++ b/modules/foundation/www/tailnet.nix
@@ -76,47 +76,54 @@ in
     tailnet = lib.mkEnableOption "tailnet internal host";
   };
 
-  config =
-    lib.mkIf (cfg.enable && cfg.tailnet) {
-      foundation.tailnetServices = [
-        "nginx"
-        "acme-${me.tailscale.domain}"
-      ];
+  config = lib.mkIf (cfg.enable && cfg.tailnet) {
+    security.acme.certs.${me.tailscale.domain} = {
+      # since we replace the renew script, the dns provider is not important,
+      # however, we can't have the configuration thinking that the acme
+      # renewal service depends on nginx, so instead it's a "dns certificate".
+      dnsProvider = "dummy";
+      webroot = null;
+    };
 
-      # overwrite default acme behaviour with tailscale
-      systemd.services."acme-${me.tailscale.domain}" = {
-        serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";
-      };
+    # overwrite default acme behaviour with tailscale
+    systemd.services."acme-${me.tailscale.domain}" = {
+      serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";
+    };
 
-      # tailnet internal vhost
-      services.nginx.virtualHosts = {
-        # mostly superceded
-        tailnet = {
-          forceSSL = true;
-          enableACME = true;
-          serverName = me.tailscale.domain;
-          listenAddresses = [ me.tailscale.ip ];
-          # point to the default page, for now!
-          locations."/" = {
-            alias = "${cfg.defaultPage}/";
-          };
-          extraConfig = ''
-            access_log /var/log/nginx/tailnet.access.log json_combined;
-          '';
+    # tailnet internal vhost
+    services.nginx.virtualHosts = {
+      # mostly superceded
+      tailnet = {
+        forceSSL = true;
+        enableACME = true;
+        serverName = me.tailscale.domain;
+        listenAddresses = [ me.tailscale.ip ];
+        # point to the default page, for now!
+        locations."/" = {
+          alias = "${cfg.defaultPage}/";
         };
+        extraConfig = ''
+          access_log /var/log/nginx/tailnet.access.log json_combined;
+        '';
+      };
 
-        # default page for the `rnrd.fyi` internal domain
-        ${rnrdInternalUrl} = {
-          useACMEHost = "rnrd.fyi";
-          forceSSL = true;
-          listenAddresses = [ me.tailscale.ip ];
-          locations."/" = {
-            alias = "${cfg.defaultPage}/";
-          };
-          extraConfig = ''
-            access_log /var/log/nginx/tailnet.access.log json_combined;
-          '';
+      # default page for the `rnrd.fyi` internal domain
+      ${rnrdInternalUrl} = {
+        useACMEHost = "rnrd.fyi";
+        forceSSL = true;
+        listenAddresses = [ me.tailscale.ip ];
+        locations."/" = {
+          alias = "${cfg.defaultPage}/";
         };
+        extraConfig = ''
+          access_log /var/log/nginx/tailnet.access.log json_combined;
+        '';
       };
     };
+
+    foundation.tailnetServices = [
+      "nginx"
+      "acme-${me.tailscale.domain}"
+    ];
+  };
 }
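Review bot: The `+` prefix on `ExecStart` (line 48) runs the renewal script with full root privileges, bypassing whatever `User`/`Group` and sandboxing the upstream ACME unit applies, and the hunk gives no hint that this is intentional; a short comment such as `# "+" runs the script as root, outside the acme unit's sandbox; keep its output readable by the nginx group` would make that trade-off visible to the next maintainer. Related to that, `dnsProvider = "dummy"` is introduced purely so the module does not wire the certificate to nginx, but the NixOS ACME module may assert that a cert with `dnsProvider` set also has credentials configured, and the nginx module still registers this cert via `enableACME = true` on the tailnet vhost (line 71), so `webroot = null` may conflict with the nginx-supplied definition unless it carries a priority; both are worth confirming with a build rather than assumed. The enclosing module (the `let … in` and `options` set) starts outside this hunk.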