From 83e8f6e8a1d530670d056c02823814e3055b3552 Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Sat, 16 Dec 2023 09:39:22 +0400 Subject: [PATCH] get rid of files.nix; ACME/credentialsFile and other cleanup --- configuration.nix | 7 +++++++ files.nix | 46 ------------------------------------------ flake.lock | 8 ++++---- flake.nix | 12 +++++++++-- letsencrypt/acme.nix | 34 +++++++++++++++++++++++++++++-- selfprivacy-module.nix | 40 ++++-------------------------------- 6 files changed, 57 insertions(+), 90 deletions(-) delete mode 100644 files.nix diff --git a/configuration.nix b/configuration.nix index 221d424..b198a04 100644 --- a/configuration.nix +++ b/configuration.nix @@ -13,6 +13,8 @@ fileSystems."/".options = [ "noatime" ]; + services.selfprivacy-api.enable = true; + services.redis.servers.sp-api = { enable = true; save = [ @@ -36,6 +38,7 @@ boot.cleanTmpDir = true; networking = { hostName = config.selfprivacy.hostname; + domain = config.selfprivacy.domain; usePredictableInterfaceNames = false; firewall = { allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ]; @@ -69,6 +72,10 @@ DOMAIN = config.selfprivacy.domain; }; documentation.enable = false; # no {man,info}-pages & docs, etc to save space + systemd.tmpfiles.rules = [ + "# Completely remove remnants of NIXOS_LUSTRATE." + "R! /old-root" + ]; system.autoUpgrade = { enable = config.selfprivacy.autoUpgrade.enable; allowReboot = config.selfprivacy.autoUpgrade.allowReboot; diff --git a/files.nix b/files.nix deleted file mode 100644 index 90ba031..0000000 --- a/files.nix +++ /dev/null @@ -1,46 +0,0 @@ -nixos-config-source: { config, pkgs, ... }: -let - cfg = config.selfprivacy; - dnsCredentialsTemplates = { - DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME"; - CLOUDFLARE = '' - CF_API_KEY=REPLACEME - CLOUDFLARE_DNS_API_TOKEN=REPLACEME - CLOUDFLARE_ZONE_API_TOKEN=REPLACEME - ''; - DESEC = "DESEC_TOKEN=REPLACEME"; - }; - dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider}; -in -{ - systemd.tmpfiles.rules = - let - domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain; - in - [ - "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" - ]; - system.activationScripts = - let - jq = "${pkgs.jq}/bin/jq"; - sed = "${pkgs.gnused}/bin/sed"; - in - { - nixos-lustrate = '' - rm -rf /old-root - ''; - selfprivacy-nixos-configuration-source = '' - rm -rf /etc/nixos/{*,.[!.]*} - cp -r --no-preserve=all ${nixos-config-source}/ -T /etc/nixos/ - ''; - cloudflareCredentials = '' - mkdir -p /var/lib/cloudflare - chmod 0440 /var/lib/cloudflare - chown nginx:acmereceivers /var/lib/cloudflare - echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini - ${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini - chmod 0440 /var/lib/cloudflare/Credentials.ini - chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini - ''; - }; -} diff --git a/flake.lock b/flake.lock index 4f397d9..bb139b2 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1702381323, - "narHash": "sha256-jPDDlY2thQgJqY8I3Ef3QeojHci7UikMjMVZ5P7pjt4=", + "lastModified": 1702870693, + "narHash": "sha256-ZtoeXTzQ52wn8chX/0PsLCFuc32m5zpDJpPdpWlrxwU=", "ref": "userdata", - "rev": "2bdb73d348d1a8b85a71aa480ab1c08fafb2c9ba", - "revCount": 1044, + "rev": "789a1c579c5c8f2431cff2baed45713ab791ca7c", + "revCount": 1046, "type": "git", "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git" }, diff --git a/flake.nix b/flake.nix index bce9d7a..866e152 100644 --- a/flake.nix +++ b/flake.nix @@ -24,20 +24,28 @@ hardware-configuration deployment ./configuration.nix - (import ./files.nix top-level-flake.outPath) selfprivacy-api.nixosModules.default { # pass userdata (parsed from JSON) options to selfprivacy module selfprivacy = userdata; + # embed top-level flake source folder into the build environment.etc."selfprivacy/nixos-config-source".source = - top-level-flake.outPath; + top-level-flake; + # for running "nix search nixpkgs", etc nix.registry.nixpkgs.flake = nixpkgs; + # embed commit sha1 for `nixos-version --configuration-revision` system.configurationRevision = self.rev or "@${self.lastModifiedDate}"; # for development # TODO assertion to forbid dirty builds caused by top-level-flake + + # reset contents of /etc/nixos to match running NixOS generation + system.activationScripts.selfprivacy-nixos-config-source = '' + rm -rf /etc/nixos/{*,.[!.]*} + cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/ + ''; } ] ++ diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix index f419178..9ad69ca 100644 --- a/letsencrypt/acme.nix +++ b/letsencrypt/acme.nix @@ -1,6 +1,18 @@ -{ config, pkgs, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.selfprivacy; + dnsCredentialsTemplates = { + DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN"; + CLOUDFLARE = '' + CF_API_KEY=$TOKEN + CLOUDFLARE_DNS_API_TOKEN=$TOKEN + CLOUDFLARE_ZONE_API_TOKEN=$TOKEN + ''; + DESEC = "DESEC_TOKEN=$TOKEN"; + }; + dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider}; + acme-env-filepath = "/var/lib/selfprivacy/acme-env"; + secrets-filepath = "/etc/selfprivacy/secrets.json"; in { users.groups.acmereceivers.members = [ "nginx" ]; @@ -18,8 +30,26 @@ in extraDomainNames = [ "${cfg.domain}" ]; group = "acmereceivers"; dnsProvider = lib.strings.toLower cfg.dns.provider; - credentialsFile = "/var/lib/cloudflare/Credentials.ini"; + credentialsFile = acme-env-filepath; }; }; }; + systemd.services.acme-secrets = { + before = [ "acme-${cfg.domain}.service" ]; + requiredBy = [ "acme-${cfg.domain}.service" ]; + serviceConfig.Type = "oneshot"; + path = with pkgs; [ coreutils jq ]; + script = '' + set -o nounset + + TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})" + filecontents=$(cat <<- EOF + ${dnsCredentialsTemplate} + EOF + ) + + install -m 0440 -o root -g acmereceivers -DT \ + <(printf "%s\n" "$filecontents") ${acme-env-filepath} + ''; + }; } diff --git a/selfprivacy-module.nix b/selfprivacy-module.nix index 95508fe..a7d1c36 100644 --- a/selfprivacy-module.nix +++ b/selfprivacy-module.nix @@ -12,7 +12,8 @@ with lib; description = '' Domain used by the server ''; - type = types.nullOr types.str; + # see: https://regexr.com/7p7ep, https://stackoverflow.com/a/26987741 + type = lib.types.strMatching ''^(xn--)?[a-z0-9][a-z0-9_-]{0,61}[a-z0-9]{0,1}\.(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$''; }; timezone = mkOption { description = '' @@ -33,13 +34,6 @@ with lib; type = types.nullOr types.bool; }; }; - stateVersion = mkOption { - description = '' - State version of the server - ''; - type = types.str; - default = "22.11"; - }; ######################## # Server admin options # ######################## @@ -62,27 +56,8 @@ with lib; type = types.nullOr (types.listOf types.str); default = [ ]; }; - ############### - # API options # - ############### - api = { - enableSwagger = mkOption { - default = true; - description = '' - Enable Swagger UI - ''; - type = types.bool; - }; - skippedMigrations = mkOption { - default = [ ]; - description = '' - List of migrations that should be skipped - ''; - type = types.listOf types.str; - }; - }; ############# - # Secrets # + # DNS # ############# dns = { provider = mkOption { @@ -95,17 +70,10 @@ with lib; default = false; }; }; - backup = { - bucket = mkOption { - description = "Bucket name used for userdata backups"; - type = types.nullOr types.str; - default = ""; - }; - }; server = { provider = mkOption { description = "Server provider that was defined at the initial setup process."; - type = types.nullOr types.str; + type = types.str; }; }; #########