mirror of
https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
synced 2026-01-19 09:29:13 +01:00
53 lines
1.3 KiB
Nix
53 lines
1.3 KiB
Nix
{ config, lib, values, ... }:
|
|
let
|
|
cfg = config.services.journald.remote;
|
|
domainName = "journald.pvv.ntnu.no";
|
|
in
|
|
{
|
|
security.acme.certs.${domainName} = {
|
|
webroot = "/var/lib/acme/acme-challenge/";
|
|
group = config.services.nginx.group;
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts.${domainName} = {
|
|
forceSSL = true;
|
|
useACMEHost = "${domainName}";
|
|
locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
|
|
};
|
|
};
|
|
|
|
services.journald.upload.enable = lib.mkForce false;
|
|
|
|
services.journald.remote = {
|
|
enable = true;
|
|
settings.Remote = let
|
|
inherit (config.security.acme.certs.${domainName}) directory;
|
|
in {
|
|
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
|
|
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
|
|
TrustedCertificateFile = "-";
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ cfg.port ];
|
|
|
|
systemd.sockets."systemd-journal-remote".socketConfig = {
|
|
IPAddressDeny = "any";
|
|
IPAddressAllow = [
|
|
"127.0.0.1"
|
|
"::1"
|
|
values.ipv4-space
|
|
values.ipv6-space
|
|
];
|
|
|
|
LoadCredential = let
|
|
inherit (config.security.acme.certs.${domainName}) directory;
|
|
in [
|
|
"key.pem:${directory}/key.pem"
|
|
"cert.pem:${directory}/cert.pem"
|
|
];
|
|
};
|
|
}
|