SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 19 Pull Requests 1 Projects Releases Wiki Activity

selfprivacy.userdata -> selfprivacy; SP modules -> selfprivacy.modules

pull/55/head
Alexander Tomokhov 2023-11-16 04:00:11 +04:00
parent f4fb0a9ce8
commit 80447abb2e
21 changed files with 80 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/api.nix
View File

@ -2,8 +2,8 @@
{ {
services.selfprivacy-api = { services.selfprivacy-api = {
enable = true; enable = true;
enableSwagger = config.selfprivacy.userdata.api.enableSwagger; enableSwagger = config.selfprivacy.api.enableSwagger;
b2Bucket = config.selfprivacy.userdata.backup.bucket; b2Bucket = config.selfprivacy.backup.bucket;
}; };
users.users."selfprivacy-api" = { users.users."selfprivacy-api" = {

2
backup/restic.nix
View File

@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
services.restic.backups = { services.restic.backups = {

20
configuration.nix
View File

@ -37,11 +37,11 @@
}; };
}; };
services.do-agent.enable = if config.selfprivacy.userdata.server.provider == "DIGITALOCEAN" then true else false; services.do-agent.enable = if config.selfprivacy.server.provider == "DIGITALOCEAN" then true else false;
boot.cleanTmpDir = true; boot.cleanTmpDir = true;
networking = { networking = {
hostName = config.selfprivacy.userdata.hostname; hostName = config.selfprivacy.hostname;
usePredictableInterfaceNames = false; usePredictableInterfaceNames = false;
firewall = { firewall = {
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ]; allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
@ -53,12 +53,12 @@
}; };
nameservers = [ "1.1.1.1" "1.0.0.1" ]; nameservers = [ "1.1.1.1" "1.0.0.1" ];
}; };
time.timeZone = config.selfprivacy.userdata.timezone; time.timeZone = config.selfprivacy.timezone;
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.userdata.ssh.rootKeys; users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.ssh.rootKeys;
services.openssh = { services.openssh = {
enable = config.selfprivacy.userdata.ssh.enable; enable = config.selfprivacy.ssh.enable;
passwordAuthentication = config.selfprivacy.userdata.ssh.passwordAuthentication; passwordAuthentication = config.selfprivacy.ssh.passwordAuthentication;
permitRootLogin = "yes"; permitRootLogin = "yes";
openFirewall = false; openFirewall = false;
}; };
@ -71,14 +71,14 @@
jq jq
]; ];
environment.variables = { environment.variables = {
DOMAIN = config.selfprivacy.userdata.domain; DOMAIN = config.selfprivacy.domain;
}; };
system.autoUpgrade = { system.autoUpgrade = {
enable = config.selfprivacy.userdata.autoUpgrade.enable; enable = config.selfprivacy.autoUpgrade.enable;
allowReboot = config.selfprivacy.userdata.autoUpgrade.allowReboot; allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
channel = "https://channel.selfprivacy.org/nixos-selfpricacy"; channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
}; };
system.stateVersion = config.selfprivacy.userdata.stateVersion; system.stateVersion = config.selfprivacy.stateVersion;
nix = { nix = {
optimise.automatic = true; optimise.automatic = true;
gc = { gc = {

2
files.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
dnsCredentialsTemplates = { dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME"; DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
CLOUDFLARE = '' CLOUDFLARE = ''

2
git/gitea.nix
View File

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
fileSystems = lib.mkIf cfg.useBinds { fileSystems = lib.mkIf cfg.useBinds {

2
letsencrypt/acme.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
users.groups.acmerecievers = { users.groups.acmerecievers = {

2
letsencrypt/resolve.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
domain = config.selfprivacy.userdata.domain; domain = config.selfprivacy.domain;
in in
{ {
systemd = { systemd = {

2
passmgr/bitwarden.nix
View File

@ -1,6 +1,6 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
fileSystems = lib.mkIf cfg.useBinds { fileSystems = lib.mkIf cfg.useBinds {

2
social/pleroma.nix
View File

@ -1,6 +1,6 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
fileSystems = lib.mkIf cfg.useBinds { fileSystems = lib.mkIf cfg.useBinds {

6
sp-modules/nextcloud/config-paths-needed.json
View File

@ -1,5 +1,5 @@
[ [
[ "selfprivacy", "userdata", "domain" ], [ "selfprivacy", "domain" ],
[ "selfprivacy", "userdata", "nextcloud" ], [ "selfprivacy", "useBinds" ],
[ "selfprivacy", "userdata", "useBinds" ] [ "selfprivacy", "modules", "nextcloud" ]
] ]

20
sp-modules/nextcloud/module.nix
View File

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
options.selfprivacy.userdata.nextcloud = with lib; { options.selfprivacy.modules.nextcloud = with lib; {
enable = mkOption { enable = mkOption {
type = types.nullOr types.bool; type = types.nullOr types.bool;
default = false; default = false;
@ -13,13 +13,13 @@
config = config =
let let
cfg = config.selfprivacy.userdata; sp = config.selfprivacy;
secrets-filepath = "/etc/nixos/userdata/userdata.json"; secrets-filepath = "/etc/selfprivacy/secrets.json";
db-pass-filepath = "/var/lib/nextcloud/db-pass"; db-pass-filepath = "/var/lib/nextcloud/db-pass";
admin-pass-filepath = "/var/lib/nextcloud/admin-pass"; admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
hostName = "cloud.${cfg.domain}"; hostName = "cloud.${sp.domain}";
in in
lib.mkIf cfg.nextcloud.enable lib.mkIf sp.modules.nextcloud.enable
{ {
system.activationScripts.nextcloudSecrets = '' system.activationScripts.nextcloudSecrets = ''
mkdir -p /var/lib/nextcloud mkdir -p /var/lib/nextcloud
@ -31,9 +31,9 @@
chmod 0440 ${admin-pass-filepath} chmod 0440 ${admin-pass-filepath}
chown nextcloud:nextcloud ${admin-pass-filepath} chown nextcloud:nextcloud ${admin-pass-filepath}
''; '';
fileSystems = lib.mkIf cfg.useBinds { fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = { "/var/lib/nextcloud" = {
device = "/volumes/${cfg.nextcloud.location}/nextcloud"; device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
options = [ "bind" ]; options = [ "bind" ];
}; };
}; };
@ -64,8 +64,8 @@
}; };
}; };
services.nginx.virtualHosts.${hostName} = { services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${cfg.domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -86,7 +86,7 @@
} }
# FIXME do we really want to delete passwords on module deactivation!? # FIXME do we really want to delete passwords on module deactivation!?
// //
lib.mkIf (!cfg.nextcloud.enable) { lib.mkIf (!sp.modules.nextcloud.enable) {
system.activationScripts.nextcloudSecrets = system.activationScripts.nextcloudSecrets =
lib.trivial.warn lib.trivial.warn
( (

16
sp-modules/simple-nixos-mailserver/config-paths-needed.json
View File

@ -1,16 +1,16 @@
[ [
[ "mailserver" ], [ "mailserver" ],
[ "selfprivacy", "userdata", "domain" ], [ "selfprivacy", "domain" ],
[ "selfprivacy", "userdata", "email" ], [ "selfprivacy", "email" ],
[ "selfprivacy", "userdata", "hashedMasterPassword" ], [ "selfprivacy", "hashedMasterPassword" ],
[ "selfprivacy", "userdata", "simple-nixos-mailserver" ], [ "selfprivacy", "useBinds" ],
[ "selfprivacy", "userdata", "useBinds" ], [ "selfprivacy", "username" ],
[ "selfprivacy", "userdata", "username" ], [ "selfprivacy", "users" ],
[ "selfprivacy", "userdata", "users" ],
[ "services", "dovecot2" ], [ "services", "dovecot2" ],
[ "services", "opendkim" ], [ "services", "opendkim" ],
[ "services", "postfix", "group" ], [ "services", "postfix", "group" ],
[ "services", "postfix", "user" ], [ "services", "postfix", "user" ],
[ "services", "redis" ], [ "services", "redis" ],
[ "services", "rspamd" ] [ "services", "rspamd" ],
[ "selfprivacy", "modules", "simple-nixos-mailserver" ]
] ]

48
sp-modules/simple-nixos-mailserver/config.nix
View File

@ -1,37 +1,37 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.selfprivacy.userdata; sp = config.selfprivacy;
in in
{ {
fileSystems = lib.mkIf fileSystems =
(cfg.simple-nixos-mailserver.enable && cfg.useBinds) lib.mkIf (sp.modules.simple-nixos-mailserver.enable && sp.useBinds)
{ {
"/var/vmail" = { "/var/vmail" = {
device = "/volumes/${cfg.email.location}/vmail"; device = "/volumes/${sp.email.location}/vmail";
options = [ "bind" ]; options = [ "bind" ];
};
"/var/sieve" = {
device = "/volumes/${sp.email.location}/sieve";
options = [ "bind" ];
};
}; };
"/var/sieve" = {
device = "/volumes/${cfg.email.location}/sieve";
options = [ "bind" ];
};
};
users.users = lib.mkIf cfg.simple-nixos-mailserver.enable { users.users = lib.mkIf sp.modules.simple-nixos-mailserver.enable {
virtualMail = { virtualMail = {
isNormalUser = false; isNormalUser = false;
}; };
}; };
selfprivacy.userdata.simple-nixos-mailserver = selfprivacy.modules.simple-nixos-mailserver =
lib.mkIf cfg.simple-nixos-mailserver.enable { lib.mkIf sp.modules.simple-nixos-mailserver.enable {
fqdn = cfg.domain; fqdn = sp.domain;
domains = [ cfg.domain ]; domains = [ sp.domain ];
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password" # mkpasswd -m sha-512 "super secret password"
loginAccounts = { loginAccounts = {
"${cfg.username}@${cfg.domain}" = { "${sp.username}@${sp.domain}" = {
hashedPassword = cfg.hashedMasterPassword; hashedPassword = sp.hashedMasterPassword;
sieveScript = '' sieveScript = ''
require ["fileinto", "mailbox"]; require ["fileinto", "mailbox"];
if header :contains "Chat-Version" "1.0" if header :contains "Chat-Version" "1.0"
@ -43,7 +43,7 @@ in
}; };
} // builtins.listToAttrs (builtins.map } // builtins.listToAttrs (builtins.map
(user: { (user: {
name = "${user.username}@${cfg.domain}"; name = "${user.username}@${sp.domain}";
value = { value = {
hashedPassword = user.hashedPassword; hashedPassword = user.hashedPassword;
sieveScript = '' sieveScript = ''
@ -56,15 +56,15 @@ in
''; '';
}; };
}) })
cfg.users); sp.users);
extraVirtualAliases = { extraVirtualAliases = {
"admin@${cfg.domain}" = "${cfg.username}@${cfg.domain}"; "admin@${sp.domain}" = "${sp.username}@${sp.domain}";
}; };
certificateScheme = "manual"; certificateScheme = "manual";
certificateFile = "/var/lib/acme/${cfg.domain}/fullchain.pem"; certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${cfg.domain}/key.pem"; keyFile = "/var/lib/acme/${sp.domain}/key.pem";
# Enable IMAP and POP3 # Enable IMAP and POP3
enableImap = true; enableImap = true;

4
sp-modules/simple-nixos-mailserver/flake.nix
View File

@ -13,10 +13,10 @@
module // { module // {
imports = module.imports ++ [ imports = module.imports ++ [
./config.nix ./config.nix
{ mailserver = config.selfprivacy.userdata.simple-nixos-mailserver; } { mailserver = config.selfprivacy.modules.simple-nixos-mailserver; }
]; ];
options = module.options // { options = module.options // {
selfprivacy.userdata.simple-nixos-mailserver = selfprivacy.modules.simple-nixos-mailserver =
module.options.mailserver; module.options.mailserver;
}; };
}; };

6
userdata-variables.nix
View File

@ -1,6 +1,6 @@
jsonData: { lib, ... }: jsonData: { lib, ... }:
{ {
selfprivacy.userdata = jsonData // { selfprivacy = jsonData // {
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData; hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData; domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData; timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
@ -12,10 +12,6 @@ jsonData: { lib, ... }:
username = lib.attrsets.attrByPath [ "username" ] null jsonData; username = lib.attrsets.attrByPath [ "username" ] null jsonData;
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData; hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData; sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
api = {
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
};
dns = { dns = {
provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData; provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData; useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;

4
users.nix
View File

@ -1,6 +1,6 @@
{ pkgs, config, ... }: { config, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
users.mutableUsers = false; users.mutableUsers = false;

6
variables-module.nix
View File

@ -2,7 +2,7 @@
with lib; with lib;
{ {
options.selfprivacy.userdata = { options.selfprivacy = {
# General server options # General server options
hostname = mkOption { hostname = mkOption {
description = "The hostname of the server."; description = "The hostname of the server.";
@ -205,5 +205,9 @@ with lib;
default = false; default = false;
description = "Whether to bind-mount vmail and sieve folders"; description = "Whether to bind-mount vmail and sieve folders";
}; };
##############
# Modules #
##############
# modules =
}; };
} }

4
videomeet/jitsi.nix
View File

@ -1,8 +1,8 @@
{ config, ... }: { config, ... }:
{ {
services.jitsi-meet = { services.jitsi-meet = {
enable = config.selfprivacy.userdata.jitsi.enable; enable = config.selfprivacy.jitsi.enable;
hostName = "meet.${config.selfprivacy.userdata.domain}"; hostName = "meet.${config.selfprivacy.domain}";
nginx.enable = true; nginx.enable = true;
interfaceConfig = { interfaceConfig = {
SHOW_JITSI_WATERMARK = false; SHOW_JITSI_WATERMARK = false;

2
volumes.nix
View File

@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
cfg = config.selfprivacy.userdata; cfg = config.selfprivacy;
in in
{ {
fileSystems = builtins.listToAttrs (builtins.map fileSystems = builtins.listToAttrs (builtins.map

4
vpn/ocserv.nix
View File

@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
domain = config.selfprivacy.userdata.domain; domain = config.selfprivacy.domain;
in in
{ {
users.groups.ocserv = { users.groups.ocserv = {
@ -13,7 +13,7 @@ in
group = "ocserv"; group = "ocserv";
}; };
services.ocserv = { services.ocserv = {
enable = config.selfprivacy.userdata.ocserv.enable; enable = config.selfprivacy.ocserv.enable;
config = '' config = ''
socket-file = /var/run/ocserv-socket socket-file = /var/run/ocserv-socket

2
webserver/nginx.nix
View File

@ -1,6 +1,6 @@
{ config, lib, ... }: { config, lib, ... }:
let let
domain = config.selfprivacy.userdata.domain; domain = config.selfprivacy.domain;
in in
{ {
services.nginx = { services.nginx = {