diff --git a/api/api-module.nix b/api/api-module.nix index 8ae3c59..c2ec863 100644 --- a/api/api-module.nix +++ b/api/api-module.nix @@ -12,18 +12,12 @@ in { options.services.selfprivacy-api = { enable = mkOption { - default = false; + default = true; type = types.bool; description = '' Enable SelfPrivacy API service ''; }; - token = mkOption { - type = types.str; - description = '' - SelfPrivacy API token - ''; - }; enableSwagger = mkOption { default = false; type = types.bool; @@ -37,12 +31,6 @@ in B2 bucket ''; }; - resticPassword = mkOption { - type = types.str; - description = '' - Restic password - ''; - }; }; config = lib.mkIf cfg.enable { @@ -52,10 +40,8 @@ in inherit (config.environment.sessionVariables) NIX_PATH; HOME = "/root"; PYTHONUNBUFFERED = "1"; - AUTH_TOKEN = cfg.token; ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0"); B2_BUCKET = cfg.b2Bucket; - RESTIC_PASSWORD = cfg.resticPassword; } // config.networking.proxy.envVars; path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ]; after = [ "network-online.target" ]; diff --git a/api/api.nix b/api/api.nix index 0c18686..c966f70 100644 --- a/api/api.nix +++ b/api/api.nix @@ -2,10 +2,8 @@ { services.selfprivacy-api = { enable = true; - token = config.services.userdata.api.token; enableSwagger = config.services.userdata.api.enableSwagger; b2Bucket = config.services.userdata.backblaze.bucket; - resticPassword = config.services.userdata.resticPassword; }; users.users."selfprivacy-api" = { diff --git a/files.nix b/files.nix index da3fe85..5d2ee81 100644 --- a/files.nix +++ b/files.nix 
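Review bot: Changing `enable` to `default = true;` in the first hunk turns the API on for every host that imports this module unless it opts out, and the unit is not a harmless one — the third hunk of this file shows it running with `HOME = "/root";` and with `pkgs.nixos-rebuild` and `pkgs.mkpasswd` in its `path`. Since api/api.nix in this same commit already sets `enable = true;` explicitly, the default flip adds nothing for the intended deployment and only removes the opt-in for others; I would keep `default = false;`. If the intent is that this repo's configurations always enable it, a comment on the option saying so would be the cheaper way to record that. The `options.services.selfprivacy-api` attrset continues past the end of the hunk.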
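Review bot: Removing `AUTH_TOKEN` and `RESTIC_PASSWORD` from the unit environment in the third hunk is the right direction (secrets in a unit's environment are readable through systemctl show and /proc), but nothing in the hunk says what replaces them: `path` still lists `pkgs.restic`, so presumably the API now picks up /var/lib/restic/pass and /root/.config/rclone/rclone.conf that files.nix writes, and its auth tokens from the file described by the new userdata/tokens_schema.json — none of which is stated here. A comment above the `environment` attrset, e.g. `# No credentials via env: restic reads /var/lib/restic/pass and rclone.conf under HOME, API tokens come from the tokens file (see userdata/tokens_schema.json)`, would fix the contract in one place; if the API needs the tokens path, passing it as an explicit option is safer than relying on a HOME-relative default. The systemd service definition starts and ends outside this hunk.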
@@ -15,48 +15,62 @@ in (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "") "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" ]; - system.activationScripts = let - jq = "${pkgs.jq}/bin/jq"; - sed = "${pkgs.gnused}/bin/sed"; - in - { - nextcloudSecrets = - if cfg.nextcloud.enable then '' - cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass - chmod 0440 /var/lib/nextcloud/db-pass - chown nextcloud:nextcloud /var/lib/nextcloud/db-pass + system.activationScripts = + let + jq = "${pkgs.jq}/bin/jq"; + sed = "${pkgs.gnused}/bin/sed"; + in + { + nextcloudSecrets = + if cfg.nextcloud.enable then '' + cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass + chmod 0440 /var/lib/nextcloud/db-pass + chown nextcloud:nextcloud /var/lib/nextcloud/db-pass - cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass - chmod 0440 /var/lib/nextcloud/admin-pass - chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass - '' - else '' - rm -f /var/lib/nextcloud/db-pass - rm -f /var/lib/nextcloud/admin-pass + cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass + chmod 0440 /var/lib/nextcloud/admin-pass + chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass + '' + else '' + rm -f /var/lib/nextcloud/db-pass + rm -f /var/lib/nextcloud/admin-pass + ''; + cloudflareCredentials = '' + echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini + echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini + echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini + ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini + chmod 0440 /var/lib/cloudflare/Credentials.ini + chown nginx:acmerecievers 
/var/lib/cloudflare/Credentials.ini ''; - cloudflareCredentials = '' - echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini - echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini - echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini - ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini - chmod 0440 /var/lib/cloudflare/Credentials.ini - chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini - ''; - resticCredentials = '' - echo '[backblaze]' > /root/.config/rclone/rclone.conf - echo 'type = b2' >> /root/.config/rclone/rclone.conf - echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf - echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf + resticCredentials = '' + echo '[backblaze]' > /root/.config/rclone/rclone.conf + echo 'type = b2' >> /root/.config/rclone/rclone.conf + echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf + echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf - ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf - ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf + ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf + ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf - chmod 0400 /root/.config/rclone/rclone.conf - chown root:root /root/.config/rclone/rclone.conf + chmod 0400 /root/.config/rclone/rclone.conf + chown root:root /root/.config/rclone/rclone.conf - cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass - chmod 0400 /var/lib/restic/pass - chown restic /var/lib/restic/pass - ''; 
- }; + cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass + chmod 0400 /var/lib/restic/pass + chown restic /var/lib/restic/pass + ''; + pleromaCredentials = + if cfg.pleroma.enable then '' + echo 'import Config' > /var/lib/pleroma/secrets.exs + echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs + echo ' password: "REPLACEME",' >> /var/lib/pleroma/secrets.exs + + ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs + + chmod 0750 /var/lib/pleroma/secrets.exs + chown pleroma:pleroma /var/lib/pleroma/secrets.exs + '' else '' + rm -f /var/lib/pleroma/secrets.exs + ''; + }; } diff --git a/social/config.exs b/social/config.exs index 8782dea..340c4e8 100644 --- a/social/config.exs +++ b/social/config.exs @@ -22,9 +22,8 @@ config :pleroma, :media_proxy, config :pleroma, Pleroma.Repo, adapter: Ecto.Adapters.Postgres, username: "pleroma", - password: "$DB_PASSWORD", database: "pleroma", - hostname: "localhost", + socket_dir: "/run/postgresql", pool_size: 10 #config :web_push_encryption, :vapid_details, @@ -41,4 +40,4 @@ config :pleroma, :http_security, #config :joken, default_signer: "" -config :pleroma, configurable_from_database: false +config :pleroma, configurable_from_database: true diff --git a/social/pleroma.nix b/social/pleroma.nix index 7066fd6..9bc645f 100644 --- a/social/pleroma.nix +++ b/social/pleroma.nix @@ -10,8 +10,8 @@ in group = "pleroma"; configs = [ (builtins.replaceStrings - [ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ] - [ cfg.domain cfg.username cfg.databasePassword ] + [ "$DOMAIN" "$LUSER" ] + [ cfg.domain cfg.username ] (builtins.readFile ./config.exs)) ]; }; 
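Review bot: The new `pleromaCredentials` snippet near the end of the hunk writes the database password with `echo 'import Config' > /var/lib/pleroma/secrets.exs` first and only afterwards runs `chmod 0750 /var/lib/pleroma/secrets.exs`, so the file is created under the activation shell's default umask (normally world-readable) for the window before the chmod, and 0750 keeps execute bits on a config file where the sibling snippets settle on 0440/0400. Creating it with its final mode first closes that window: put `${pkgs.coreutils}/bin/install -m 0440 -o pleroma -g pleroma /dev/null /var/lib/pleroma/secrets.exs` ahead of the first echo and change the mode line to `chmod 0440 /var/lib/pleroma/secrets.exs`; the tmpfiles rule at the top of the hunk still declares the same path `0755`, and whether systemd-tmpfiles re-applies that mode on a later run should be checked so it does not undo the chmod. The `${sed} -i "s/REPLACEME/$(… jq -r '.databasePassword')/g"` step also fails, or silently produces a wrong secrets.exs, when the password contains `/`, `&`, `\` or a newline — letting jq print the finished line (`${jq} -r '"  password: \(.databasePassword | tojson),"'`) avoids sed metacharacters, though JSON and Elixir string escapes are not identical (`#{` in particular), so that needs a check. The same echo-before-chmod ordering exists in the pre-existing cloudflareCredentials and resticCredentials snippets, which this commit only re-indents.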
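Review bot: Dropping `password:` and `hostname:` for `socket_dir: "/run/postgresql"` makes the Repo depend on PostgreSQL's local peer authentication mapping the `pleroma` OS user to the `pleroma` role, which is consistent with the passwordless `ensureUsers` entry in social/pleroma.nix — but the files.nix hunk in this same commit still writes a `password: "…"` line for `Pleroma.Repo` into /var/lib/pleroma/secrets.exs from `.databasePassword`, and the role created by `ensureUsers` never has a password set, so that secrets file is either dead or contradicts this stanza depending on how secrets.exs is loaded; one of the two should go. A one-line comment here, e.g. `# local socket + peer auth: the pleroma role has no password, do not add one`, would keep the next maintainer from reintroducing it. This claim about peer auth is inferred from the two hunks together; the pg_hba configuration itself is not on the page.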
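Review bot: `configurable_from_database: true` is a one-word change with real weight: as far as I know Pleroma then layers settings stored in the database on top of this file, so anyone holding an admin API token or write access to the `pleroma` database can change runtime configuration, and those changes persist across `nixos-rebuild`, diverging from the Nix-managed config.exs. That is presumably wanted for the admin frontend, but it is not stated anywhere in the commit; a comment on the line such as `# admin-API-managed settings live in the DB, override this file and survive redeploys` would record the trade-off. It is also worth checking which file-based keys the project wants to keep authoritative, since the database copy wins for anything set there.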
@@ -19,11 +19,20 @@ in
 enable = true;
 package = pkgs.postgresql_12;
 initialScript = "/etc/setup.psql";
+ ensureDatabases = [
+ "pleroma"
+ ];
+ ensureUsers = [
+ {
+ name = "pleroma";
+ ensurePermissions = {
+ "DATABASE pleroma" = "ALL PRIVILEGES";
+ };
+ };
+ ];
 };
 };
 environment.etc."setup.psql".text = ''
- CREATE USER pleroma WITH ENCRYPTED PASSWORD '${cfg.databasePassword}';
- CREATE DATABASE pleroma OWNER pleroma;
 \c pleroma;
 --Extensions made by ecto.migrate that need superuser access
 CREATE EXTENSION IF NOT EXISTS citext;
diff --git a/userdata/tokens_schema.json b/userdata/tokens_schema.json
new file mode 100644
index 0000000..2e85065
--- /dev/null
+++ b/userdata/tokens_schema.json
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "$id": "https://git.selfprivacy.org/inex/selfprivacy-nixos-config/raw/branch/master/userdata/tokens_schema.json",
+ "type": "object",
+ "properties": {
+ "tokens": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "token": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "date": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "token",
+ "name",
+ "date"
+ ]
+ }
+ },
+ "recovery_token": {
+ "type": "object",
+ "properties": {
+ "token": {
+ "type": "string"
+ },
+ "date": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "uses_left": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "token",
+ "date"
+ ]
+ },
+ "new_device": {
+ "type": "object",
+ "properties": {
+ "token": {
+ "type": "string"
+ },
+ "date": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "token",
+ "date",
+ "expiration"
+ ]
+ }
+ },
+ "required": [
+ "tokens"
+ ]
+}
\ No newline at end of file
diff --git a/variables-module.nix b/variables-module.nix
index c14fe2c..2b0a7ea 100644
--- a/variables-module.nix
+++ b/variables-module.nix 
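Review bot: After this change /etc/setup.psql still opens with `\c pleroma;`, but the `pleroma` database is now created by `ensureDatabases`, and in the NixOS postgresql module as I recall it `initialScript` runs once right after initdb, before the ensureDatabases/ensureUsers loops — so on a fresh cluster the `\c` fails, `CREATE EXTENSION IF NOT EXISTS citext;` (and whatever follows it outside the hunk) never runs, and the script is not retried; please verify against the module version in use. Either keep `CREATE DATABASE pleroma OWNER pleroma;` in initialScript ahead of the `\c`, or move the extension setup into something that runs after ensureDatabases (a `postStart` snippet or a oneshot unit ordered after postgresql.service). Note also that `ensureDatabases` creates the database owned by the postgres superuser rather than by `pleroma` as the removed line did; `ALL PRIVILEGES` is usually enough for ecto migrations, but it is a behavioural difference worth a comment on the `ensureUsers` entry, together with the fact that the role deliberately has no password because config.exs now connects over the socket. The `environment.etc."setup.psql"` string continues past the end of the hunk.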
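Review bot: The schema accepts any string for `token`, `date` and `expiration` and any integer for `uses_left`, so a tokens file with an empty token, a malformed timestamp or a negative use count validates; adding `"minLength": 1` to the `token` properties, `"format": "date-time"` to the date and expiration fields and `"minimum": 0` to `uses_left` pins the intent without invalidating well-formed files, and `"additionalProperties": false` on the three objects would catch key typos. `"$schema": "http://json-schema.org/schema#"` is the draft-agnostic meta-schema URI; naming a draft (draft-07, say) makes `format` handling predictable across validators. Since this presumably describes the file that replaces the removed `api.token` option — i.e. where the API's credentials are kept in clear text — a top-level `"description"` saying so and stating the expected ownership and file mode would be worth two lines. The file is also missing its trailing newline.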
@@ -67,12 +67,6 @@ in
 # API options #
 ###############
 api = {
- token = mkOption {
- description = ''
- API token used to authenticate with the server
- '';
- type = types.nullOr types.str;
- };
 enableSwagger = mkOption {
 default = true;
 description = ''
@@ -97,21 +91,9 @@ in
 type = types.nullOr types.str;
 };
 };
- cloudflare = {
- apiKey = mkOption {
- description = "Cloudflare API Key.";
- type = types.nullOr types.str;
- };
- };
 ##############
 # Services #
 ##############
- databasePassword = mkOption {
- description = ''
- Password for the database
- '';
- type = types.nullOr types.str;
- };
 bitwarden = {
 enable = mkOption {
 default = false;
@@ -129,18 +111,6 @@ in
 default = true;
 type = types.nullOr types.bool;
 };
- # databasePassword = mkOption {
- # description = ''
- # Password for the nextcloud database
- # '';
- # type = types.nullOr types.str;
- # };
- adminPassword = mkOption {
- description = ''
- Password for the nextcloud admin user
- '';
- type = types.nullOr types.str;
- };
 };
 pleroma = {
 enable = mkOption {
@@ -160,15 +130,6 @@ in
 type = types.nullOr types.bool;
 };
 };
- #############
- # Backups #
- #############
- resticPassword = mkOption {
- description = ''
- Password for the restic
- '';
- type = types.nullOr types.str;
- };
 #########
 # SSH #
 #########
diff --git a/variables.nix b/variables.nix
index f163bf5..b69ccfe 100644
--- a/variables.nix
+++ b/variables.nix 
@@ -15,17 +15,12 @@ in
 hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
 sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [] jsonData;
 api = {
- token = jsonData.api.token;
 enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
 skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [] jsonData;
 };
 backblaze = {
 bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
 };
- cloudflare = {
- apiKey = lib.attrsets.attrByPath [ "cloudflare" "apiKey" ] "" jsonData;
- };
- databasePassword = lib.attrsets.attrByPath [ "databasePassword" ] null jsonData;
 bitwarden = {
 enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
 };
@@ -34,7 +29,6 @@ in
 };
 nextcloud = {
 enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData;
- adminPassword = lib.attrsets.attrByPath [ "nextcloud" "adminPassword" ] "" jsonData;
 };
 pleroma = {
 enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
@@ -45,7 +39,6 @@ in
 ocserv = {
 enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
 };
- resticPassword = lib.attrsets.attrByPath [ "resticPassword" ] null jsonData;
 ssh = {
 enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
 rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;