diff --git a/api/api.nix b/api/api.nix
index c966f70..e3bf3ec 100644
--- a/api/api.nix
+++ b/api/api.nix
@@ -3,7 +3,7 @@
 services.selfprivacy-api = {
 enable = true;
 enableSwagger = config.services.userdata.api.enableSwagger;
- b2Bucket = config.services.userdata.backblaze.bucket;
+ b2Bucket = config.services.userdata.backup.bucket;
 };
 users.users."selfprivacy-api" = {
diff --git a/backup/restic.nix b/backup/restic.nix
index 55dd939..6b85e82 100644
--- a/backup/restic.nix
+++ b/backup/restic.nix
@@ -6,7 +6,7 @@ in
 services.restic.backups = {
 options = {
 passwordFile = "/etc/restic/resticPasswd";
- repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
+ repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
 initialize = true;
 paths = [
 "/var/dkim"
diff --git a/configuration.nix b/configuration.nix
index 70c1263..91732e9 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
- url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz";
+ url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/redis.tar.gz";
 nix-overlay = (import (builtins.fetchTarball url-overlay));
 in
 {
@@ -30,6 +30,26 @@ in
 nixpkgs.overlays = [ (nix-overlay) ];
+ services.redis.servers.sp-api = {
+ enable = true;
+ save = [
+ [
+ 30
+ 1
+ ]
+ [
+ 10
+ 10
+ ]
+ ];
+ port = 0;
+ settings = {
+ notify-keyspace-events = "KEA";
+ };
+ };
+
+ services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false;
+
 boot.cleanTmpDir = true;
 networking = {
 hostName = config.services.userdata.hostname;
diff --git a/files.nix b/files.nix
index b3b2b74..37056f5 100644
--- a/files.nix
+++ b/files.nix
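Review bot: The new `repository` line keeps the misspelled host `s3.anazonaws.com`; the commit swaps the interpolated bucket attribute but the endpoint is still not `s3.amazonaws.com`, so backups either fail to resolve or, should that name ever be registered by a third party, the S3 credentials restic presents would go to a host the project does not control. Suggested line: `repository = "s3:s3.amazonaws.com/${cfg.backup.bucket}";`. Since the same bucket is called `b2Bucket` in api/api.nix in this diff, confirm which S3-compatible endpoint is actually intended before fixing the spelling. The enclosing `services.restic.backups` attribute set continues outside the hunk.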
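Review bot: `builtins.fetchTarball url-overlay` still fetches an unpinned tarball at evaluation time, and the new `url-overlay` points at a branch archive (`redis.tar.gz`) rather than a tag or commit, so the overlay's contents can change, or disappear when the branch is merged or deleted, without any change in this repository. Passing a hash makes the fetch reproducible and detects a modified archive: `nix-overlay = (import (builtins.fetchTarball { url = url-overlay; sha256 = "<PLACEHOLDER_SHA256>"; }));`. Better still, reference an immutable commit archive in `url-overlay` and record the upstream revision in a comment next to it. The `let` binding is complete within the hunk; the attribute set it feeds continues past it.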
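Review bot: `services.do-agent.enable = if … then true else false;` is a redundant conditional, because the comparison already yields a boolean: `services.do-agent.enable = config.services.userdata.server.provider == "DIGITALOCEAN";`. The comparison is verbatim and case-sensitive against a free-form string option, so any other spelling silently leaves the agent disabled; a comment such as `# must match the literal "DIGITALOCEAN" written by the setup tooling` would flag that to the next reader (I cannot see what the setup actually writes). The Redis block would also benefit from one comment on `port = 0;`, since Redis treats port 0 as "no TCP listener": `port = 0; # TCP disabled; reachable only over the unix socket the module configures`. The enclosing top-level attribute set starts before and ends after the hunk.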
@@ -43,7 +43,7 @@ in
 echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
 echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
 echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
- ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
+ ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
 chmod 0440 /var/lib/cloudflare/Credentials.ini
 chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
 '';
@@ -56,8 +56,8 @@ in
 echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
 echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
- ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
- ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
+ ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
+ ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
 chmod 0400 /root/.config/rclone/rclone.conf
 chown root:root /root/.config/rclone/rclone.conf
diff --git a/git/gitea.nix b/git/gitea.nix
index 1590f01..534ab00 100644
--- a/git/gitea.nix
+++ b/git/gitea.nix
@@ -26,10 +26,10 @@ in
 path = "/var/lib/gitea/data/gitea.db";
 createDatabase = true;
 };
- ssh = {
- enable = true;
- clonePort = 22;
- };
+ # ssh = {
+ # enable = true;
+ # clonePort = 22;
+ # };
 lfs = {
 enable = true;
 contentDir = "/var/lib/gitea/lfs";
diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index ea2467e..892e762 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
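Review bot: The new `jq -r '.dns.apiKey'` here, and `'.backup.accountId'` / `'.backup.accountKey'` in the second files.nix hunk, read the renamed keys with no fallback to the old `cloudflare.*` / `backblaze.*` names, unlike variables.nix in this same commit, which still honours `backblaze.bucket`. With an un-migrated userdata.json `jq -r` prints the literal string `null`, so activation writes `CF_API_KEY=null` and a broken rclone config without any error. The jq alternative operator gives the same migration path: `'.dns.apiKey // .cloudflare.apiKey'`, `'.backup.accountId // .backblaze.accountId'`, `'.backup.accountKey // .backblaze.accountKey'`. Separately, splicing a secret into a `sed s/…/…/g` expression means a value containing `/`, `&` or `\` corrupts the substitution; writing the file with `printf` or a heredoc from a shell variable avoids that. Both activation-script strings begin outside their hunks.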
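Review bot: Commenting out the `ssh` block instead of deleting it leaves four dead lines on the new side with no record of why SSH cloning on port 22 was dropped or what replaces it. Whether this disables SSH cloning or merely reverts to the module defaults depends on nixpkgs' default for `services.gitea.ssh.enable`, which I cannot verify from here; if the intent is to disable it, say so explicitly with `ssh.enable = false;` plus a one-line comment giving the reason, otherwise remove the commented lines. The enclosing `services.gitea` attribute set starts before the hunk and continues after it.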
@@ -8,7 +8,10 @@ in
 };
 security.acme = {
 acceptTerms = true;
- email = "${cfg.username}@${cfg.domain}";
+ defaults = {
+ email = "${cfg.username}@${cfg.domain}";
+ server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
+ };
 certs = lib.mkForce {
 "${cfg.domain}" = {
 domain = "*.${cfg.domain}";
diff --git a/variables-module.nix b/variables-module.nix
index 43bc7fd..6fd24f9 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -85,12 +85,28 @@ in
 #############
 # Secrets #
 #############
- backblaze = {
+ dns = {
+ provider = mkOption {
+ description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE";
+ type = types.nullOr types.str;
+ };
+ useStagingACME = mkOption {
+ description = "Use staging ACME server. Default is false";
+ type = types.nullOr types.bool;
+ };
+ };
+ backup = {
 bucket = mkOption {
 description = "Bucket name used for userdata backups";
 type = types.nullOr types.str;
 };
 };
+ server = {
+ provider = mkOption {
+ description = "Server provider that was defined at the initial setup process. Default is HETZNER";
+ type = types.nullOr types.str;
+ };
+ };
 ##############
 # Services #
 ##############
diff --git a/variables.nix b/variables.nix
index 6651999..d129077 100644
--- a/variables.nix
+++ b/variables.nix
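Review bot: `if cfg.dns.useStagingACME then …` is evaluated directly on an option that variables-module.nix declares as `types.nullOr types.bool`, so a `null` value aborts evaluation with a type error instead of falling back to the production directory; either compare explicitly, `server = if cfg.dns.useStagingACME == true then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";`, or declare the option as a plain `types.bool`. The new `server` line also deserves a comment, because a staging toggle left on in production yields certificates browsers do not trust: `# staging issues untrusted test certificates; use only while testing issuance`. The `security.acme` block continues past the hunk.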
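Review bot: The `dns.provider` description spells the default as `ClOUDFLARE` (lower-case `l`), and none of the three new options declares a `default = …`, so the "Default is …" wording describes behaviour that lives only in variables.nix; either add `default = "CLOUDFLARE";`, `default = false;` and `default = "HETZNER";` here or drop the claim from the descriptions. `dns.provider` and `server.provider` are free-form `nullOr str` although this commit compares them verbatim against literals (`"DIGITALOCEAN"` in configuration.nix); an enum over whatever values the setup actually writes, e.g. `types.enum [ "HETZNER" "DIGITALOCEAN" ]`, would reject a misspelling at evaluation time instead of silently taking the other branch. `useStagingACME` is read as a bare condition in acme.nix, so `types.bool` fits better than `nullOr bool`. Note also that `dns` now sits under the `# Secrets #` banner while holding no secret, and that the `.dns.apiKey` files.nix reads from userdata.json is not declared here at all.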
@@ -18,8 +18,15 @@ in
 enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
 skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
 };
- backblaze = {
- bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
+ dns = {
+ provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
+ useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
+ };
+ backup = {
+ bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData;
+ };
+ server = {
+ provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
 };
 bitwarden = {
 enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
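Review bot: The nested `attrByPath` on the `backup.bucket` line is the only place in this commit where the legacy `backblaze` key is still honoured, and nothing says so; a comment keeps the next maintainer from "simplifying" it away: `# migration: older userdata.json used backblaze.bucket; prefer backup.bucket when present`. The line also reads more easily with the legacy lookup bound first, e.g. `let legacyBucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData; in lib.attrsets.attrByPath [ "backup" "bucket" ] legacyBucket jsonData`. The `"CLOUDFLARE"` and `"HETZNER"` defaults here duplicate the "Default is …" text in variables-module.nix; keeping the default in one place (the option declaration) avoids the two drifting apart. The enclosing attribute set starts before the hunk and continues after it.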