Commit message

Without this option all changes done with Caddy API are lost after reboot.
The current service does not support the Caddy --resume parameter. There is a reference to the original unit https://github.com/caddyserver/dist/blob/master/init/caddy.service which also mentions --resume and that it should be used if the new Caddy API will be used.

nixos/caddy: update ca option

The generated json configuration returns this warning:
the 'issuer' field is deprecated and will be removed in the future; use 'issuers' instead
Updated the config to use "issuers" instead of "issuer"
Also, now it's possible to set the ca option null to not inject
automatically any ca. This is useful if you don't want to generate any
certificates or if you want to define a more fine-grained ca config
manually (e.g.: use different ca per domain)

This allows the user to manually specify the addresses nginx should
listen on, while still having the convenience to use the *SSL options
and have the ports automatically applied

Some ACME providers (like Buypass) are using a different certificate
to sign OCSP responses than for server certificates. Therefore,
sslTrustedCertificate should be provided by the user and we need to
allow that.

nixos/minio: replace deprecated variables

treewide: remove duplicates SystemCallFilters

As of 67a5d66 this is no longer true, since acme postRun runs as root.
The idea of the service is good so reword a comment a bit.

`allowKeysForGroup` is no longer available so this drops
```
security.acme.certs."example.com".allowKeysForGroup = true;
```
line. `SupplementaryGroups` should be enough for
allowing access to certificates.

nixos/nginx: add option to change proxy timeouts

treewide: remove gnidorah

due to GitHub account removal/deletion and no other means of contact.

nixos/caddy: support user and group options

nixos/httpd: provide a stable path stable path to the configuration f…

reloads

nixos/trafficserver: init

- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
filesystem and `ProcSubset` hides all files/directories unrelated to
the process management of the unit's process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
@obsolete and others.
And finally applies some sorting based on the order these options appear
in systemd.exec(5).

nixos/nginx: set isSystemUser

Co-authored-by: Sandro <sandro.jaeckel@gmail.com>

* nixos/nginx: add upstreams examples
I am not fully sure if they are fully correct but they deployed the right syntax.
* nixos/nginx: use literal example
* Update nixos/modules/services/web-servers/nginx/default.nix
* Update nixos/modules/services/web-servers/nginx/default.nix

This reverts commit 2d3200e010cc4c6fae62d9f6c31357cb97d606d4.

nixos/minio: allow multiple data directories for erasure coding

This allows http keep-alive by default which requires http 1.1.

discourse: Add package and NixOS module

useACMEHost doesn't work properly, because I forgot to actually define
the variable that is being relied upon here. Oops.

According to the nginx documentation [1] those values cannot usually exceed 75 seconds.
The defaults are 60s and should probably be lowered to something reasonable like 20 or 30 seconds.
[1] https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout