Imports the tide nixos module from the TIDE flake and configures it for tide.yisroelbaum.com (frontend) and apitide.yisroelbaum.com (backend), reusing the existing wildcard ACME cert. Secrets are pulled from sops-encrypted secrets/tide.yaml; replace the placeholder with real encrypted content before deploy.
{
  domainName,
  ...
}:

let
  # Name of the sops secret. The path handed to services.tide below is
  # the sops-nix default location for a secret of this name, so the two
  # must stay in step.
  secretName = "tide-env";
in
{
  services = {
    tide = {
      enable = true;
      domain = "tide.${domainName}";
      apiDomain = "apitide.${domainName}";
      secretsFile = "/run/secrets/${secretName}";
      # The wildcard cert for *.${domainName} is already issued in
      # configuration.nix; point nginx at that ACME host entry rather
      # than requesting one certificate per subdomain.
      nginx.useACMEHost = domainName;
    };
  };

  sops = {
    # Skip the evaluation-time existence check for sops files so that a
    # fresh checkout without secrets/tide.yaml still evaluates. This
    # option is global: it also disables the check for every other sops
    # file in the configuration, not just this one. sops-install-secrets
    # still fails at activation time when the file is absent, which is
    # where that failure belongs.
    validateSopsFiles = false;

    secrets.${secretName} = {
      sopsFile = ./secrets/tide.yaml;
      # phpfpm reads this through EnvironmentFile while still running as
      # root, before dropping to the tide user, so root-only access is
      # sufficient.
      mode = "0400";
    };
  };
}