Fix: BTCPay off by default in Node role, Caddy conditional ACME/ports

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/2e2b84a8-c5e9-4eea-8bee-fc587bb3a6fa Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
2026-04-13 22:55:37 +00:00
parent 2db344f91f
commit b86fe94d82
6 changed files with 29 additions and 6 deletions
--- a/modules/core/caddy.nix
+++ b/modules/core/caddy.nix
@@ -3,6 +3,16 @@
 let
  exposeBtcpay = config.sovran_systemsOS.web.btcpayserver;
  extraVhosts = config.sovran_systemsOS.caddy.extraVirtualHosts;
+
+  # True when any service needs HTTPS/ACME (domain-based vhosts)
+  needsHttpsPorts =
+    config.sovran_systemsOS.web.btcpayserver
+    || config.sovran_systemsOS.services.synapse
+    || config.sovran_systemsOS.services.wordpress
+    || config.sovran_systemsOS.services.nextcloud
+    || config.sovran_systemsOS.services.vaultwarden
+    || config.sovran_systemsOS.features.haven
+    || config.sovran_systemsOS.features.element-calling;
 in
 {
  services.caddy = {
@@ -11,6 +21,10 @@ in
    group = "root";
  };

+  # Only open ports 80/443 when at least one domain-based service is active
+  networking.firewall.allowedTCPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+
  systemd.tmpfiles.rules = [
    "d /var/lib/domains 0755 caddy root -"
  ];
@@ -55,12 +69,20 @@ in
      HAVEN=$(read_domain haven)
      ACME_EMAIL=$(read_domain sslemail)

-      # Start with global config
+      # Start with global config — use ACME only when domain-based services are active
+      ${if needsHttpsPorts then ''
      cat > /run/caddy/Caddyfile <<EOF
 {
  email $ACME_EMAIL
 }
 EOF
+      '' else ''
+      cat > /run/caddy/Caddyfile <<EOF
+{
+  auto_https off
+}
+EOF
+      ''}

      # ── Matrix ──────────────────────────────────────
      if [ -n "$MATRIX" ]; then
--- a/modules/core/role-logic.nix
+++ b/modules/core/role-logic.nix
@@ -5,6 +5,7 @@

    # ── Server+Desktop Role (default) ─────────────────────────
    (lib.mkIf config.sovran_systemsOS.roles.server_plus_desktop {
+      sovran_systemsOS.web.btcpayserver = lib.mkDefault true;
    })

    # ── Desktop Only Role ─────────────────────────────────────
--- a/modules/core/roles.nix
+++ b/modules/core/roles.nix
@@ -55,7 +55,7 @@
    web = {
      btcpayserver = lib.mkOption {
        type = lib.types.bool;
-        default = true;
+        default = false;
        description = "Expose BTCPay Server via Caddy";
      };
    };