SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 17 Pull Requests 1 Projects Releases Wiki Activity

selfprivacy.userdata -> selfprivacy; SP modules -> selfprivacy.modules

pull/55/head
Alexander Tomokhov 2023-11-16 04:00:11 +04:00
parent f4fb0a9ce8
commit 80447abb2e
21 changed files with 80 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/api.nix
View File

@ -2,8 +2,8 @@
{
services.selfprivacy-api = {
enable = true;
enableSwagger = config.selfprivacy.userdata.api.enableSwagger;
b2Bucket = config.selfprivacy.userdata.backup.bucket;
enableSwagger = config.selfprivacy.api.enableSwagger;
b2Bucket = config.selfprivacy.backup.bucket;
};
users.users."selfprivacy-api" = {

2
backup/restic.nix
View File

@ -1,6 +1,6 @@
{ config, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
services.restic.backups = {

20
configuration.nix
View File

@ -37,11 +37,11 @@
};
};
services.do-agent.enable = if config.selfprivacy.userdata.server.provider == "DIGITALOCEAN" then true else false;
services.do-agent.enable = if config.selfprivacy.server.provider == "DIGITALOCEAN" then true else false;
boot.cleanTmpDir = true;
networking = {
hostName = config.selfprivacy.userdata.hostname;
hostName = config.selfprivacy.hostname;
usePredictableInterfaceNames = false;
firewall = {
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
@ -53,12 +53,12 @@
};
nameservers = [ "1.1.1.1" "1.0.0.1" ];
};
time.timeZone = config.selfprivacy.userdata.timezone;
time.timeZone = config.selfprivacy.timezone;
i18n.defaultLocale = "en_GB.UTF-8";
users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.userdata.ssh.rootKeys;
users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.ssh.rootKeys;
services.openssh = {
enable = config.selfprivacy.userdata.ssh.enable;
passwordAuthentication = config.selfprivacy.userdata.ssh.passwordAuthentication;
enable = config.selfprivacy.ssh.enable;
passwordAuthentication = config.selfprivacy.ssh.passwordAuthentication;
permitRootLogin = "yes";
openFirewall = false;
};
@ -71,14 +71,14 @@
jq
];
environment.variables = {
DOMAIN = config.selfprivacy.userdata.domain;
DOMAIN = config.selfprivacy.domain;
};
system.autoUpgrade = {
enable = config.selfprivacy.userdata.autoUpgrade.enable;
allowReboot = config.selfprivacy.userdata.autoUpgrade.allowReboot;
enable = config.selfprivacy.autoUpgrade.enable;
allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
};
system.stateVersion = config.selfprivacy.userdata.stateVersion;
system.stateVersion = config.selfprivacy.stateVersion;
nix = {
optimise.automatic = true;
gc = {

2
files.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
CLOUDFLARE = ''

2
git/gitea.nix
View File

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
fileSystems = lib.mkIf cfg.useBinds {

2
letsencrypt/acme.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
users.groups.acmerecievers = {

2
letsencrypt/resolve.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, ... }:
let
domain = config.selfprivacy.userdata.domain;
domain = config.selfprivacy.domain;
in
{
systemd = {

2
passmgr/bitwarden.nix
View File

@ -1,6 +1,6 @@
{ pkgs, lib, config, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
fileSystems = lib.mkIf cfg.useBinds {

2
social/pleroma.nix
View File

@ -1,6 +1,6 @@
{ pkgs, lib, config, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
fileSystems = lib.mkIf cfg.useBinds {

6
sp-modules/nextcloud/config-paths-needed.json
View File

@ -1,5 +1,5 @@
[
[ "selfprivacy", "userdata", "domain" ],
[ "selfprivacy", "userdata", "nextcloud" ],
[ "selfprivacy", "userdata", "useBinds" ]
[ "selfprivacy", "domain" ],
[ "selfprivacy", "useBinds" ],
[ "selfprivacy", "modules", "nextcloud" ]
]

20
sp-modules/nextcloud/module.nix
View File

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
{
options.selfprivacy.userdata.nextcloud = with lib; {
options.selfprivacy.modules.nextcloud = with lib; {
enable = mkOption {
type = types.nullOr types.bool;
default = false;
@ -13,13 +13,13 @@
config =
let
cfg = config.selfprivacy.userdata;
secrets-filepath = "/etc/nixos/userdata/userdata.json";
sp = config.selfprivacy;
secrets-filepath = "/etc/selfprivacy/secrets.json";
db-pass-filepath = "/var/lib/nextcloud/db-pass";
admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
hostName = "cloud.${cfg.domain}";
hostName = "cloud.${sp.domain}";
in
lib.mkIf cfg.nextcloud.enable
lib.mkIf sp.modules.nextcloud.enable
{
system.activationScripts.nextcloudSecrets = ''
mkdir -p /var/lib/nextcloud
@ -31,9 +31,9 @@
chmod 0440 ${admin-pass-filepath}
chown nextcloud:nextcloud ${admin-pass-filepath}
'';
fileSystems = lib.mkIf cfg.useBinds {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${cfg.nextcloud.location}/nextcloud";
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
options = [ "bind" ];
};
};
@ -64,8 +64,8 @@
};
};
services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${cfg.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
@ -86,7 +86,7 @@
}
# FIXME do we really want to delete passwords on module deactivation!?
//
lib.mkIf (!cfg.nextcloud.enable) {
lib.mkIf (!sp.modules.nextcloud.enable) {
system.activationScripts.nextcloudSecrets =
lib.trivial.warn
(

16
sp-modules/simple-nixos-mailserver/config-paths-needed.json
View File

@ -1,16 +1,16 @@
[
[ "mailserver" ],
[ "selfprivacy", "userdata", "domain" ],
[ "selfprivacy", "userdata", "email" ],
[ "selfprivacy", "userdata", "hashedMasterPassword" ],
[ "selfprivacy", "userdata", "simple-nixos-mailserver" ],
[ "selfprivacy", "userdata", "useBinds" ],
[ "selfprivacy", "userdata", "username" ],
[ "selfprivacy", "userdata", "users" ],
[ "selfprivacy", "domain" ],
[ "selfprivacy", "email" ],
[ "selfprivacy", "hashedMasterPassword" ],
[ "selfprivacy", "useBinds" ],
[ "selfprivacy", "username" ],
[ "selfprivacy", "users" ],
[ "services", "dovecot2" ],
[ "services", "opendkim" ],
[ "services", "postfix", "group" ],
[ "services", "postfix", "user" ],
[ "services", "redis" ],
[ "services", "rspamd" ]
[ "services", "rspamd" ],
[ "selfprivacy", "modules", "simple-nixos-mailserver" ]
]

48
sp-modules/simple-nixos-mailserver/config.nix
View File

@ -1,37 +1,37 @@
{ config, lib, ... }:
let
cfg = config.selfprivacy.userdata;
sp = config.selfprivacy;
in
{
fileSystems = lib.mkIf
(cfg.simple-nixos-mailserver.enable && cfg.useBinds)
{
"/var/vmail" = {
device = "/volumes/${cfg.email.location}/vmail";
options = [ "bind" ];
fileSystems =
lib.mkIf (sp.modules.simple-nixos-mailserver.enable && sp.useBinds)
{
"/var/vmail" = {
device = "/volumes/${sp.email.location}/vmail";
options = [ "bind" ];
};
"/var/sieve" = {
device = "/volumes/${sp.email.location}/sieve";
options = [ "bind" ];
};
};
"/var/sieve" = {
device = "/volumes/${cfg.email.location}/sieve";
options = [ "bind" ];
};
};
users.users = lib.mkIf cfg.simple-nixos-mailserver.enable {
users.users = lib.mkIf sp.modules.simple-nixos-mailserver.enable {
virtualMail = {
isNormalUser = false;
};
};
selfprivacy.userdata.simple-nixos-mailserver =
lib.mkIf cfg.simple-nixos-mailserver.enable {
fqdn = cfg.domain;
domains = [ cfg.domain ];
selfprivacy.modules.simple-nixos-mailserver =
lib.mkIf sp.modules.simple-nixos-mailserver.enable {
fqdn = sp.domain;
domains = [ sp.domain ];
# A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password"
loginAccounts = {
"${cfg.username}@${cfg.domain}" = {
hashedPassword = cfg.hashedMasterPassword;
"${sp.username}@${sp.domain}" = {
hashedPassword = sp.hashedMasterPassword;
sieveScript = ''
require ["fileinto", "mailbox"];
if header :contains "Chat-Version" "1.0"
@ -43,7 +43,7 @@ in
};
} // builtins.listToAttrs (builtins.map
(user: {
name = "${user.username}@${cfg.domain}";
name = "${user.username}@${sp.domain}";
value = {
hashedPassword = user.hashedPassword;
sieveScript = ''
@ -56,15 +56,15 @@ in
'';
};
})
cfg.users);
sp.users);
extraVirtualAliases = {
"admin@${cfg.domain}" = "${cfg.username}@${cfg.domain}";
"admin@${sp.domain}" = "${sp.username}@${sp.domain}";
};
certificateScheme = "manual";
certificateFile = "/var/lib/acme/${cfg.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${cfg.domain}/key.pem";
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
# Enable IMAP and POP3
enableImap = true;

4
sp-modules/simple-nixos-mailserver/flake.nix
View File

@ -13,10 +13,10 @@
module // {
imports = module.imports ++ [
./config.nix
{ mailserver = config.selfprivacy.userdata.simple-nixos-mailserver; }
{ mailserver = config.selfprivacy.modules.simple-nixos-mailserver; }
];
options = module.options // {
selfprivacy.userdata.simple-nixos-mailserver =
selfprivacy.modules.simple-nixos-mailserver =
module.options.mailserver;
};
};

6
userdata-variables.nix
View File

@ -1,6 +1,6 @@
jsonData: { lib, ... }:
{
selfprivacy.userdata = jsonData // {
selfprivacy = jsonData // {
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
@ -12,10 +12,6 @@ jsonData: { lib, ... }:
username = lib.attrsets.attrByPath [ "username" ] null jsonData;
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
api = {
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
};
dns = {
provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;

4
users.nix
View File

@ -1,6 +1,6 @@
{ pkgs, config, ... }:
{ config, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
users.mutableUsers = false;

6
variables-module.nix
View File

@ -2,7 +2,7 @@
with lib;
{
options.selfprivacy.userdata = {
options.selfprivacy = {
# General server options
hostname = mkOption {
description = "The hostname of the server.";
@ -205,5 +205,9 @@ with lib;
default = false;
description = "Whether to bind-mount vmail and sieve folders";
};
##############
# Modules #
##############
# modules =
};
}

4
videomeet/jitsi.nix
View File

@ -1,8 +1,8 @@
{ config, ... }:
{
services.jitsi-meet = {
enable = config.selfprivacy.userdata.jitsi.enable;
hostName = "meet.${config.selfprivacy.userdata.domain}";
enable = config.selfprivacy.jitsi.enable;
hostName = "meet.${config.selfprivacy.domain}";
nginx.enable = true;
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;

2
volumes.nix
View File

@ -1,6 +1,6 @@
{ config, ... }:
let
cfg = config.selfprivacy.userdata;
cfg = config.selfprivacy;
in
{
fileSystems = builtins.listToAttrs (builtins.map

4
vpn/ocserv.nix
View File

@ -1,6 +1,6 @@
{ config, ... }:
let
domain = config.selfprivacy.userdata.domain;
domain = config.selfprivacy.domain;
in
{
users.groups.ocserv = {
@ -13,7 +13,7 @@ in
group = "ocserv";
};
services.ocserv = {
enable = config.selfprivacy.userdata.ocserv.enable;
enable = config.selfprivacy.ocserv.enable;
config = ''
socket-file = /var/run/ocserv-socket

2
webserver/nginx.nix
View File

@ -1,6 +1,6 @@
{ config, lib, ... }:
let
domain = config.selfprivacy.userdata.domain;
domain = config.selfprivacy.domain;
in
{
services.nginx = {