From 399790e2026f35d486d5bb856dca281195f74f47 Mon Sep 17 00:00:00 2001 From: inexcode Date: Fri, 28 Oct 2022 11:52:47 +0300 Subject: [PATCH 01/10] chore(nextcloud): Upgrade Nextcloud to v24 --- nextcloud/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nextcloud/nextcloud.nix b/nextcloud/nextcloud.nix index 5bebca0..5c5fad4 100644 --- a/nextcloud/nextcloud.nix +++ b/nextcloud/nextcloud.nix @@ -11,7 +11,7 @@ in }; services.nextcloud = { enable = cfg.nextcloud.enable; - package = pkgs.nextcloud23; + package = pkgs.nextcloud24; hostName = "cloud.${cfg.domain}"; # Use HTTPS for links From aeeffe42b1ae359b15f4045df6de83f1ac812134 Mon Sep 17 00:00:00 2001 From: inexcode Date: Fri, 4 Nov 2022 11:57:00 +0300 Subject: [PATCH 02/10] feat: a redis database for SelfPrivacy API --- configuration.nix | 19 +++++++++++++++++++ git/gitea.nix | 8 ++++---- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/configuration.nix b/configuration.nix index 70c1263..6417d8c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -30,6 +30,25 @@ in nixpkgs.overlays = [ (nix-overlay) ]; + services.redis.servers.sp-api = { + enable = true; + save = [ + [ + 30 + 1 + ] + [ + 10 + 10 + ] + ]; + port = 0; + settings = { + notify-keyspace-events = "KEA"; + }; + }; + + boot.cleanTmpDir = true; networking = { hostName = config.services.userdata.hostname; diff --git a/git/gitea.nix b/git/gitea.nix index 961e9b2..8d8fa29 100644 --- a/git/gitea.nix +++ b/git/gitea.nix @@ -26,10 +26,10 @@ in path = "/var/lib/gitea/data/gitea.db"; createDatabase = true; }; - ssh = { - enable = true; - clonePort = 22; - }; + # ssh = { + # enable = true; + # clonePort = 22; + # }; lfs = { enable = true; contentDir = "/var/lib/gitea/lfs"; From 7a6f57def8859586bee74722b7d86d8612912fa5 Mon Sep 17 00:00:00 2001 
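Review bot: The new `services.redis.servers.sp-api` block disables TCP (`port = 0;`), which is right, but it says nothing about who may open the resulting unix socket, so access is left to the module's default socket mode and group (presumably `redis-sp-api`). The API runs as its own `selfprivacy-api` user (api.nix), so it will need membership in that group and nothing else should get it; consider stating that next to this block, e.g. `users.users."selfprivacy-api".extraGroups = [ "redis-sp-api" ];`, plus a comment on `port = 0;` such as `# TCP deliberately off: the API reaches Redis over the unix socket only`. The two `save` rules also mean whatever the API stores in this instance is snapshotted unencrypted under the Redis state directory; if that includes tokens, confirm the directory permissions and whether it belongs in the backup paths. The enclosing configuration attrset starts and ends outside the hunk.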
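Review bot: Commenting out `ssh = { enable = true; clonePort = 22; };` does not switch SSH cloning off; it only removes the explicit values, so behaviour falls back to the gitea module defaults, which as far as I recall for this nixpkgs generation are `ssh.enable = true` and `clonePort = 22`, i.e. unchanged. If the intent is to stop exposing SSH clone URLs, write `ssh.enable = false;` explicitly; if the intent is to rely on the defaults, delete the dead commented lines rather than leaving what looks like a disabled security setting in a config module, and mention the gitea change in the commit message, which currently only covers Redis. The enclosing `services.gitea` attrset starts and ends outside the hunk.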
From: Inex Code Date: Tue, 8 Nov 2022 01:44:09 +0300 Subject: [PATCH 03/10] feat(userdata): Support for newer JSON schema of provider --- files.nix | 6 +++--- variables-module.nix | 14 +++++++++++++- variables.nix | 10 ++++++++-- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/files.nix b/files.nix index b3b2b74..37056f5 100644 --- a/files.nix +++ b/files.nix @@ -43,7 +43,7 @@ in echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini - ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini + ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini chmod 0440 /var/lib/cloudflare/Credentials.ini chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini ''; @@ -56,8 +56,8 @@ in echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf - ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf - ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf + ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf + ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf chmod 0400 /root/.config/rclone/rclone.conf chown root:root /root/.config/rclone/rclone.conf diff --git a/variables-module.nix b/variables-module.nix index 43bc7fd..1e1c01f 100644 --- a/variables-module.nix +++ b/variables-module.nix 
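Review bot: The changed `sed` line still interpolates the API key straight into the `s/REPLACEME/…/g` expression, so a key containing `/`, `&` or `\` corrupts the substitution (`&` re-inserts the match), and the key is visible in the process list while `sed` runs; since the lookup path is being migrated anyway, this is the moment to drop the placeholder dance and write the value directly, e.g. `echo "CF_API_KEY=$(${jq} -r '.dns.apiKey' /etc/nixos/userdata/userdata.json)" > /var/lib/cloudflare/Credentials.ini` for each of the three lines. Note that `jq -r` prints the literal string `null` when the key is absent and nothing here checks for it. Also, unlike the `backup.bucket` lookup in variables.nix in this same commit, no fallback to the old `.cloudflare.apiKey` path is offered, so a userdata.json that has not been rewritten yet yields `null` as the Cloudflare token. The enclosing shell string starts before this hunk.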
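Review bot: The new `.backup.accountId` / `.backup.accountKey` lookups have no fallback to the previous `.backblaze.*` keys, whereas variables.nix in this same patch still falls back to `backblaze.bucket`; on an un-migrated userdata.json `jq -r` emits `null` and rclone.conf silently ends up with `account = null` / `key = null`. A `jq` alternative keeps the two files in step: `'.backup.accountKey // .backblaze.accountKey'` (and likewise for accountId). Separately, the file is populated with `echo`/`sed -i` and only then `chmod 0400`; `/root/.config` being root-only keeps the window harmless here, but an `umask 077` at the top of this script (outside the hunk) would also close it for the Cloudflare credentials written above. The enclosing shell string starts before this hunk.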
@@ -85,12 +85,24 @@ in ############# # Secrets # ############# - backblaze = { + dns = { + provider = mkOption { + description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE"; + type = types.nullOr types.str; + }; + }; + backup = { bucket = mkOption { description = "Bucket name used for userdata backups"; type = types.nullOr types.str; }; }; + server = { + provider = mkOption { + description = "Server provider that was defined at the initial setup process. Default is HETZNER"; + type = types.nullOr types.str; + }; + }; ############## # Services # ############## diff --git a/variables.nix b/variables.nix index 6651999..bd7e3f0 100644 --- a/variables.nix +++ b/variables.nix @@ -18,8 +18,14 @@ in enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData; skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData; }; - backblaze = { - bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData; + dns = { + provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData; + }; + backup = { + bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData; + }; + server = { + provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData; }; bitwarden = { enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData; From a59fbef22ab98c97b0d5f9749864b166673eb882 Mon Sep 17 00:00:00 2001 From: Inex Code Date: Tue, 8 Nov 2022 01:44:28 +0300 Subject: [PATCH 04/10] feat: Enable Digital Ocean agent when on DO --- configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/configuration.nix b/configuration.nix index 6417d8c..8211e57 100644 --- a/configuration.nix +++ b/configuration.nix @@ -48,6 +48,7 @@ in }; }; + services.do-agent.enable = if config.server.provider == "DIGITALOCEAN" then true else false; boot.cleanTmpDir = true; networking = { 
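Review bot: `dns.provider` and `server.provider` are declared as `types.nullOr types.str` with no `default`, yet their descriptions promise defaults (`ClOUDFLARE`, a typo, and `HETZNER`); the defaults actually live in variables.nix, so either add `default = "CLOUDFLARE";` / `default = "HETZNER";` here or reword to `Default is CLOUDFLARE (applied in variables.nix)`. Because later patches in this series compare `server.provider` against the exact string `"DIGITALOCEAN"`, a free-form `str` means any misspelling or different casing silently selects the non-DO path; if the accepted set is known, `types.enum [ "HETZNER" "DIGITALOCEAN" ]` (and the equivalent list for DNS providers) turns that into an evaluation error instead. The enclosing options attrset starts and ends outside the hunk.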
From eab3d1e76186fac9bce552a6ba1decc3db6f006a Mon Sep 17 00:00:00 2001 From: Inex Code Date: Tue, 8 Nov 2022 02:41:18 +0300 Subject: [PATCH 05/10] fix: path of the provider info --- configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index 8211e57..6ec1d78 100644 --- a/configuration.nix +++ b/configuration.nix @@ -48,7 +48,7 @@ in }; }; - services.do-agent.enable = if config.server.provider == "DIGITALOCEAN" then true else false; + services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false; boot.cleanTmpDir = true; networking = { From 5210e610dffec801a84c34c55dcffc3eae778b9a Mon Sep 17 00:00:00 2001 From: Inex Code Date: Tue, 8 Nov 2022 02:49:12 +0300 Subject: [PATCH 06/10] fix: path to backup backet --- backup/restic.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backup/restic.nix b/backup/restic.nix index 55dd939..6b85e82 100644 --- a/backup/restic.nix +++ b/backup/restic.nix @@ -6,7 +6,7 @@ in services.restic.backups = { options = { passwordFile = "/etc/restic/resticPasswd"; - repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}"; + repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}"; initialize = true; paths = [ "/var/dkim" From 895a816ef5a380f028005cb2f0e989c6f82d4250 Mon Sep 17 00:00:00 2001 From: Inex Code Date: Tue, 8 Nov 2022 02:55:26 +0300 Subject: [PATCH 07/10] fix: one more path to backups data --- api/api.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/api.nix b/api/api.nix index c966f70..e3bf3ec 100644 --- a/api/api.nix +++ b/api/api.nix @@ -3,7 +3,7 @@ services.selfprivacy-api = { enable = true; enableSwagger = config.services.userdata.api.enableSwagger; - b2Bucket = config.services.userdata.backblaze.bucket; + b2Bucket = config.services.userdata.backup.bucket; }; users.users."selfprivacy-api" = { From 3dd8ff18211de63431287769e8365e6e6bae9537 Mon Sep 17 00:00:00 2001 
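Review bot: `if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false` is the comparison itself wrapped in redundant branches; `services.do-agent.enable = config.services.userdata.server.provider == "DIGITALOCEAN";` says the same thing. A one-line comment is warranted because this is the only place a string from userdata.json switches on a third-party agent that, as far as I know, reports host metrics to the provider: `# DigitalOcean metrics agent; only meaningful (and only phones home) on DO droplets`. The option is typed `nullOr str`, so the comparison is null-safe but accepts any spelling; the enclosing configuration attrset extends beyond the hunk.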
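Review bot: The new `repository` line still targets `s3:s3.anazonaws.com/…`, which is neither Amazon's S3 endpoint (`amazonaws.com`) nor a Backblaze B2 S3 endpoint; if that typo domain ever resolves, restic would hand the access key and the backup contents to whoever answers, so the host should be corrected (or made configurable alongside `backup.bucket`) rather than carried over with the attribute rename. If this restic job is in fact dead config superseded by the API's own backup path, say so in a comment, because `passwordFile = "/etc/restic/resticPasswd"` and `initialize = true` read as live. The `services.restic.backups.options` attrset continues outside the hunk.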
From: Inex Code Date: Wed, 16 Nov 2022 11:02:20 +0300 Subject: [PATCH 08/10] feat: add dns.useStagingACME option Used for testing environments, so we don't stumble upon ACME rate limits. --- letsencrypt/acme.nix | 5 ++++- variables-module.nix | 4 ++++ variables.nix | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix index ea2467e..892e762 100644 --- a/letsencrypt/acme.nix +++ b/letsencrypt/acme.nix @@ -8,7 +8,10 @@ in }; security.acme = { acceptTerms = true; - email = "${cfg.username}@${cfg.domain}"; + defaults = { + email = "${cfg.username}@${cfg.domain}"; + server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory"; + }; certs = lib.mkForce { "${cfg.domain}" = { domain = "*.${cfg.domain}"; diff --git a/variables-module.nix b/variables-module.nix index 1e1c01f..6fd24f9 100644 --- a/variables-module.nix +++ b/variables-module.nix @@ -90,6 +90,10 @@ in description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE"; type = types.nullOr types.str; }; + useStagingACME = mkOption { + description = "Use staging ACME server. Default is false"; + type = types.nullOr types.bool; + }; }; backup = { bucket = mkOption { diff --git a/variables.nix b/variables.nix index bd7e3f0..d129077 100644 --- a/variables.nix +++ b/variables.nix @@ -20,6 +20,7 @@ in }; dns = { provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData; + useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData; }; backup = { bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData; From 0d3e8c890c03820cb5a892ca17565fd099847fed Mon Sep 17 00:00:00 2001 
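Review bot: Pointing `defaults.server` at the staging directory makes every certificate issued for `*.${cfg.domain}` untrusted by browsers and clients, and nothing in this hunk surfaces that at build time even though the flag is read from userdata.json and can be left on by mistake on a real host. Add a visible warning next to the block, e.g. `warnings = lib.optional (cfg.dns.useStagingACME == true) "ACME staging server selected: certificates will not be trusted by clients";`, and use the same `== true` form in the `if`, since the option is typed `nullOr bool` and an explicit `null` in the JSON would make `if cfg.dns.useStagingACME` abort evaluation. The `security.acme` attrset continues outside the hunk.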
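Review bot: `useStagingACME` is declared as `types.nullOr types.bool` without a `default`, while its description says "Default is false" — the default is only applied in variables.nix. Declaring it as `type = types.bool; default = false;` makes the description true, removes the `null` case that a plain `if` in acme.nix cannot handle, and documents in one place that staging is opt-in; the description could also spell out the consequence, e.g. `Use the Let's Encrypt staging server (certificates are NOT trusted by clients; for test environments only). Default is false`. The enclosing options attrset starts and ends outside the hunk.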
From: Inex Code Date: Sun, 20 Nov 2022 17:12:20 +0300 Subject: [PATCH 09/10] Switch API branch to develop --- configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index 6ec1d78..3f23c1b 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz"; + url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/develop.tar.gz"; nix-overlay = (import (builtins.fetchTarball url-overlay)); in { From bfe0d1809041dbdca2307aaf01f7b298ecb139ae Mon Sep 17 00:00:00 2001 From: Inex Code Date: Fri, 30 Dec 2022 21:34:23 +0300 Subject: [PATCH 10/10] chore: Switch to API 2.1.0 --- configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index 3f23c1b..91732e9 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/develop.tar.gz"; + url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/redis.tar.gz"; nix-overlay = (import (builtins.fetchTarball url-overlay)); in {
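Review bot: `builtins.fetchTarball url-overlay` is called with a bare URL and no `sha256`, so the whole API overlay is pulled unpinned from whatever `develop` currently is (re-fetched after `tarball-ttl`), and any push or force-push to that branch becomes root-level configuration on every installation; moving from `master` to `develop` widens that exposure rather than narrowing it. Pin the source, e.g. `nix-overlay = import (builtins.fetchTarball { url = "…/archive/<commit>.tar.gz"; sha256 = "…"; });`, or a flake input with a lock file, and bump it deliberately. The `let` binding continues outside the hunk.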
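Review bot: The commit title says `Switch to API 2.1.0`, but the new URL fetches `archive/redis.tar.gz`, a feature branch rather than a release tag; branches get rebased and deleted, so this will either drift away from 2.1.0 or break a future rebuild, and the fetch still carries no content hash. If 2.1.0 is tagged, `archive/2.1.0.tar.gz` with a `sha256` expresses the intent; otherwise a commit-hash archive does. A comment such as `# pinned API release; update the hash when bumping` would make the policy explicit for the next change here.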