docs: fix remaining spec issues

- Remove unused tmpfiles rule (using named volume)
- Remove redundant firewall config (nginx module handles 443)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ashisgreat22 2026-03-18 19:03:00 +01:00
parent 70016fe9c4
commit fd5d3f3a7c


@ -166,15 +166,7 @@ virtualisation.oci-containers.containers."adguard" = {
**Notes:** **Notes:**
- Container runs with minimal capabilities (`--cap-drop=ALL`) - Container runs with minimal capabilities (`--cap-drop=ALL`)
- Config file is read-only (managed by Nix/SOPS) - Config file is read-only (managed by Nix/SOPS)
- `adguard-data` volume persists stats and query logs - `adguard-data` named volume persists stats and query logs (no host directory needed)
### Data Directory
```nix
systemd.tmpfiles.rules = [
"d /var/lib/adguard 0755 root root -"
];
```
### SOPS Template for AdGuardHome.yaml ### SOPS Template for AdGuardHome.yaml
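Review bot: The reworded `adguard-data` bullet says no host directory is needed, but with the `### Data Directory` section gone the spec no longer says where the stats and query logs live or who can read them. The removed rule at least pinned `/var/lib/adguard` to `0755 root root`. DNS query logs are sensitive, so add a sentence to the Notes stating that the named volume lives in the container backend's volume storage and how it is covered by backup and access restrictions. Also confirm that nothing else in the spec still references `/var/lib/adguard`, for example in a volume mapping or backup path.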
@ -276,9 +268,6 @@ services.nginx.virtualHosts."${cfg.domain}" = {
# Ensure nginx user can access ACME certs # Ensure nginx user can access ACME certs
users.users.nginx.extraGroups = [ "acme" ]; users.users.nginx.extraGroups = [ "acme" ];
# Open HTTPS port
networking.firewall.allowedTCPPorts = [ 443 ];
``` ```
**Security Notes:** **Security Notes:**
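Review bot: Dropping `networking.firewall.allowedTCPPorts = [ 443 ];` after the ACME group line leaves this snippet with nothing that opens the HTTPS port, and the spec does not say what opens it instead. The commit message states the nginx module handles 443, but the upstream NixOS `services.nginx` options do not open firewall ports on their own, so with the firewall enabled the virtual host would be unreachable unless another module in this repo adds the rule. Name the module or option that opens 443 in a comment here or under Security Notes, so a reader applying only this section knows where the rule comes from.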