SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 19 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: SelfPrivacy:flakes
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing
..
compare: SelfPrivacy:inex/test-systemd-rebuild
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing

11 Commits
flakes ... inex/test-

Author SHA1 Message Date
Inex Code 6d4f85bb06 test updated nixpkgs 2024-02-19 15:21:27 +03:00
Inex Code 1dcf1f78ba test frame options 2024-02-19 15:12:17 +03:00
Inex Code cafcd697f9 update 2024-02-12 18:58:38 +03:00
Inex Code 7d4f3be89d update 2024-02-12 18:54:42 +03:00
Inex Code efe563372b update 2024-02-12 18:53:25 +03:00
Inex Code e52a6e4178 update 2024-02-12 18:47:54 +03:00
Inex Code 7ec11dd56f update 2024-02-12 18:41:48 +03:00
Inex Code 42c11a39a3 update 2024-02-12 18:35:07 +03:00
Inex Code 2708dfa468 update 2024-02-12 18:27:42 +03:00
Inex Code 383c5371fc update 2024-02-12 18:25:07 +03:00
Inex Code 7c4b85669d test 2024-02-12 18:22:28 +03:00
8 changed files with 35 additions and 70 deletions
Show Stats Expand all files Collapse all files

16
flake.lock
View File

@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1714531828, "lastModified": 1708161998,
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=", "narHash": "sha256-6KnemmUorCvlcAvGziFosAVkrlWZGIc6UNT9GUYr0jQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1", "rev": "84d981bae8b5e783b3b548de505b22880559515f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1709843377, "lastModified": 1707753507,
"narHash": "sha256-lQGd4xtKWsIlD5vVurrA/xtNYxYFGfLGyev4oOUeMmY=", "narHash": "sha256-kVxHN027PZeXk/EX2EPT2Mw+ozusRUwMjVBxgslsKAw=",
"ref": "master", "ref": "system-rebuild-tracking",
"rev": "1f1fcc223be4c6ae65eef1d50918aed0826e5ad1", "rev": "25c691104f323655c5e8ff4cf96fa2cdaa87193c",
"revCount": 1259, "revCount": 1186,
"type": "git", "type": "git",
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git" "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
}, },

9
letsencrypt/acme.nix
View File

@ -9,17 +9,12 @@ let
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
CLOUDFLARE_POLLING_INTERVAL=30 CLOUDFLARE_POLLING_INTERVAL=30
''; '';
DESEC = '' DESEC = "DESEC_TOKEN=$TOKEN";
DESEC_TOKEN=$TOKEN
DESEC_POLLING_INTERVAL=30
DESEC_PROPAGATION_TIMEOUT=180
DESEC_TTL=3600
'';
}; };
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider}; dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
acme-env-filepath = "/var/lib/selfprivacy/acme-env"; acme-env-filepath = "/var/lib/selfprivacy/acme-env";
secrets-filepath = "/etc/selfprivacy/secrets.json"; secrets-filepath = "/etc/selfprivacy/secrets.json";
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ]; dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
in in
{ {
users.groups.acmereceivers.members = [ "nginx" ]; users.groups.acmereceivers.members = [ "nginx" ];

13
sp-modules/bitwarden/module.nix
View File

@ -2,7 +2,6 @@
let let
secrets-filepath = "/etc/selfprivacy/secrets.json"; secrets-filepath = "/etc/selfprivacy/secrets.json";
backup-dir = "/var/lib/bitwarden/backup"; backup-dir = "/var/lib/bitwarden/backup";
cfg = sp.modules.bitwarden;
inherit (import ./common.nix config) bitwarden-env sp; inherit (import ./common.nix config) bitwarden-env sp;
in in
{ {
@ -14,16 +13,12 @@ in
location = lib.mkOption { location = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
subdomain = lib.mkOption {
default = "password";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
}; };
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable { config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
fileSystems = lib.mkIf sp.useBinds { fileSystems = lib.mkIf sp.useBinds {
"/var/lib/bitwarden" = { "/var/lib/bitwarden" = {
device = "/volumes/${cfg.location}/bitwarden"; device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
options = [ options = [
"bind" "bind"
"x-systemd.required-by=bitwarden-secrets.service" "x-systemd.required-by=bitwarden-secrets.service"
@ -35,7 +30,7 @@ in
]; ];
}; };
"/var/lib/bitwarden_rs" = { "/var/lib/bitwarden_rs" = {
device = "/volumes/${cfg.location}/bitwarden_rs"; device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
options = [ options = [
"bind" "bind"
"x-systemd.required-by=bitwarden-secrets.service" "x-systemd.required-by=bitwarden-secrets.service"
@ -53,7 +48,7 @@ in
backupDir = backup-dir; backupDir = backup-dir;
environmentFile = "${bitwarden-env}"; environmentFile = "${bitwarden-env}";
config = { config = {
domain = "https://${cfg.subdomain}.${sp.domain}/"; domain = "https://password.${sp.domain}/";
signupsAllowed = true; signupsAllowed = true;
rocketPort = 8222; rocketPort = 8222;
}; };
@ -81,7 +76,7 @@ in
<(printf "%s" "$bitwarden_env") ${bitwarden-env} <(printf "%s" "$bitwarden_env") ${bitwarden-env}
''; '';
}; };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { services.nginx.virtualHosts."password.${sp.domain}" = {
useACMEHost = sp.domain; useACMEHost = sp.domain;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''

19
sp-modules/gitea/module.nix
View File

@ -3,9 +3,8 @@ let
sp = config.selfprivacy; sp = config.selfprivacy;
stateDir = stateDir =
if sp.useBinds if sp.useBinds
then "/volumes/${cfg.location}/gitea" then "/volumes/${sp.modules.gitea.location}/gitea"
else "/var/lib/gitea"; else "/var/lib/gitea";
cfg = sp.modules.gitea;
in in
{ {
options.selfprivacy.modules.gitea = { options.selfprivacy.modules.gitea = {
@ -16,16 +15,12 @@ in
location = lib.mkOption { location = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
subdomain = lib.mkOption {
default = "git";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf config.selfprivacy.modules.gitea.enable {
fileSystems = lib.mkIf sp.useBinds { fileSystems = lib.mkIf sp.useBinds {
"/var/lib/gitea" = { "/var/lib/gitea" = {
device = "/volumes/${cfg.location}/gitea"; device = "/volumes/${sp.modules.gitea.location}/gitea";
options = [ "bind" ]; options = [ "bind" ];
}; };
}; };
@ -58,8 +53,8 @@ in
# cookieSecure = true; # cookieSecure = true;
settings = { settings = {
server = { server = {
DOMAIN = "${cfg.subdomain}.${sp.domain}"; DOMAIN = "git.${sp.domain}";
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/"; ROOT_URL = "https://git.${sp.domain}/";
HTTP_ADDR = "0.0.0.0"; HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000; HTTP_PORT = 3000;
}; };
@ -88,7 +83,7 @@ in
}; };
}; };
}; };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { services.nginx.virtualHosts."git.${sp.domain}" = {
useACMEHost = sp.domain; useACMEHost = sp.domain;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
@ -108,6 +103,6 @@ in
}; };
}; };
systemd.services.gitea.unitConfig.RequiresMountsFor = systemd.services.gitea.unitConfig.RequiresMountsFor =
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea"; lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
}; };
} }

11
sp-modules/jitsi-meet/module.nix
View File

@ -1,7 +1,6 @@
{ config, lib, ... }: { config, lib, ... }:
let let
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.jitsi-meet;
in in
{ {
options.selfprivacy.modules.jitsi-meet = { options.selfprivacy.modules.jitsi-meet = {
@ -9,23 +8,19 @@ in
default = false; default = false;
type = lib.types.bool; type = lib.types.bool;
}; };
subdomain = lib.mkOption {
default = "meet";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
services.jitsi-meet = { services.jitsi-meet = {
enable = true; enable = true;
hostName = "${cfg.subdomain}.${domain}"; hostName = "meet.${domain}";
nginx.enable = true; nginx.enable = true;
interfaceConfig = { interfaceConfig = {
SHOW_JITSI_WATERMARK = false; SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false; SHOW_WATERMARK_FOR_GUESTS = false;
}; };
}; };
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = { services.nginx.virtualHosts."meet.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = domain;
enableACME = false; enableACME = false;

9
sp-modules/nextcloud/module.nix
View File

@ -8,23 +8,18 @@
location = mkOption { location = mkOption {
type = types.str; type = types.str;
}; };
subdomain = lib.mkOption {
default = "cloud";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
}; };
config = config =
let let
inherit (import ./common.nix config) inherit (import ./common.nix config)
sp secrets-filepath db-pass-filepath admin-pass-filepath; sp secrets-filepath db-pass-filepath admin-pass-filepath;
cfg = sp.modules.nextcloud; hostName = "cloud.${sp.domain}";
hostName = "${cfg.subdomain}.${sp.domain}";
in in
lib.mkIf sp.modules.nextcloud.enable { lib.mkIf sp.modules.nextcloud.enable {
fileSystems = lib.mkIf sp.useBinds { fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = { "/var/lib/nextcloud" = {
device = "/volumes/${cfg.location}/nextcloud"; device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
options = [ options = [
"bind" "bind"
"x-systemd.required-by=nextcloud-setup.service" "x-systemd.required-by=nextcloud-setup.service"

11
sp-modules/ocserv/module.nix
View File

@ -3,7 +3,6 @@ let
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
key = "${config.security.acme.certs.${domain}.directory}/key.pem"; key = "${config.security.acme.certs.${domain}.directory}/key.pem";
cfg = config.selfprivacy.modules.ocserv;
in in
{ {
options.selfprivacy.modules.ocserv = { options.selfprivacy.modules.ocserv = {
@ -11,13 +10,9 @@ in
default = false; default = false;
type = lib.types.bool; type = lib.types.bool;
}; };
subdomain = lib.mkOption {
default = "vpn";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
users.groups.ocserv.members = [ "ocserv" ]; users.groups.ocserv.members = [ "ocserv" ];
users.users.ocserv = { users.users.ocserv = {
isNormalUser = false; isNormalUser = false;
@ -48,7 +43,7 @@ in
idle-timeout=1200 idle-timeout=1200
mobile-idle-timeout=2400 mobile-idle-timeout=2400
default-domain = ${cfg.subdomain}.${domain} default-domain = vpn.${domain}
device = vpn0 device = vpn0
@ -62,7 +57,7 @@ in
route = default route = default
''; '';
}; };
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = { services.nginx.virtualHosts."vpn.${domain}" = {
useACMEHost = domain; useACMEHost = domain;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''

17
sp-modules/pleroma/module.nix
View File

@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
secrets-filepath = "/etc/selfprivacy/secrets.json"; secrets-filepath = "/etc/selfprivacy/secrets.json";
cfg = config.selfprivacy.modules.pleroma;
inherit (import ./common.nix config) secrets-exs sp; inherit (import ./common.nix config) secrets-exs sp;
in in
{ {
@ -13,15 +12,11 @@ in
location = lib.mkOption { location = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
subdomain = lib.mkOption {
default = "social";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
fileSystems = lib.mkIf sp.useBinds { fileSystems = lib.mkIf sp.useBinds {
"/var/lib/pleroma" = { "/var/lib/pleroma" = {
device = "/volumes/${cfg.location}/pleroma"; device = "/volumes/${sp.modules.pleroma.location}/pleroma";
options = [ options = [
"bind" "bind"
"x-systemd.required-by=pleroma-secrets.service" "x-systemd.required-by=pleroma-secrets.service"
@ -31,7 +26,7 @@ in
]; ];
}; };
"/var/lib/postgresql" = { "/var/lib/postgresql" = {
device = "/volumes/${cfg.location}/postgresql"; device = "/volumes/${sp.modules.pleroma.location}/postgresql";
options = [ options = [
"bind" "bind"
"x-systemd.required-by=pleroma-secrets.service" "x-systemd.required-by=pleroma-secrets.service"
@ -107,9 +102,9 @@ in
}; };
# seems to be an upstream nixpkgs/nixos bug (missing hexdump) # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ]; systemd.services.pleroma.path = [ pkgs.util-linux ];
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = { services.nginx.virtualHosts."social.${sp.domain}" = {
useACMEHost = sp.domain; useACMEHost = config.selfprivacy.domain;
root = "/var/www/${cfg.subdomain}.${sp.domain}"; root = "/var/www/social.${sp.domain}";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;