From ad43d31c0cc16d74f0e453616b8e9eed0c9fc779 Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Thu, 15 Feb 2024 13:56:12 +0400 Subject: [PATCH] modules: parameterize all subdomains --- sp-modules/bitwarden/module.nix | 13 +++++++++---- sp-modules/gitea/module.nix | 19 ++++++++++++------- sp-modules/jitsi-meet/module.nix | 11 ++++++++--- sp-modules/nextcloud/module.nix | 9 +++++++-- sp-modules/ocserv/module.nix | 11 ++++++++--- sp-modules/pleroma/module.nix | 17 +++++++++++------ 6 files changed, 55 insertions(+), 25 deletions(-) diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix index 9b2d1c9..292601c 100644 --- a/sp-modules/bitwarden/module.nix +++ b/sp-modules/bitwarden/module.nix @@ -2,6 +2,7 @@ let secrets-filepath = "/etc/selfprivacy/secrets.json"; backup-dir = "/var/lib/bitwarden/backup"; + cfg = sp.modules.bitwarden; inherit (import ./common.nix config) bitwarden-env sp; in { @@ -13,12 +14,16 @@ in location = lib.mkOption { type = lib.types.str; }; + subdomain = lib.mkOption { + default = "password"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; }; config = lib.mkIf config.selfprivacy.modules.bitwarden.enable { fileSystems = lib.mkIf sp.useBinds { "/var/lib/bitwarden" = { - device = "/volumes/${sp.modules.bitwarden.location}/bitwarden"; + device = "/volumes/${cfg.location}/bitwarden"; options = [ "bind" "x-systemd.required-by=bitwarden-secrets.service" @@ -30,7 +35,7 @@ in ]; }; "/var/lib/bitwarden_rs" = { - device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs"; + device = "/volumes/${cfg.location}/bitwarden_rs"; options = [ "bind" "x-systemd.required-by=bitwarden-secrets.service" @@ -48,7 +53,7 @@ in backupDir = backup-dir; environmentFile = "${bitwarden-env}"; config = { - domain = "https://password.${sp.domain}/"; + domain = "https://${cfg.subdomain}.${sp.domain}/"; signupsAllowed = true; rocketPort = 8222; }; 
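Review bot: The `subdomain` type `lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"` in the bitwarden `@@ -13,12` hunk rejects every single-character label (the first and last bracket expressions each consume one character, so `a` cannot match), and the identical literal is pasted into the gitea, jitsi-meet, nextcloud, ocserv and pleroma option hunks. `[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?` accepts one to 63 characters with the same hyphen rules; the `\-` is unnecessary because Nix unescapes `\-` to a plain `-` and a trailing `-` inside a bracket expression is literal anyway. Declaring the type once in a shared Nix file and reusing it in all six modules keeps the copies from drifting. Since `strMatching` anchors the pattern, dots are rejected, which keeps the host a single label under `sp.domain` and therefore inside the certificate selected by `useACMEHost = sp.domain` (presumably a wildcard); a `description` on the option would make that constraint visible to users.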
@@ -76,7 +81,7 @@ in <(printf "%s" "$bitwarden_env") ${bitwarden-env} ''; }; - services.nginx.virtualHosts."password.${sp.domain}" = { + services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { useACMEHost = sp.domain; forceSSL = true; extraConfig = '' diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix index c076a8c..51e28e1 100644 --- a/sp-modules/gitea/module.nix +++ b/sp-modules/gitea/module.nix @@ -3,8 +3,9 @@ let sp = config.selfprivacy; stateDir = if sp.useBinds - then "/volumes/${sp.modules.gitea.location}/gitea" + then "/volumes/${cfg.location}/gitea" else "/var/lib/gitea"; + cfg = sp.modules.gitea; in { options.selfprivacy.modules.gitea = { @@ -15,12 +16,16 @@ in location = lib.mkOption { type = lib.types.str; }; + subdomain = lib.mkOption { + default = "git"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; }; - config = lib.mkIf config.selfprivacy.modules.gitea.enable { + config = lib.mkIf cfg.enable { fileSystems = lib.mkIf sp.useBinds { "/var/lib/gitea" = { - device = "/volumes/${sp.modules.gitea.location}/gitea"; + device = "/volumes/${cfg.location}/gitea"; options = [ "bind" ]; }; }; @@ -53,8 +58,8 @@ in # cookieSecure = true; settings = { server = { - DOMAIN = "git.${sp.domain}"; - ROOT_URL = "https://git.${sp.domain}/"; + DOMAIN = "${cfg.subdomain}.${sp.domain}"; + ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/"; HTTP_ADDR = "0.0.0.0"; HTTP_PORT = 3000; }; @@ -83,7 +88,7 @@ in }; }; }; - services.nginx.virtualHosts."git.${sp.domain}" = { + services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { useACMEHost = sp.domain; forceSSL = true; extraConfig = '' @@ -103,6 +108,6 @@ in }; }; systemd.services.gitea.unitConfig.RequiresMountsFor = - lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea"; + lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea"; }; } diff --git a/sp-modules/jitsi-meet/module.nix b/sp-modules/jitsi-meet/module.nix index 57957e9..20db52f 100644 
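Review bot: Nothing stops two modules from being configured with the same `subdomain`, and the `services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}"` attribute here, like the matching ones in the gitea, jitsi-meet, ocserv and pleroma hunks, would then be merged by the module system into a single vhost; as far as I can tell identical definitions merge silently while conflicting scalar values such as `root` fail evaluation, so a collision may surface as a confusing error or not at all. A single `assertions` entry in the module that imports all sp-modules, checking the `subdomain` values of the enabled modules for duplicates (e.g. comparing `lib.length` against `lib.length (lib.unique …)`), would turn that into a clear evaluation-time error. The enclosing `config` attribute set starts outside the hunk.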
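Review bot: In the gitea `@@ -3,8` hunk `cfg` is bound three lines after `stateDir` already reads `cfg.location`; Nix `let` is recursive so this evaluates, but reading the binding before its first use is clearer. Moving `cfg = sp.modules.gitea;` directly under `sp = config.selfprivacy;` also matches where the bitwarden, jitsi-meet, ocserv and pleroma hunks place it.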
--- a/sp-modules/jitsi-meet/module.nix +++ b/sp-modules/jitsi-meet/module.nix @@ -1,6 +1,7 @@ { config, lib, ... }: let domain = config.selfprivacy.domain; + cfg = config.selfprivacy.modules.jitsi-meet; in { options.selfprivacy.modules.jitsi-meet = { @@ -8,19 +9,23 @@ in default = false; type = lib.types.bool; }; + subdomain = lib.mkOption { + default = "meet"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; }; - config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable { + config = lib.mkIf cfg.enable { services.jitsi-meet = { enable = true; - hostName = "meet.${domain}"; + hostName = "${cfg.subdomain}.${domain}"; nginx.enable = true; interfaceConfig = { SHOW_JITSI_WATERMARK = false; SHOW_WATERMARK_FOR_GUESTS = false; }; }; - services.nginx.virtualHosts."meet.${domain}" = { + services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = { forceSSL = true; useACMEHost = domain; enableACME = false; diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix index db8105e..0781fa8 100644 --- a/sp-modules/nextcloud/module.nix +++ b/sp-modules/nextcloud/module.nix @@ -8,18 +8,23 @@ location = mkOption { type = types.str; }; + subdomain = lib.mkOption { + default = "cloud"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; }; config = let inherit (import ./common.nix config) sp secrets-filepath db-pass-filepath admin-pass-filepath; - hostName = "cloud.${sp.domain}"; + cfg = sp.modules.nextcloud; + hostName = "${cfg.subdomain}.${sp.domain}"; in lib.mkIf sp.modules.nextcloud.enable { fileSystems = lib.mkIf sp.useBinds { "/var/lib/nextcloud" = { - device = "/volumes/${sp.modules.nextcloud.location}/nextcloud"; + device = "/volumes/${cfg.location}/nextcloud"; options = [ "bind" "x-systemd.required-by=nextcloud-setup.service" diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix index fc52c54..e1e8c97 100644 --- a/sp-modules/ocserv/module.nix 
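Review bot: In the nextcloud hunk `in lib.mkIf sp.modules.nextcloud.enable {` is kept although `cfg = sp.modules.nextcloud;` is now bound two lines above it, making this the one module in the series still not gated on `cfg.enable`; `in lib.mkIf cfg.enable {` would match the gitea, jitsi-meet, ocserv and pleroma hunks. The new option also uses `lib.mkOption` / `lib.types.strMatching` while its sibling `location = mkOption { type = types.str; }` in the same attribute set uses the bare names, so `subdomain = mkOption { default = "cloud"; type = types.strMatching "…"; };` is the consistent form. The enclosing `options` and `config` definitions both extend beyond the hunk.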
+++ b/sp-modules/ocserv/module.nix @@ -3,6 +3,7 @@ let domain = config.selfprivacy.domain; cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; key = "${config.security.acme.certs.${domain}.directory}/key.pem"; + cfg = config.selfprivacy.modules.ocserv; in { options.selfprivacy.modules.ocserv = { @@ -10,9 +11,13 @@ in default = false; type = lib.types.bool; }; + subdomain = lib.mkOption { + default = "vpn"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; }; - config = lib.mkIf config.selfprivacy.modules.ocserv.enable { + config = lib.mkIf cfg.enable { users.groups.ocserv.members = [ "ocserv" ]; users.users.ocserv = { isNormalUser = false; @@ -43,7 +48,7 @@ in idle-timeout=1200 mobile-idle-timeout=2400 - default-domain = vpn.${domain} + default-domain = ${cfg.subdomain}.${domain} device = vpn0 @@ -57,7 +62,7 @@ in route = default ''; }; - services.nginx.virtualHosts."vpn.${domain}" = { + services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = { useACMEHost = domain; forceSSL = true; extraConfig = '' diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix index d69534f..191c3d7 100644 --- a/sp-modules/pleroma/module.nix +++ b/sp-modules/pleroma/module.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: let secrets-filepath = "/etc/selfprivacy/secrets.json"; + cfg = config.selfprivacy.modules.pleroma; inherit (import ./common.nix config) secrets-exs sp; in { @@ -12,11 +13,15 @@ in location = lib.mkOption { type = lib.types.str; }; + subdomain = lib.mkOption { + default = "social"; + type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"; + }; }; - config = lib.mkIf config.selfprivacy.modules.pleroma.enable { + config = lib.mkIf cfg.enable { fileSystems = lib.mkIf sp.useBinds { "/var/lib/pleroma" = { - device = "/volumes/${sp.modules.pleroma.location}/pleroma"; + device = "/volumes/${cfg.location}/pleroma"; options = [ "bind" "x-systemd.required-by=pleroma-secrets.service" 
@@ -26,7 +31,7 @@ in ]; }; "/var/lib/postgresql" = { - device = "/volumes/${sp.modules.pleroma.location}/postgresql"; + device = "/volumes/${cfg.location}/postgresql"; options = [ "bind" "x-systemd.required-by=pleroma-secrets.service" @@ -102,9 +107,9 @@ in }; # seems to be an upstream nixpkgs/nixos bug (missing hexdump) systemd.services.pleroma.path = [ pkgs.util-linux ]; - services.nginx.virtualHosts."social.${sp.domain}" = { - useACMEHost = config.selfprivacy.domain; - root = "/var/www/social.${sp.domain}"; + services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { + useACMEHost = sp.domain; + root = "/var/www/${cfg.subdomain}.${sp.domain}"; forceSSL = true; extraConfig = '' add_header Strict-Transport-Security $hsts_header;
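Review bot: `root = "/var/www/${cfg.subdomain}.${sp.domain}";` ties the nginx document root to the option value, so changing `subdomain` later silently moves the directory nginx expects; whatever creates or populates that path must derive it from the same expression or nginx will serve from a directory that does not exist. The diffstat's six deletions for this file are all visible in these hunks, so any other `social.` literal elsewhere in the file is untouched by this patch — I cannot see where the web root is provisioned, so please check that. Binding the path once, e.g. `webRoot = "/var/www/${cfg.subdomain}.${sp.domain}";` in the file's `let`, and referencing it here keeps the two in step. The enclosing `config` block starts outside the hunk.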