Compare commits
13 Commits
inex/test-
...
flakes
Author | SHA1 | Date |
---|---|---|
Inex Code | ce3231774e | |
Inex Code | f8223192e5 | |
Alexander | 4c183d5b40 | |
Inex Code | 5e005dc436 | |
Inex Code | 6619760f47 | |
Inex Code | 3b4466b49d | |
Inex Code | 5d9c385d08 | |
Inex Code | 3a7876aeb4 | |
Inex Code | c7583bf501 | |
Alexander | ad43d31c0c | |
Inex Code | 2159c4cc6e | |
Inex Code | 3d6f47e0e7 | |
Inex Code | f103f708da |
16
flake.lock
16
flake.lock
|
@ -2,11 +2,11 @@
|
|||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1704420045,
|
||||
"narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=",
|
||||
"lastModified": 1714531828,
|
||||
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d",
|
||||
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -28,11 +28,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705313551,
|
||||
"narHash": "sha256-la/XZyI5bEgwMOO/v6kOb0gZgzfaOTD9wxPxGNL0N5M=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "e3761a200c1ce244b285772a0c731a10e6169ef3",
|
||||
"revCount": 1169,
|
||||
"lastModified": 1709843377,
|
||||
"narHash": "sha256-lQGd4xtKWsIlD5vVurrA/xtNYxYFGfLGyev4oOUeMmY=",
|
||||
"ref": "master",
|
||||
"rev": "1f1fcc223be4c6ae65eef1d50918aed0826e5ad1",
|
||||
"revCount": 1259,
|
||||
"type": "git",
|
||||
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
||||
},
|
||||
|
|
|
@ -9,12 +9,17 @@ let
|
|||
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
|
||||
CLOUDFLARE_POLLING_INTERVAL=30
|
||||
'';
|
||||
DESEC = "DESEC_TOKEN=$TOKEN";
|
||||
DESEC = ''
|
||||
DESEC_TOKEN=$TOKEN
|
||||
DESEC_POLLING_INTERVAL=30
|
||||
DESEC_PROPAGATION_TIMEOUT=180
|
||||
DESEC_TTL=3600
|
||||
'';
|
||||
};
|
||||
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
||||
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
|
||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
|
||||
in
|
||||
{
|
||||
users.groups.acmereceivers.members = [ "nginx" ];
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
backup-dir = "/var/lib/bitwarden/backup";
|
||||
cfg = sp.modules.bitwarden;
|
||||
inherit (import ./common.nix config) bitwarden-env sp;
|
||||
in
|
||||
{
|
||||
|
@ -13,12 +14,16 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "password";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/bitwarden" = {
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
|
||||
device = "/volumes/${cfg.location}/bitwarden";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=bitwarden-secrets.service"
|
||||
|
@ -30,7 +35,7 @@ in
|
|||
];
|
||||
};
|
||||
"/var/lib/bitwarden_rs" = {
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
|
||||
device = "/volumes/${cfg.location}/bitwarden_rs";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=bitwarden-secrets.service"
|
||||
|
@ -48,7 +53,7 @@ in
|
|||
backupDir = backup-dir;
|
||||
environmentFile = "${bitwarden-env}";
|
||||
config = {
|
||||
domain = "https://password.${sp.domain}/";
|
||||
domain = "https://${cfg.subdomain}.${sp.domain}/";
|
||||
signupsAllowed = true;
|
||||
rocketPort = 8222;
|
||||
};
|
||||
|
@ -76,14 +81,14 @@ in
|
|||
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
|
|
|
@ -3,8 +3,9 @@ let
|
|||
sp = config.selfprivacy;
|
||||
stateDir =
|
||||
if sp.useBinds
|
||||
then "/volumes/${sp.modules.gitea.location}/gitea"
|
||||
then "/volumes/${cfg.location}/gitea"
|
||||
else "/var/lib/gitea";
|
||||
cfg = sp.modules.gitea;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.gitea = {
|
||||
|
@ -15,12 +16,16 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "git";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.gitea.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/gitea" = {
|
||||
device = "/volumes/${sp.modules.gitea.location}/gitea";
|
||||
device = "/volumes/${cfg.location}/gitea";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
@ -53,8 +58,8 @@ in
|
|||
# cookieSecure = true;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "git.${sp.domain}";
|
||||
ROOT_URL = "https://git.${sp.domain}/";
|
||||
DOMAIN = "${cfg.subdomain}.${sp.domain}";
|
||||
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
};
|
||||
|
@ -83,7 +88,7 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
@ -103,6 +108,6 @@ in
|
|||
};
|
||||
};
|
||||
systemd.services.gitea.unitConfig.RequiresMountsFor =
|
||||
lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
|
||||
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.domain;
|
||||
cfg = config.selfprivacy.modules.jitsi-meet;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.jitsi-meet = {
|
||||
|
@ -8,19 +9,23 @@ in
|
|||
default = false;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "meet";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "meet.${domain}";
|
||||
hostName = "${cfg.subdomain}.${domain}";
|
||||
nginx.enable = true;
|
||||
interfaceConfig = {
|
||||
SHOW_JITSI_WATERMARK = false;
|
||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."meet.${domain}" = {
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
enableACME = false;
|
||||
|
|
|
@ -8,18 +8,23 @@
|
|||
location = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "cloud";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
let
|
||||
inherit (import ./common.nix config)
|
||||
sp secrets-filepath db-pass-filepath admin-pass-filepath;
|
||||
hostName = "cloud.${sp.domain}";
|
||||
cfg = sp.modules.nextcloud;
|
||||
hostName = "${cfg.subdomain}.${sp.domain}";
|
||||
in
|
||||
lib.mkIf sp.modules.nextcloud.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/nextcloud" = {
|
||||
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
|
||||
device = "/volumes/${cfg.location}/nextcloud";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=nextcloud-setup.service"
|
||||
|
|
|
@ -3,6 +3,7 @@ let
|
|||
domain = config.selfprivacy.domain;
|
||||
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
||||
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||
cfg = config.selfprivacy.modules.ocserv;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.ocserv = {
|
||||
|
@ -10,9 +11,13 @@ in
|
|||
default = false;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "vpn";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.groups.ocserv.members = [ "ocserv" ];
|
||||
users.users.ocserv = {
|
||||
isNormalUser = false;
|
||||
|
@ -43,7 +48,7 @@ in
|
|||
idle-timeout=1200
|
||||
mobile-idle-timeout=2400
|
||||
|
||||
default-domain = vpn.${domain}
|
||||
default-domain = ${cfg.subdomain}.${domain}
|
||||
|
||||
device = vpn0
|
||||
|
||||
|
@ -57,7 +62,7 @@ in
|
|||
route = default
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
useACMEHost = domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
cfg = config.selfprivacy.modules.pleroma;
|
||||
inherit (import ./common.nix config) secrets-exs sp;
|
||||
in
|
||||
{
|
||||
|
@ -12,11 +13,15 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "social";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/pleroma" = {
|
||||
device = "/volumes/${sp.modules.pleroma.location}/pleroma";
|
||||
device = "/volumes/${cfg.location}/pleroma";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=pleroma-secrets.service"
|
||||
|
@ -26,7 +31,7 @@ in
|
|||
];
|
||||
};
|
||||
"/var/lib/postgresql" = {
|
||||
device = "/volumes/${sp.modules.pleroma.location}/postgresql";
|
||||
device = "/volumes/${cfg.location}/postgresql";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=pleroma-secrets.service"
|
||||
|
@ -102,9 +107,9 @@ in
|
|||
};
|
||||
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
||||
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
||||
services.nginx.virtualHosts."social.${sp.domain}" = {
|
||||
useACMEHost = config.selfprivacy.domain;
|
||||
root = "/var/www/social.${sp.domain}";
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
root = "/var/www/${cfg.subdomain}.${sp.domain}";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
Loading…
Reference in New Issue