From 255ea374c0c6c984636b21f69933bb0b18a48403 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Mon, 22 Nov 2021 19:53:43 +0300
Subject: [PATCH 1/7] API controlled timezone, autoupgrades and SSH keys
---
configuration.nix | 4 +--
social/pleroma.nix | 6 ++---
userdata/schema.json | 17 +++++++++++++
users.nix | 2 ++
variables-module.nix | 59 +++++++++++++++++++++++++++++++++++++-------
5 files changed, 74 insertions(+), 14 deletions(-)
diff --git a/configuration.nix b/configuration.nix
index e33f4e8..1281ac4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -59,8 +59,8 @@ in
 environment.variables = {
 DOMAIN = config.services.userdata.domain;
 };
- system.autoUpgrade.enable = true;
- system.autoUpgrade.allowReboot = false;
+ system.autoUpgrade.enable = config.services.userdata.autoUpgrade.enable;
+ system.autoUpgrade.allowReboot = config.services.userdata.autoUpgrade.allowReboot;
 system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.05-small;
 nix = {
 optimise.automatic = true;
diff --git a/social/pleroma.nix b/social/pleroma.nix
index ef4eeb9..8e918cf 100644
--- a/social/pleroma.nix
+++ b/social/pleroma.nix
@@ -15,9 +15,9 @@ in
 group = "pleroma";
 configs = [
 (builtins.replaceStrings
- [ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ]
- [ cfg.domain cfg.username cfg.databasePassword ]
- (builtins.readFile ./config.exs))
+ [ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ]
+ [ cfg.domain cfg.username cfg.databasePassword ]
+ (builtins.readFile ./config.exs))
 ];
 };
 postgresql = {
diff --git a/userdata/schema.json b/userdata/schema.json
index b6548ff..5115459 100644
--- a/userdata/schema.json
+++ b/userdata/schema.json
@@ -3,6 +3,17 @@
 "$id": "https://git.selfprivacy.org/inex/selfprivacy-nixos-config/raw/branch/master/userdata/schema.json",
 "type": "object",
 "properties": {
+ "autoUpgrade": {
+ "type": "object",
+ "properties": {
+ "enable": {
+ "type": "boolean"
+ },
+ "allowReboot": {
+ "type": "boolean"
+ }
+ }
+ },
 "hostname": {
 "type": "string"
 },
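Review bot: `config.services.userdata.autoUpgrade.enable` and `.allowReboot` are declared later in this patch (variables-module.nix) as `types.nullOr types.bool`, so a null written into userdata now reaches `system.autoUpgrade.enable` and `system.autoUpgrade.allowReboot`, which are plain bool options and reject null at evaluation time, leaving the host unable to rebuild from its own config. Both new options carry non-null defaults, so `type = types.bool;` on each of them is the simplest fix; the alternative is to coalesce here, e.g. `system.autoUpgrade.allowReboot = config.services.userdata.autoUpgrade.allowReboot == true;`. Whichever is chosen, the same decision should be applied consistently to both options, since a null in either one breaks the whole evaluation.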
@@ -15,6 +26,12 @@ "hashedMasterPassword": { "type": "string" }, + "sshKeys": { + "type": "array", + "items": { + "type": "string" + } + }, "timezone": { "type": "string" }, diff --git a/users.nix b/users.nix index f1b825c..acc5636 100644 --- a/users.nix +++ b/users.nix @@ -9,6 +9,7 @@ in "${cfg.username}" = { isNormalUser = true; hashedPassword = cfg.hashedMasterPassword; + openssh.authorizedKeys.keys = cfg.sshKeys; }; } // builtins.listToAttrs (builtins.map (user: { @@ -16,6 +17,7 @@ in value = { isNormalUser = true; hashedPassword = user.hashedPassword; + openssh.authorizedKeys.keys = user.sshKeys; }; }) cfg.users); diff --git a/variables-module.nix b/variables-module.nix index ead690e..0f347a7 100644 --- a/variables-module.nix +++ b/variables-module.nix @@ -15,6 +15,7 @@ in default = true; type = types.nullOr types.bool; }; + # General server options hostname = mkOption { description = "The hostname of the server."; type = types.nullOr types.str; @@ -25,6 +26,28 @@ in ''; type = types.nullOr types.str; }; + timezone = mkOption { + description = '' + Timezone used by the server + ''; + type = types.nullOr types.str; + default = "Europe/Uzhgorod"; + }; + autoUpgrade = { + enable = mkOption { + description = "Enable auto-upgrade of the server."; + default = true; + type = types.nullOr types.bool; + }; + allowReboot = mkOption { + description = "Allow the server to reboot during the upgrade."; + default = false; + type = types.nullOr types.bool; + }; + }; + ######################## + # Server admin options # + ######################## username = mkOption { description = '' Username that was defined at the initial setup process @@ -37,6 +60,16 @@ in ''; type = types.nullOr types.str; }; + sshKeys = mkOption { + description = '' + SSH keys of the user that was defined at the initial setup process + ''; + type = types.nullOr types.str; + default = [ ]; + }; + ############### + # API options # + ############### api = { token = mkOption { description = '' 
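Review bot: `openssh.authorizedKeys.keys = user.sshKeys;` in the second users.nix hunk fails evaluation for any entry of `cfg.users` that has no `sshKeys` attribute, because `users` is typed `listOf (attrsOf types.anything)` and nothing supplies a per-user default; `openssh.authorizedKeys.keys = user.sshKeys or [ ];` keeps existing user entries working. The first users.nix hunk has the same problem only when `cfg.sshKeys` is null, which its `nullOr` option type permits and which `authorizedKeys.keys`, a list option, rejects. Both hunks pass API-supplied strings to `authorizedKeys.keys` verbatim, and the schema.json hunk only requires each item to be a string, so a value containing a newline would be written as additional authorized_keys entries; rejecting strings that contain newlines, in the API or with an assertion in this module, closes that before the file reaches sshd.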
@@ -52,6 +85,9 @@ in
 type = types.bool;
 };
 };
+ #############
+ # Secrets #
+ #############
 backblaze = {
 bucket = mkOption {
 description = "Bucket name used for userdata backups";
@@ -72,6 +108,9 @@ in
 type = types.nullOr types.str;
 };
 };
+ ##############
+ # Services #
+ ##############
 databasePassword = mkOption {
 description = ''
 Password for the database
@@ -126,12 +165,18 @@ in
 type = types.nullOr types.bool;
 };
 };
+ #############
+ # Backups #
+ #############
 resticPassword = mkOption {
 description = ''
 Password for the restic
 '';
 type = types.nullOr types.str;
 };
+ #########
+ # SSH #
+ #########
 ssh = {
 enable = mkOption {
 default = true;
@@ -142,7 +187,7 @@ in
 Root SSH Keys
 '';
 type = types.nullOr (types.listOf types.str);
- default = [""];
+ default = [ "" ];
 };
 passwordAuthentication = mkOption {
 description = ''
@@ -152,19 +197,15 @@ in
 type = types.nullOr types.bool;
 };
 };
- timezone = mkOption {
- description = ''
- Timezone used by the server
- '';
- type = types.nullOr types.str;
- default = "Europe/Uzhgorod";
- };
+ ###########
+ # Users #
+ ###########
 users = mkOption {
 description = ''
 Users that will be created on the server
 '';
 type = types.nullOr (types.listOf (types.attrsOf types.anything));
- default = [];
+ default = [ ];
 };
 };
 }
From df2453a6fa689a690871cf43e37a39747d2b7dbd Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Wed, 24 Nov 2021 07:53:46 +0200
Subject: [PATCH 2/7] Added rclone config creation
---
files.nix | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/files.nix b/files.nix
index 5c59961..7be3576 100644
--- a/files.nix
+++ b/files.nix
@@ -14,6 +14,12 @@ in CLOUDFLARE_DNS_API_TOKEN=${cfg.cloudflare.apiKey} CLOUDFLARE_ZONE_API_TOKEN=${cfg.cloudflare.apiKey} ''; + rcloneConfig = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] '' + [backblaze] + type = b2 + account = cfg.backblaze.accountId; + key = cfg.backblaze.accountKey; + ''; in [ (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "") @@ -21,6 +27,7 @@ in (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "") "d /var/lib/restic 0600 restic - - -" "f /var/lib/restic/pass 0400 restic - - ${resticPass}" + "f /root/.config/rclone.conf 0400 root root - ${rcloneConfig}" (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "") "f /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" (if cfg.nextcloud.enable then "f /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "") From b9d9af01e277036f7c7bc5e3ac1090f3d77dfb17 Mon Sep 17 00:00:00 2001 From: Inex Code Date: Mon, 29 Nov 2021 22:17:37 +0300 Subject: [PATCH 3/7] Fix wrong type of admin ssh keys --- variables-module.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables-module.nix b/variables-module.nix index 0f347a7..2c465cc 100644 --- a/variables-module.nix +++ b/variables-module.nix @@ -64,7 +64,7 @@ in description = '' SSH keys of the user that was defined at the initial setup process ''; - type = types.nullOr types.str; + type = types.nullOr (types.listOf types.str); default = [ ]; }; ############### From 4c59657fc9093d46d118491c5a92c50f57eb0cee Mon Sep 17 00:00:00 2001 From: Inex Code Date: Tue, 30 Nov 2021 23:49:35 +0300 Subject: [PATCH 4/7] Fix rclone config --- files.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/files.nix b/files.nix index 7be3576..238e29d 100644 --- a/files.nix +++ b/files.nix 
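Review bot: The new tmpfiles rule `"f /root/.config/rclone.conf 0400 root root - ${rcloneConfig}"` interpolates `cfg.backblaze.accountKey` into the rule text, and tmpfiles.d rules are generated into the Nix store, so the B2 account key ends up in a world-readable store path no matter what mode the target file gets. The neighbouring `${resticPass}`, `${nextcloudDBPass}` and `${cloudflareCredentials}` rules already have this property, so this is an existing pattern rather than a defect introduced here, but this commit is the one adding a cloud-storage credential to it and that should be stated in the commit. Keeping the key out of `/nix/store` means writing the file from a source outside Nix evaluation (an activation script or service reading a root-only file), which is a larger change than this patch; until then, every local account on the host should be assumed able to read the key.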
@@ -15,10 +15,10 @@ in CLOUDFLARE_ZONE_API_TOKEN=${cfg.cloudflare.apiKey} ''; rcloneConfig = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] '' - [backblaze] - type = b2 - account = cfg.backblaze.accountId; - key = cfg.backblaze.accountKey; + [backblaze] + type = b2 + account = ${cfg.backblaze.accountId} + key = ${cfg.backblaze.accountKey} ''; in [ From 1ba17b61e7c955579c2317c85ea42a989c095c75 Mon Sep 17 00:00:00 2001 From: Inex Code Date: Thu, 2 Dec 2021 18:16:16 +0300 Subject: [PATCH 5/7] Update API to properly support b2 --- api/api-module.nix | 7 +++++++ api/api.nix | 1 + files.nix | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/api/api-module.nix b/api/api-module.nix index 6b01d37..bd65ad6 100644 --- a/api/api-module.nix +++ b/api/api-module.nix @@ -43,6 +43,12 @@ in B2 account key ''; }; + b2Bucket = mkOption { + type = types.str; + description = '' + B2 bucket + ''; + }; resticPassword = mkOption { type = types.str; description = '' @@ -62,6 +68,7 @@ in ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0"); B2_ACCOUNT_ID = cfg.b2AccountId; B2_ACCOUNT_KEY = cfg.b2AccountKey; + B2_BUCKET = cfg.b2Bucket; RESTIC_PASSWORD = cfg.resticPassword; } // config.networking.proxy.envVars; path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ]; diff --git a/api/api.nix b/api/api.nix index e503220..ff9c106 100644 --- a/api/api.nix +++ b/api/api.nix @@ -6,6 +6,7 @@ enableSwagger = config.services.userdata.api.enableSwagger; b2AccountId = config.services.userdata.backblaze.accountId; b2AccountKey = config.services.userdata.backblaze.accountKey; + b2Bucket = config.services.userdata.backblaze.bucket; resticPassword = config.services.userdata.resticPassword; }; diff --git a/files.nix b/files.nix index 238e29d..ee15e52 100644 --- a/files.nix +++ b/files.nix 
@@ -27,7 +27,7 @@ in
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
 "d /var/lib/restic 0600 restic - - -"
 "f /var/lib/restic/pass 0400 restic - - ${resticPass}"
- "f /root/.config/rclone.conf 0400 root root - ${rcloneConfig}"
+ "f /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
 (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
 "f /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
 (if cfg.nextcloud.enable then "f /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
From bfd2f696a2066149a1bd7e03548c651c05d64ccb Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Thu, 2 Dec 2021 23:30:53 +0300
Subject: [PATCH 6/7] Make config files in /var rewritable by Nix
---
files.nix | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/files.nix b/files.nix
index ee15e52..0083f70 100644
--- a/files.nix
+++ b/files.nix
@@ -26,12 +26,12 @@ in
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
 "d /var/lib/restic 0600 restic - - -"
- "f /var/lib/restic/pass 0400 restic - - ${resticPass}"
- "f /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
- (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
- "f /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
- (if cfg.nextcloud.enable then "f /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
- (if cfg.nextcloud.enable then "f /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
- "f /var/lib/cloudflare/Credentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
+ "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
+ "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
+ (if cfg.pleroma.enable then "f+ /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+ "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
+ (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
+ (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
+ "f+ /var/lib/cloudflare/Credentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
 ];
 }
From 0e60176b6e960df5c8335304fb40f1ff6f97a2a3 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Mon, 6 Dec 2021 10:43:24 +0300
Subject: [PATCH 7/7] Overwrite nextcloud protocol to https
---
nextcloud/nextcloud.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nextcloud/nextcloud.nix b/nextcloud/nextcloud.nix
index e6a9a7a..2cacf85 100644
--- a/nextcloud/nextcloud.nix
+++ b/nextcloud/nextcloud.nix
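Review bot: `f+` creates or truncates the file in all cases and then writes the argument, so the pleroma rule, whose argument is `-`, now empties `/var/lib/pleroma/secrets.exs` every time systemd-tmpfiles runs, whereas `f` left an existing file untouched. Only the rules that carry content (`${resticPass}`, `${rcloneConfig}`, `${domain}`, the two nextcloud passwords and `${cloudflareCredentials}`) gain anything from `f+`; the pleroma line should stay `(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")`, or be removed if the secrets file is produced elsewhere. While that line is being touched, its mode `0755` is world-readable for a secrets file; `0600` would be appropriate unless pleroma needs otherwise, which I cannot tell from this hunk.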
@@ -18,7 +18,7 @@ in config = { # Further forces Nextcloud to use HTTPS - overwriteProtocol = "http"; + overwriteProtocol = "https"; # Nextcloud PostegreSQL database configuration, recommended over using SQLite dbtype = "sqlite";