Compare commits
11 Commits
flakes
...
inex/test-
Author | SHA1 | Date |
---|---|---|
Inex Code | 6d4f85bb06 | |
Inex Code | 1dcf1f78ba | |
Inex Code | cafcd697f9 | |
Inex Code | 7d4f3be89d | |
Inex Code | efe563372b | |
Inex Code | e52a6e4178 | |
Inex Code | 7ec11dd56f | |
Inex Code | 42c11a39a3 | |
Inex Code | 2708dfa468 | |
Inex Code | 383c5371fc | |
Inex Code | 7c4b85669d |
16
flake.lock
16
flake.lock
|
@ -2,11 +2,11 @@
|
|||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1714531828,
|
||||
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
|
||||
"lastModified": 1708161998,
|
||||
"narHash": "sha256-6KnemmUorCvlcAvGziFosAVkrlWZGIc6UNT9GUYr0jQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
|
||||
"rev": "84d981bae8b5e783b3b548de505b22880559515f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -28,11 +28,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709843377,
|
||||
"narHash": "sha256-lQGd4xtKWsIlD5vVurrA/xtNYxYFGfLGyev4oOUeMmY=",
|
||||
"ref": "master",
|
||||
"rev": "1f1fcc223be4c6ae65eef1d50918aed0826e5ad1",
|
||||
"revCount": 1259,
|
||||
"lastModified": 1707753507,
|
||||
"narHash": "sha256-kVxHN027PZeXk/EX2EPT2Mw+ozusRUwMjVBxgslsKAw=",
|
||||
"ref": "system-rebuild-tracking",
|
||||
"rev": "25c691104f323655c5e8ff4cf96fa2cdaa87193c",
|
||||
"revCount": 1186,
|
||||
"type": "git",
|
||||
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
||||
},
|
||||
|
|
|
@ -9,17 +9,12 @@ let
|
|||
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
|
||||
CLOUDFLARE_POLLING_INTERVAL=30
|
||||
'';
|
||||
DESEC = ''
|
||||
DESEC_TOKEN=$TOKEN
|
||||
DESEC_POLLING_INTERVAL=30
|
||||
DESEC_PROPAGATION_TIMEOUT=180
|
||||
DESEC_TTL=3600
|
||||
'';
|
||||
DESEC = "DESEC_TOKEN=$TOKEN";
|
||||
};
|
||||
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
||||
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
|
||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
|
||||
in
|
||||
{
|
||||
users.groups.acmereceivers.members = [ "nginx" ];
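Review bot: On the new side DESEC is dropped from `dnsPropagationCheckExceptions` at the same time as the `DESEC_POLLING_INTERVAL`/`DESEC_PROPAGATION_TIMEOUT`/`DESEC_TTL` template values, so a deSEC-backed DNS challenge now goes through the ACME client's propagation check with whatever default timeout it has, and nothing in the hunk says that is intended. A one-line comment on the new `DESEC = "DESEC_TOKEN=$TOKEN";` line explaining why deSEC needs no polling or timeout tuning while Cloudflare keeps `CLOUDFLARE_POLLING_INTERVAL=30` would stop the next reader from re-adding them. The templates also interpolate `$TOKEN` at shell level into the file named by `acme-env-filepath`; how that file is written and with what mode is outside this hunk, so I can only note that the DNS API credential ends up on disk there. The enclosing `let` starts before the hunk.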
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
backup-dir = "/var/lib/bitwarden/backup";
|
||||
cfg = sp.modules.bitwarden;
|
||||
inherit (import ./common.nix config) bitwarden-env sp;
|
||||
in
|
||||
{
|
||||
|
@ -14,16 +13,12 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "password";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/bitwarden" = {
|
||||
device = "/volumes/${cfg.location}/bitwarden";
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=bitwarden-secrets.service"
|
||||
|
@ -35,7 +30,7 @@ in
|
|||
];
|
||||
};
|
||||
"/var/lib/bitwarden_rs" = {
|
||||
device = "/volumes/${cfg.location}/bitwarden_rs";
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=bitwarden-secrets.service"
|
||||
|
@ -53,7 +48,7 @@ in
|
|||
backupDir = backup-dir;
|
||||
environmentFile = "${bitwarden-env}";
|
||||
config = {
|
||||
domain = "https://${cfg.subdomain}.${sp.domain}/";
|
||||
domain = "https://password.${sp.domain}/";
|
||||
signupsAllowed = true;
|
||||
rocketPort = 8222;
|
||||
};
|
||||
|
@ -81,7 +76,7 @@ in
|
|||
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
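Review bot: The new `device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";` line (and the `bitwarden_rs` one in the next hunk) interpolates `location`, declared as a bare `lib.types.str` in the same hunk, into a mount device path with no pattern restriction, so a value containing `/` or `..` would produce a bind mount outside `/volumes`; the same shape appears in the gitea, nextcloud and pleroma sections. If volume names are plain identifiers, `type = lib.types.strMatching "[A-Za-z0-9_-]+";` (adjusted to the values the option really receives) on the `location` option would reject that at evaluation time. Separately, `signupsAllowed = true;` sits as context next to the now hard-coded `domain = "https://password.${sp.domain}/";`, so the instance accepts open registration on its public name; if that is deliberate, a comment saying so would help. The `config` attribute set continues outside the hunks.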
|
||||
|
|
|
@ -3,9 +3,8 @@ let
|
|||
sp = config.selfprivacy;
|
||||
stateDir =
|
||||
if sp.useBinds
|
||||
then "/volumes/${cfg.location}/gitea"
|
||||
then "/volumes/${sp.modules.gitea.location}/gitea"
|
||||
else "/var/lib/gitea";
|
||||
cfg = sp.modules.gitea;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.gitea = {
|
||||
|
@ -16,16 +15,12 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "git";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.gitea.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/gitea" = {
|
||||
device = "/volumes/${cfg.location}/gitea";
|
||||
device = "/volumes/${sp.modules.gitea.location}/gitea";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
@ -58,8 +53,8 @@ in
|
|||
# cookieSecure = true;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "${cfg.subdomain}.${sp.domain}";
|
||||
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
|
||||
DOMAIN = "git.${sp.domain}";
|
||||
ROOT_URL = "https://git.${sp.domain}/";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
};
|
||||
|
@ -88,7 +83,7 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
@ -108,6 +103,6 @@ in
|
|||
};
|
||||
};
|
||||
systemd.services.gitea.unitConfig.RequiresMountsFor =
|
||||
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
|
||||
lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
|
||||
};
|
||||
}
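Review bot: The new `lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";` in the last hunk repeats the `then` branch of `stateDir` from the first hunk, and the `fileSystems` device in the second hunk repeats it a third time; `lib.mkIf sp.useBinds stateDir;` yields the same value whenever `useBinds` is set and keeps the path in one place (the device line could use `stateDir` the same way). Also visible as context in the settings hunk, `# cookieSecure = true;` stays commented out although the vhost sets `forceSSL = true`, so the cookie Secure flag is left at Gitea's default rather than pinned; if there is a reason, a comment on that line would record it. The enclosing attribute set starts before the first hunk.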
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.domain;
|
||||
cfg = config.selfprivacy.modules.jitsi-meet;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.jitsi-meet = {
|
||||
|
@ -9,23 +8,19 @@ in
|
|||
default = false;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "meet";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "${cfg.subdomain}.${domain}";
|
||||
hostName = "meet.${domain}";
|
||||
nginx.enable = true;
|
||||
interfaceConfig = {
|
||||
SHOW_JITSI_WATERMARK = false;
|
||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
services.nginx.virtualHosts."meet.${domain}" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
enableACME = false;
|
||||
|
|
|
@ -8,23 +8,18 @@
|
|||
location = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "cloud";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
let
|
||||
inherit (import ./common.nix config)
|
||||
sp secrets-filepath db-pass-filepath admin-pass-filepath;
|
||||
cfg = sp.modules.nextcloud;
|
||||
hostName = "${cfg.subdomain}.${sp.domain}";
|
||||
hostName = "cloud.${sp.domain}";
|
||||
in
|
||||
lib.mkIf sp.modules.nextcloud.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/nextcloud" = {
|
||||
device = "/volumes/${cfg.location}/nextcloud";
|
||||
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=nextcloud-setup.service"
|
||||
|
|
|
@ -3,7 +3,6 @@ let
|
|||
domain = config.selfprivacy.domain;
|
||||
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
||||
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||
cfg = config.selfprivacy.modules.ocserv;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.ocserv = {
|
||||
|
@ -11,13 +10,9 @@ in
|
|||
default = false;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "vpn";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
|
||||
users.groups.ocserv.members = [ "ocserv" ];
|
||||
users.users.ocserv = {
|
||||
isNormalUser = false;
|
||||
|
@ -48,7 +43,7 @@ in
|
|||
idle-timeout=1200
|
||||
mobile-idle-timeout=2400
|
||||
|
||||
default-domain = ${cfg.subdomain}.${domain}
|
||||
default-domain = vpn.${domain}
|
||||
|
||||
device = vpn0
|
||||
|
||||
|
@ -62,7 +57,7 @@ in
|
|||
route = default
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
||||
useACMEHost = domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
cfg = config.selfprivacy.modules.pleroma;
|
||||
inherit (import ./common.nix config) secrets-exs sp;
|
||||
in
|
||||
{
|
||||
|
@ -13,15 +12,11 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "social";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/pleroma" = {
|
||||
device = "/volumes/${cfg.location}/pleroma";
|
||||
device = "/volumes/${sp.modules.pleroma.location}/pleroma";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=pleroma-secrets.service"
|
||||
|
@ -31,7 +26,7 @@ in
|
|||
];
|
||||
};
|
||||
"/var/lib/postgresql" = {
|
||||
device = "/volumes/${cfg.location}/postgresql";
|
||||
device = "/volumes/${sp.modules.pleroma.location}/postgresql";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=pleroma-secrets.service"
|
||||
|
@ -107,9 +102,9 @@ in
|
|||
};
|
||||
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
||||
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
root = "/var/www/${cfg.subdomain}.${sp.domain}";
|
||||
services.nginx.virtualHosts."social.${sp.domain}" = {
|
||||
useACMEHost = config.selfprivacy.domain;
|
||||
root = "/var/www/social.${sp.domain}";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
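Review bot: The new `useACMEHost = config.selfprivacy.domain;` spells the domain differently from the two adjacent new lines, `services.nginx.virtualHosts."social.${sp.domain}"` and `root = "/var/www/social.${sp.domain}";`, and from the `sp` binding inherited in the first hunk. `useACMEHost = sp.domain;` reads consistently and makes it obvious that the certificate host is the vhost's parent domain; if `sp` is not `config.selfprivacy` in this module, that deserves a comment instead. The vhost definition continues outside the hunk.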
|
||||
|
|