diff --git a/api/api.nix b/api/api.nix
index 8451739..08d6a08 100644
--- a/api/api.nix
+++ b/api/api.nix
@@ -2,8 +2,8 @@
 {
 services.selfprivacy-api = {
 enable = true;
- enableSwagger = config.selfprivacy.userdata.api.enableSwagger;
- b2Bucket = config.selfprivacy.userdata.backup.bucket;
+ enableSwagger = config.selfprivacy.api.enableSwagger;
+ b2Bucket = config.selfprivacy.backup.bucket;
 };
 
 users.users."selfprivacy-api" = {
diff --git a/backup/restic.nix b/backup/restic.nix
index 7e43d2d..71b9534 100644
--- a/backup/restic.nix
+++ b/backup/restic.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 services.restic.backups = {
diff --git a/configuration.nix b/configuration.nix
index cd9d9b4..bd43b47 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -37,11 +37,11 @@
 };
 };
 
- services.do-agent.enable = if config.selfprivacy.userdata.server.provider == "DIGITALOCEAN" then true else false;
+ services.do-agent.enable = if config.selfprivacy.server.provider == "DIGITALOCEAN" then true else false;
 
 boot.cleanTmpDir = true;
 networking = {
- hostName = config.selfprivacy.userdata.hostname;
+ hostName = config.selfprivacy.hostname;
 usePredictableInterfaceNames = false;
 firewall = {
 allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
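Review bot: `enableSwagger = config.selfprivacy.api.enableSwagger;` now reads a path that this same diff stops normalising: the userdata-variables.nix hunk deletes the `api = { enableSwagger = … false …; skippedMigrations = … }` block that previously supplied `false` whenever the JSON had no such key. After the commit the value comes either from a raw `api` key passed straight through by `jsonData // { … }` or from whatever default `options.selfprivacy.api.enableSwagger` declares in variables-module.nix, which is outside this diff; if neither exists evaluation fails. Worth confirming that the option declaration carries `default = false;` so the Swagger UI stays off unless explicitly requested, and that the dropped `skippedMigrations` default has no remaining reader. The `services.selfprivacy-api` attribute set continues outside the hunk.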
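Review bot: `services.do-agent.enable = if config.selfprivacy.server.provider == "DIGITALOCEAN" then true else false;` carries the rename but keeps a redundant conditional; the comparison already yields a boolean, so `services.do-agent.enable = config.selfprivacy.server.provider == "DIGITALOCEAN";` says the same thing in half the width. The surrounding module attribute set starts and ends outside the hunk.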
@@ -53,12 +53,12 @@
 };
 nameservers = [ "1.1.1.1" "1.0.0.1" ];
 };
- time.timeZone = config.selfprivacy.userdata.timezone;
+ time.timeZone = config.selfprivacy.timezone;
 i18n.defaultLocale = "en_GB.UTF-8";
- users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.userdata.ssh.rootKeys;
+ users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.ssh.rootKeys;
 services.openssh = {
- enable = config.selfprivacy.userdata.ssh.enable;
- passwordAuthentication = config.selfprivacy.userdata.ssh.passwordAuthentication;
+ enable = config.selfprivacy.ssh.enable;
+ passwordAuthentication = config.selfprivacy.ssh.passwordAuthentication;
 permitRootLogin = "yes";
 openFirewall = false;
 };
@@ -71,14 +71,14 @@
 jq
 ];
 environment.variables = {
- DOMAIN = config.selfprivacy.userdata.domain;
+ DOMAIN = config.selfprivacy.domain;
 };
 system.autoUpgrade = {
- enable = config.selfprivacy.userdata.autoUpgrade.enable;
- allowReboot = config.selfprivacy.userdata.autoUpgrade.allowReboot;
+ enable = config.selfprivacy.autoUpgrade.enable;
+ allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
 channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
 };
- system.stateVersion = config.selfprivacy.userdata.stateVersion;
+ system.stateVersion = config.selfprivacy.stateVersion;
 nix = {
 optimise.automatic = true;
 gc = {
diff --git a/files.nix b/files.nix
index 7e08095..fb38310 100644
--- a/files.nix
+++ b/files.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 dnsCredentialsTemplates = {
 DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
 CLOUDFLARE = ''
diff --git a/git/gitea.nix b/git/gitea.nix
index 7046265..ebdd8b1 100644
--- a/git/gitea.nix
+++ b/git/gitea.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 fileSystems = lib.mkIf cfg.useBinds {
diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index 1ead308..11bca99 100644
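Review bot: The renamed `passwordAuthentication = config.selfprivacy.ssh.passwordAuthentication;` sits next to the unchanged `permitRootLogin = "yes";`, so after this commit the declared default of `selfprivacy.ssh.passwordAuthentication` in variables-module.nix (not part of this diff) alone decides whether root can authenticate with a password when the user's JSON omits the key. The rename itself is correct; what is missing is a note of that dependency, e.g. a comment above the `services.openssh` block reading `# root login is key-only unless selfprivacy.ssh.passwordAuthentication is set in userdata`, added once the option's default has been confirmed to be false. The top-level module attribute set continues outside the hunk.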
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 users.groups.acmerecievers = {
diff --git a/letsencrypt/resolve.nix b/letsencrypt/resolve.nix
index 3b4985f..f1da07d 100644
--- a/letsencrypt/resolve.nix
+++ b/letsencrypt/resolve.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
- domain = config.selfprivacy.userdata.domain;
+ domain = config.selfprivacy.domain;
 in
 {
 systemd = {
diff --git a/passmgr/bitwarden.nix b/passmgr/bitwarden.nix
index 725b96f..532e170 100644
--- a/passmgr/bitwarden.nix
+++ b/passmgr/bitwarden.nix
@@ -1,6 +1,6 @@
 { pkgs, lib, config, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 fileSystems = lib.mkIf cfg.useBinds {
diff --git a/social/pleroma.nix b/social/pleroma.nix
index 873af38..c975ae7 100644
--- a/social/pleroma.nix
+++ b/social/pleroma.nix
@@ -1,6 +1,6 @@
 { pkgs, lib, config, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 fileSystems = lib.mkIf cfg.useBinds {
diff --git a/sp-modules/nextcloud/config-paths-needed.json b/sp-modules/nextcloud/config-paths-needed.json
index 7425822..5c2a9fc 100644
--- a/sp-modules/nextcloud/config-paths-needed.json
+++ b/sp-modules/nextcloud/config-paths-needed.json
@@ -1,5 +1,5 @@
 [
- [ "selfprivacy", "userdata", "domain" ],
- [ "selfprivacy", "userdata", "nextcloud" ],
- [ "selfprivacy", "userdata", "useBinds" ]
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "useBinds" ],
+ [ "selfprivacy", "modules", "nextcloud" ]
 ]
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index 770c978..e8a06ba 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
- options.selfprivacy.userdata.nextcloud = with lib; {
+ options.selfprivacy.modules.nextcloud = with lib; {
 enable = mkOption {
 type = types.nullOr types.bool;
 default = false;
@@ -13,13 +13,13 @@
 
 config =
 let
- cfg = config.selfprivacy.userdata;
- secrets-filepath = "/etc/nixos/userdata/userdata.json";
+ sp = config.selfprivacy;
+ secrets-filepath = "/etc/selfprivacy/secrets.json";
 db-pass-filepath = "/var/lib/nextcloud/db-pass";
 admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
- hostName = "cloud.${cfg.domain}";
+ hostName = "cloud.${sp.domain}";
 in
- lib.mkIf cfg.nextcloud.enable
+ lib.mkIf sp.modules.nextcloud.enable
 {
 system.activationScripts.nextcloudSecrets = ''
 mkdir -p /var/lib/nextcloud
@@ -31,9 +31,9 @@
 chmod 0440 ${admin-pass-filepath}
 chown nextcloud:nextcloud ${admin-pass-filepath}
 '';
- fileSystems = lib.mkIf cfg.useBinds {
+ fileSystems = lib.mkIf sp.useBinds {
 "/var/lib/nextcloud" = {
- device = "/volumes/${cfg.nextcloud.location}/nextcloud";
+ device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
 options = [ "bind" ];
 };
 };
@@ -64,8 +64,8 @@
 };
 };
 services.nginx.virtualHosts.${hostName} = {
- sslCertificate = "/var/lib/acme/${cfg.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
+ sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
 forceSSL = true;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
@@ -86,7 +86,7 @@
 }
 # FIXME do we really want to delete passwords on module deactivation!?
 //
- lib.mkIf (!cfg.nextcloud.enable) {
+ lib.mkIf (!sp.modules.nextcloud.enable) {
 system.activationScripts.nextcloudSecrets =
 lib.trivial.warn
 (
diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
index f58904f..2fad79c 100644
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
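Review bot: `secrets-filepath = "/etc/selfprivacy/secrets.json";` moves the secrets source away from `/etc/nixos/userdata/userdata.json`, but nothing in this hunk or elsewhere in the diff creates the new file or migrates the old one, and the activation script that consumes `secrets-filepath` runs on past the hunk, so a missing or world-readable file at the new path would only show up at activation time. I would pin the contract next to the binding with a comment such as `# NOTE: provisioned outside this module -- confirm who writes it and with what permissions`, and check whether the simple-nixos-mailserver module reads secrets through the same path (not visible in this diff). The `config = let … in` expression begins in this hunk and its body continues beyond it.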
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -1,16 +1,16 @@
 [
 [ "mailserver" ],
- [ "selfprivacy", "userdata", "domain" ],
- [ "selfprivacy", "userdata", "email" ],
- [ "selfprivacy", "userdata", "hashedMasterPassword" ],
- [ "selfprivacy", "userdata", "simple-nixos-mailserver" ],
- [ "selfprivacy", "userdata", "useBinds" ],
- [ "selfprivacy", "userdata", "username" ],
- [ "selfprivacy", "userdata", "users" ],
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "email" ],
+ [ "selfprivacy", "hashedMasterPassword" ],
+ [ "selfprivacy", "useBinds" ],
+ [ "selfprivacy", "username" ],
+ [ "selfprivacy", "users" ],
 [ "services", "dovecot2" ],
 [ "services", "opendkim" ],
 [ "services", "postfix", "group" ],
 [ "services", "postfix", "user" ],
 [ "services", "redis" ],
- [ "services", "rspamd" ]
+ [ "services", "rspamd" ],
+ [ "selfprivacy", "modules", "simple-nixos-mailserver" ]
 ]
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index e4ad443..8cc3364 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -1,37 +1,37 @@
 { config, lib, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ sp = config.selfprivacy;
 in
 {
- fileSystems = lib.mkIf
- (cfg.simple-nixos-mailserver.enable && cfg.useBinds)
- {
- "/var/vmail" = {
- device = "/volumes/${cfg.email.location}/vmail";
- options = [ "bind" ];
+ fileSystems =
+ lib.mkIf (sp.modules.simple-nixos-mailserver.enable && sp.useBinds)
+ {
+ "/var/vmail" = {
+ device = "/volumes/${sp.email.location}/vmail";
+ options = [ "bind" ];
+ };
+ "/var/sieve" = {
+ device = "/volumes/${sp.email.location}/sieve";
+ options = [ "bind" ];
+ };
 };
- "/var/sieve" = {
- device = "/volumes/${cfg.email.location}/sieve";
- options = [ "bind" ];
- };
- };
 
- users.users = lib.mkIf cfg.simple-nixos-mailserver.enable {
+ users.users = lib.mkIf sp.modules.simple-nixos-mailserver.enable {
 virtualMail = {
 isNormalUser = false;
 };
 };
 
- selfprivacy.userdata.simple-nixos-mailserver =
- lib.mkIf cfg.simple-nixos-mailserver.enable {
- fqdn = cfg.domain;
- domains = [ cfg.domain ];
+ selfprivacy.modules.simple-nixos-mailserver =
+ lib.mkIf sp.modules.simple-nixos-mailserver.enable {
+ fqdn = sp.domain;
+ domains = [ sp.domain ];
 
 # A list of all login accounts. To create the password hashes, use
 # mkpasswd -m sha-512 "super secret password"
 loginAccounts = {
- "${cfg.username}@${cfg.domain}" = {
- hashedPassword = cfg.hashedMasterPassword;
+ "${sp.username}@${sp.domain}" = {
+ hashedPassword = sp.hashedMasterPassword;
 sieveScript = ''
 require ["fileinto", "mailbox"];
 if header :contains "Chat-Version" "1.0"
@@ -43,7 +43,7 @@ in
 };
 } // builtins.listToAttrs (builtins.map
 (user: {
- name = "${user.username}@${cfg.domain}";
+ name = "${user.username}@${sp.domain}";
 value = {
 hashedPassword = user.hashedPassword;
 sieveScript = ''
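Review bot: The `fileSystems` block is rewritten only to pull `lib.mkIf (…)` onto one line and re-indent the two bind mounts, which turns an otherwise mechanical `cfg` → `sp` rename into eleven removed and eleven added lines and buries the one semantic change, the new `sp.modules.simple-nixos-mailserver.enable` path. Keeping the layout change in its own commit, or leaving the original layout, would let the rename be checked line by line. Separately, `selfprivacy.modules.simple-nixos-mailserver = lib.mkIf sp.modules.simple-nixos-mailserver.enable { … }` reads `enable` from the very option set it defines; that is fine as long as the set never assigns `enable` itself, and a one-line comment saying so, e.g. `# reads .enable from the option set being defined; never set enable here or evaluation recurses`, would protect the next edit. The attribute set continues past the hunk.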
@@ -56,15 +56,15 @@ in
 '';
 };
 })
- cfg.users);
+ sp.users);
 
 extraVirtualAliases = {
- "admin@${cfg.domain}" = "${cfg.username}@${cfg.domain}";
+ "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
 };
 
 certificateScheme = "manual";
- certificateFile = "/var/lib/acme/${cfg.domain}/fullchain.pem";
- keyFile = "/var/lib/acme/${cfg.domain}/key.pem";
+ certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ keyFile = "/var/lib/acme/${sp.domain}/key.pem";
 
 # Enable IMAP and POP3
 enableImap = true;
diff --git a/sp-modules/simple-nixos-mailserver/flake.nix b/sp-modules/simple-nixos-mailserver/flake.nix
index cdd915b..d0c6e18 100644
--- a/sp-modules/simple-nixos-mailserver/flake.nix
+++ b/sp-modules/simple-nixos-mailserver/flake.nix
@@ -13,10 +13,10 @@
 module // {
 imports = module.imports ++ [
 ./config.nix
- { mailserver = config.selfprivacy.userdata.simple-nixos-mailserver; }
+ { mailserver = config.selfprivacy.modules.simple-nixos-mailserver; }
 ];
 options = module.options // {
- selfprivacy.userdata.simple-nixos-mailserver =
+ selfprivacy.modules.simple-nixos-mailserver =
 module.options.mailserver;
 };
 };
diff --git a/userdata-variables.nix b/userdata-variables.nix
index 317ed78..ebb1ff3 100644
--- a/userdata-variables.nix
+++ b/userdata-variables.nix
@@ -1,6 +1,6 @@
 jsonData: { lib, ... }:
 {
- selfprivacy.userdata = jsonData // {
+ selfprivacy = jsonData // {
 hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
 domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
 timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
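Review bot: `selfprivacy = jsonData // { … }` now merges the raw user JSON at the root of the `selfprivacy` option tree instead of under `userdata`, so every top-level key of the JSON becomes a definition of `selfprivacy.<key>`: a key with no matching `mkOption` in variables-module.nix is rejected by the module system as an undeclared option, and a `modules` key in the JSON now lands directly on the `selfprivacy.modules.*` options that the nextcloud and mailserver modules declare elsewhere in this diff. That is presumably the intent, but it makes the JSON schema and the option tree one and the same, which deserves a comment at the binding, e.g. `# jsonData keys are merged 1:1 into selfprivacy.*; undeclared keys fail evaluation, the overrides below only normalise defaults`. The merged attribute set continues outside the hunk.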
@@ -12,10 +12,6 @@ jsonData: { lib, ... }:
 username = lib.attrsets.attrByPath [ "username" ] null jsonData;
 hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
 sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
- api = {
- enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
- skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
- };
 dns = {
 provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
 useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
diff --git a/users.nix b/users.nix
index bd3e9ca..4d25f02 100644
--- a/users.nix
+++ b/users.nix
@@ -1,6 +1,6 @@
-{ pkgs, config, ... }:
+{ config, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 users.mutableUsers = false;
diff --git a/variables-module.nix b/variables-module.nix
index dd47997..bdd4745 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -2,7 +2,7 @@
 with lib;
 
 {
- options.selfprivacy.userdata = {
+ options.selfprivacy = {
 # General server options
 hostname = mkOption {
 description = "The hostname of the server.";
@@ -205,5 +205,9 @@ with lib;
 default = false;
 description = "Whether to bind-mount vmail and sieve folders";
 };
+ ##############
+ # Modules #
+ ##############
+ # modules =
 };
 }
diff --git a/videomeet/jitsi.nix b/videomeet/jitsi.nix
index 77a7fc8..825df75 100644
--- a/videomeet/jitsi.nix
+++ b/videomeet/jitsi.nix
@@ -1,8 +1,8 @@
 { config, ... }:
 {
 services.jitsi-meet = {
- enable = config.selfprivacy.userdata.jitsi.enable;
- hostName = "meet.${config.selfprivacy.userdata.domain}";
+ enable = config.selfprivacy.jitsi.enable;
+ hostName = "meet.${config.selfprivacy.domain}";
 nginx.enable = true;
 interfaceConfig = {
 SHOW_JITSI_WATERMARK = false;
diff --git a/volumes.nix b/volumes.nix
index ba0b4ef..f991579 100644
--- a/volumes.nix
+++ b/volumes.nix
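Review bot: The added `# modules =` under the `# Modules #` banner is a commented-out placeholder with no declaration behind it, while the actual `selfprivacy.modules.*` options are declared by the modules themselves in this same diff (`options.selfprivacy.modules.nextcloud` in sp-modules/nextcloud/module.nix and `selfprivacy.modules.simple-nixos-mailserver` in sp-modules/simple-nixos-mailserver/flake.nix). Either drop the placeholder or make the banner a pointer so a reader does not hunt for the declaration here, e.g. `# Per-module options live under selfprivacy.modules.<name> and are declared by each module in sp-modules/<name>`. The `options.selfprivacy` set opens outside the hunk.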
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- cfg = config.selfprivacy.userdata;
+ cfg = config.selfprivacy;
 in
 {
 fileSystems = builtins.listToAttrs (builtins.map
diff --git a/vpn/ocserv.nix b/vpn/ocserv.nix
index 91ffda7..f8af798 100644
--- a/vpn/ocserv.nix
+++ b/vpn/ocserv.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- domain = config.selfprivacy.userdata.domain;
+ domain = config.selfprivacy.domain;
 in
 {
 users.groups.ocserv = {
@@ -13,7 +13,7 @@ in
 group = "ocserv";
 };
 
 services.ocserv = {
- enable = config.selfprivacy.userdata.ocserv.enable;
+ enable = config.selfprivacy.ocserv.enable;
 config = ''
 socket-file = /var/run/ocserv-socket
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 7cb19aa..5284a43 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
 let
- domain = config.selfprivacy.userdata.domain;
+ domain = config.selfprivacy.domain;
 in
 {
 services.nginx = {