From 2db344f91f27dbefaf211aaf1ad6f4370b1d18cb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 13 Apr 2026 22:52:35 +0000
Subject: [PATCH 1/2] Initial plan

From b86fe94d82cc0780263a577e4b2a813cacdfed96 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 13 Apr 2026 22:55:37 +0000
Subject: [PATCH 2/2] Fix: BTCPay off by default in Node role, Caddy conditional ACME/ports

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/2e2b84a8-c5e9-4eea-8bee-fc587bb3a6fa
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 app/sovran_systemsos_web/server.py | 2 +-
 configuration.nix | 4 ++--
 modules/bitcoinecosystem.nix | 2 +-
 modules/core/caddy.nix | 24 +++++++++++++++++++++++-
 modules/core/role-logic.nix | 1 +
 modules/core/roles.nix | 2 +-
 6 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index 19b698b..6500e7e 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -291,7 +291,7 @@ _PORTS_ELEMENT_CALLING = _PORTS_WEB + [
 
 SERVICE_PORT_REQUIREMENTS: dict[str, list[dict]] = {
     # Infrastructure
-    "caddy.service": _PORTS_WEB,
+    "caddy.service": [],
     # Communication
     "matrix-synapse.service": _PORTS_MATRIX_FEDERATION,
     "livekit.service": _PORTS_ELEMENT_CALLING,
diff --git a/configuration.nix b/configuration.nix
index 55032cc..2f2686d 100644
--- a/configuration.nix
+++ b/configuration.nix
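Review bot: Setting `"caddy.service": []` makes the port-requirement map state that Caddy needs no inbound ports, while the same commit has modules/core/caddy.nix open 80/443 whenever any domain-based service is enabled; the Nix-side rule is conditional and this flat list cannot express that, so whatever consumes SERVICE_PORT_REQUIREMENTS (not visible in this hunk) will under-report Caddy's exposure whenever a vhost is active. A short comment on the entry would keep the two sides in sync for the next maintainer, e.g. `"caddy.service": [],  # 80/443 are opened by modules/core/caddy.nix only when a domain-based service is enabled`. The SERVICE_PORT_REQUIREMENTS literal continues past the end of the hunk.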
@@ -31,8 +31,8 @@
   networking.hostName = "nixos";
   networking.networkmanager.enable = true;
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 8448 3051 ];
-  networking.firewall.allowedUDPPorts = [ 80 443 8448 3051 5353 ];
+  networking.firewall.allowedTCPPorts = [ 8448 3051 ];
+  networking.firewall.allowedUDPPorts = [ 8448 3051 5353 ];
 
   # ── Avahi (mDNS) ───────────────────────────────────────────
   services.avahi = {
diff --git a/modules/bitcoinecosystem.nix b/modules/bitcoinecosystem.nix
index c40a8a4..76f4166 100755
--- a/modules/bitcoinecosystem.nix
+++ b/modules/bitcoinecosystem.nix
@@ -55,7 +55,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
   };
 
   services.btcpayserver = {
-    enable = true;
+    enable = config.sovran_systemsOS.web.btcpayserver;
   };
 
   services.btcpayserver.lightningBackend = "lnd";
diff --git a/modules/core/caddy.nix b/modules/core/caddy.nix
index 1736e6c..7d032d3 100755
--- a/modules/core/caddy.nix
+++ b/modules/core/caddy.nix
@@ -3,6 +3,16 @@ let
   exposeBtcpay = config.sovran_systemsOS.web.btcpayserver;
   extraVhosts = config.sovran_systemsOS.caddy.extraVirtualHosts;
+
+  # True when any service needs HTTPS/ACME (domain-based vhosts)
+  needsHttpsPorts =
+    config.sovran_systemsOS.web.btcpayserver
+    || config.sovran_systemsOS.services.synapse
+    || config.sovran_systemsOS.services.wordpress
+    || config.sovran_systemsOS.services.nextcloud
+    || config.sovran_systemsOS.services.vaultwarden
+    || config.sovran_systemsOS.features.haven
+    || config.sovran_systemsOS.features.element-calling;
 in
 {
   services.caddy = {
@@ -11,6 +21,10 @@ in
     group = "root";
   };
 
+  # Only open ports 80/443 when at least one domain-based service is active
+  networking.firewall.allowedTCPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+
   systemd.tmpfiles.rules = [
     "d /var/lib/domains 0755 caddy root -"
   ];
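Review bot: The new `networking.firewall.allowedTCPPorts = [ 8448 3051 ];` still opens 8448 and 3051 unconditionally on every host, which is the same always-open pattern this commit removes for 80/443; 8448 is conventionally the Matrix federation port, so a node with `services.synapse` disabled keeps an inbound rule with nothing listening behind it. Moving 8448 into the Synapse module under the same `lib.mkIf` style that caddy.nix now uses, and documenting what 3051 serves on the remaining line, would finish the least-privilege change this commit starts, e.g. `networking.firewall.allowedTCPPorts = [ 3051 ]; # 3051: <service — fill in>; 8448 is opened by the Synapse module`. The hunk does not show what 3051 belongs to, so that comment text is the author's to fill in; the same applies to the UDP list on the next line.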
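Review bot: `enable = config.sovran_systemsOS.web.btcpayserver;` ties BTCPay to an option that modules/core/caddy.nix also reads as `exposeBtcpay`, but this block sits under `lib.mkIf config.sovran_systemsOS.services.bitcoin`, so `web.btcpayserver = true` with `services.bitcoin = false` leaves BTCPay disabled while Caddy — if exposeBtcpay drives a vhost, which this diff does not show — still publishes a hostname with no backend. An assertion would turn that combination into a build-time error instead of a silently dead public vhost: `assertions = [ { assertion = config.sovran_systemsOS.web.btcpayserver -> config.sovran_systemsOS.services.bitcoin; message = "sovran_systemsOS.web.btcpayserver requires sovran_systemsOS.services.bitcoin"; } ];`. It has to be placed outside the `mkIf` (for example via `lib.mkMerge`) or it is itself suppressed when bitcoin is off; the enclosing attribute set begins before this hunk.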
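Review bot: `needsHttpsPorts` enumerates seven fixed options but ignores `extraVhosts`, bound two lines above it from `config.sovran_systemsOS.caddy.extraVirtualHosts`; a deployment that relies only on extra virtual hosts would get no 80/443 firewall rule from this file and, judging by the later Caddyfile hunk, no ACME global config either. Adding the extra hosts to the predicate closes that gap, e.g. `|| extraVhosts != {}` (or `!= []`, whichever empty value the option's type has — its declaration is not in this diff). The let-block's `in` is visible, so the expression is complete within the hunk.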
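Review bot: `networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];` opens UDP/80, which no HTTP variant uses, and UDP/443, which only matters if Caddy actually serves HTTP/3; the previous global list in configuration.nix had the same pair, so this hunk carries it forward rather than introducing it, but the conditional rewrite is the natural place to trim it. Unless HTTP/3 is deliberately enabled in the Caddyfile (the heredoc hunk is cut off in this diff, so I cannot confirm either way), `networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 443 ];` or dropping the UDP line entirely keeps the exposed surface to what is listened on. These lines sit at module top level; the enclosing attribute set begins before the hunk.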
@@ -55,12 +69,20 @@ in HAVEN=$(read_domain haven) ACME_EMAIL=$(read_domain sslemail) - # Start with global config + # Start with global config — use ACME only when domain-based services are active + ${if needsHttpsPorts then '' cat > /run/caddy/Caddyfile < /run/caddy/Caddyfile <