caddy files

Flake lock file updates:

• Updated input 'secrets':
    'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=84f9be99ee397303cb23dfc8713115088fa7a53d' (2024-04-23)
  → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=d73392f1e37da591bbc2700a37beba60c5bc4648' (2024-04-24)

flake.lock

@@ -165,11 +165,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1713906026,
+        "lastModified": 1713917034,
-        "narHash": "sha256-pI2SocGL1Ev54UXizRL2L6t3UmBFVGGmcSgBmthSeJU=",
+        "narHash": "sha256-TcRTcrx6Y+qZpoOvCu+DNyHWGFOFxL4bDMCD2EvYNsg=",
         "ref": "refs/heads/master",
-        "rev": "84f9be99ee397303cb23dfc8713115088fa7a53d",
+        "rev": "d73392f1e37da591bbc2700a37beba60c5bc4648",
-        "revCount": 23,
+        "revCount": 25,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

hosts/alpha/acme.nix

@@ -1,14 +1,16 @@
 {lib, ...}: {
-  security.acme.certs."caspervk.net" = {
+  security.acme.certs = {
-    domain = "*.caspervk.net";
+    "caspervk.net" = {
-    reloadServices = [
+      domain = "*.caspervk.net";
-      "caddy.service"
+      reloadServices = [
-      "murmur.service"
+        "caddy.service"
-    ];
+        "murmur.service"
-    # The NixOS Caddy module is a little too clever and sets the cert's group
+      ];
-    # to 'caddy', which means other services can't load it. This is not needed
+      # The NixOS Caddy module is a little too clever and sets the cert's group
-    # since we handle the group membership manually.
+      # to 'caddy', which means other services can't load it. This is not needed
-    group = lib.mkForce "acme";
+      # since we handle the group membership manually.
+      group = lib.mkForce "acme";
+    };
   };
   users.groups.acme.members = [
     "caddy"

hosts/delta/acme.nix

@@ -1,10 +1,12 @@
 {...}: {
-  security.acme.certs."caspervk.net" = {
+  security.acme.certs = {
-    domain = "*.caspervk.net";
+    "caspervk.net" = {
-    reloadServices = [
+      domain = "*.caspervk.net";
-      "kresd@1.service"
+      reloadServices = [
-      "kresd@2.service"
+        "kresd@1.service"
-    ];
+        "kresd@2.service"
+      ];
+    };
   };
   users.groups.acme.members = [
     "knot-resolver"

hosts/sigma/acme.nix

@@ -1,13 +1,21 @@
 {lib, ...}: {
-  security.acme.certs."caspervk.net" = {
+  security.acme.certs = {
-    domain = "*.caspervk.net";
+    "caspervk.net" = {
-    reloadServices = [
+      domain = "*.caspervk.net";
-      "caddy.service"
+      reloadServices = [
-    ];
+        "caddy.service"
-    # The NixOS Caddy module is a little too clever and sets the cert's group
+      ];
-    # to 'caddy', which means other services can't load it. This is not needed
+      # The NixOS Caddy module is a little too clever and sets the cert's group
-    # since we handle the group membership manually.
+      # to 'caddy', which means other services can't load it. This is not needed
-    group = lib.mkForce "acme";
+      # since we handle the group membership manually.
+      group = lib.mkForce "acme";
+    };
+    "sudomail.org" = {
+      reloadServices = [
+        "caddy.service"
+      ];
+      group = lib.mkForce "acme";
+    };
   };
   users.groups.acme.members = [
     "caddy"

modules/server/caddy.nix

@@ -20,7 +20,7 @@ lib.mkIf (config.services.caddy.virtualHosts != {}) {
   environment.persistence."/nix/persist" = {
     directories = [
       {
-        directory = "/var/lib/caddy";
+        directory = "/var/www/html";
         user = "caddy";
         group = "caddy";
         mode = "0755";