SelfPrivacy
/
selfprivacy-nixos-config
6
3
Fork 6
Code Issues 19 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

merge into: SelfPrivacy:inex/test-systemd-rebuild
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing
...
pull from: SelfPrivacy:flakes
Branches Tags
SelfPrivacy:flakes
SelfPrivacy:inex/test-collect-garbage
SelfPrivacy:inex/test-autobackup
SelfPrivacy:inex/test-systemd-rebuild
SelfPrivacy:master
SelfPrivacy:pre-release
SelfPrivacy:flake-to-override-folder
SelfPrivacy:flake-to-override
SelfPrivacy:systemd-limits
SelfPrivacy:ldap
SelfPrivacy:api-redis
SelfPrivacy:pleroma-fixes
SelfPrivacy:development
SelfPrivacy:rolling-testing

13 Commits
inex/test- ... flakes

Author SHA1 Message Date
Inex Code ce3231774e chore: update nixpkgs 2024-05-02 22:34:36 +03:00
Inex Code f8223192e5 fix: Add DeSEC to dnsPropagationCheckExceptions 
Probably a temp fix to #59
 2024-05-02 22:31:30 +03:00
Alexander 4c183d5b40 fix deSEC: DESEC_POLLING_INTERVAL=30, propagation timeout and TTL 2024-03-12 19:58:37 +04:00
Inex Code 5e005dc436 chore: update API 3.1.0 2024-03-07 23:52:30 +03:00
Inex Code 6619760f47 Revert "try fix" 
This reverts commit 3b4466b49d.
 2024-02-23 20:46:24 +03:00
Inex Code 3b4466b49d try fix 2024-02-23 20:45:38 +03:00
Inex Code 5d9c385d08 Revert "chore: update API 3.0.1" 
This reverts commit 3a7876aeb4.
 2024-02-23 20:40:26 +03:00
Inex Code 3a7876aeb4 chore: update API 3.0.1 2024-02-23 20:22:35 +03:00
Inex Code c7583bf501 Merge pull request 'modules: parameterize all subdomains' (#54) from subdomains into flakes 
Reviewed-on: #54
 2024-02-20 17:51:47 +02:00
Alexander ad43d31c0c modules: parameterize all subdomains 2024-02-20 14:42:37 +04:00
Inex Code 2159c4cc6e Merge pull request 'Bitwarden: Fix webauthn login' (#55) from fix-bitwarden into flakes 
Reviewed-on: #55
 2024-02-19 14:29:27 +02:00
Inex Code 3d6f47e0e7 chore: update nixpkgs 2024-02-19 15:23:38 +03:00
Inex Code f103f708da fix(bitwarden): Webauthn login didn't work 2024-02-19 15:23:25 +03:00
8 changed files with 71 additions and 36 deletions
Show Stats Expand all files Collapse all files

16
flake.lock
View File

@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1704420045,
"narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=",
"lastModified": 1714531828,
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d",
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
"type": "github"
},
"original": {
@ -28,11 +28,11 @@
]
},
"locked": {
"lastModified": 1705313551,
"narHash": "sha256-la/XZyI5bEgwMOO/v6kOb0gZgzfaOTD9wxPxGNL0N5M=",
"ref": "refs/heads/master",
"rev": "e3761a200c1ce244b285772a0c731a10e6169ef3",
"revCount": 1169,
"lastModified": 1709843377,
"narHash": "sha256-lQGd4xtKWsIlD5vVurrA/xtNYxYFGfLGyev4oOUeMmY=",
"ref": "master",
"rev": "1f1fcc223be4c6ae65eef1d50918aed0826e5ad1",
"revCount": 1259,
"type": "git",
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
},

9
letsencrypt/acme.nix
View File

@ -9,12 +9,17 @@ let
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
CLOUDFLARE_POLLING_INTERVAL=30
'';
DESEC = "DESEC_TOKEN=$TOKEN";
DESEC = ''
DESEC_TOKEN=$TOKEN
DESEC_POLLING_INTERVAL=30
DESEC_PROPAGATION_TIMEOUT=180
DESEC_TTL=3600
'';
};
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
secrets-filepath = "/etc/selfprivacy/secrets.json";
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
in
{
users.groups.acmereceivers.members = [ "nginx" ];

15
sp-modules/bitwarden/module.nix
View File

@ -2,6 +2,7 @@
let
secrets-filepath = "/etc/selfprivacy/secrets.json";
backup-dir = "/var/lib/bitwarden/backup";
cfg = sp.modules.bitwarden;
inherit (import ./common.nix config) bitwarden-env sp;
in
{
@ -13,12 +14,16 @@ in
location = lib.mkOption {
type = lib.types.str;
};
subdomain = lib.mkOption {
default = "password";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/bitwarden" = {
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
device = "/volumes/${cfg.location}/bitwarden";
options = [
"bind"
"x-systemd.required-by=bitwarden-secrets.service"
@ -30,7 +35,7 @@ in
];
};
"/var/lib/bitwarden_rs" = {
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
device = "/volumes/${cfg.location}/bitwarden_rs";
options = [
"bind"
"x-systemd.required-by=bitwarden-secrets.service"
@ -48,7 +53,7 @@ in
backupDir = backup-dir;
environmentFile = "${bitwarden-env}";
config = {
domain = "https://password.${sp.domain}/";
domain = "https://${cfg.subdomain}.${sp.domain}/";
signupsAllowed = true;
rocketPort = 8222;
};
@ -76,14 +81,14 @@ in
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
'';
};
services.nginx.virtualHosts."password.${sp.domain}" = {
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

19
sp-modules/gitea/module.nix
View File

@ -3,8 +3,9 @@ let
sp = config.selfprivacy;
stateDir =
if sp.useBinds
then "/volumes/${sp.modules.gitea.location}/gitea"
then "/volumes/${cfg.location}/gitea"
else "/var/lib/gitea";
cfg = sp.modules.gitea;
in
{
options.selfprivacy.modules.gitea = {
@ -15,12 +16,16 @@ in
location = lib.mkOption {
type = lib.types.str;
};
subdomain = lib.mkOption {
default = "git";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config = lib.mkIf config.selfprivacy.modules.gitea.enable {
config = lib.mkIf cfg.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/gitea" = {
device = "/volumes/${sp.modules.gitea.location}/gitea";
device = "/volumes/${cfg.location}/gitea";
options = [ "bind" ];
};
};
@ -53,8 +58,8 @@ in
# cookieSecure = true;
settings = {
server = {
DOMAIN = "git.${sp.domain}";
ROOT_URL = "https://git.${sp.domain}/";
DOMAIN = "${cfg.subdomain}.${sp.domain}";
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000;
};
@ -83,7 +88,7 @@ in
};
};
};
services.nginx.virtualHosts."git.${sp.domain}" = {
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
@ -103,6 +108,6 @@ in
};
};
systemd.services.gitea.unitConfig.RequiresMountsFor =
lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
};
}

11
sp-modules/jitsi-meet/module.nix
View File

@ -1,6 +1,7 @@
{ config, lib, ... }:
let
domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.jitsi-meet;
in
{
options.selfprivacy.modules.jitsi-meet = {
@ -8,19 +9,23 @@ in
default = false;
type = lib.types.bool;
};
subdomain = lib.mkOption {
default = "meet";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
config = lib.mkIf cfg.enable {
services.jitsi-meet = {
enable = true;
hostName = "meet.${domain}";
hostName = "${cfg.subdomain}.${domain}";
nginx.enable = true;
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
services.nginx.virtualHosts."meet.${domain}" = {
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;

9
sp-modules/nextcloud/module.nix
View File

@ -8,18 +8,23 @@
location = mkOption {
type = types.str;
};
subdomain = lib.mkOption {
default = "cloud";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config =
let
inherit (import ./common.nix config)
sp secrets-filepath db-pass-filepath admin-pass-filepath;
hostName = "cloud.${sp.domain}";
cfg = sp.modules.nextcloud;
hostName = "${cfg.subdomain}.${sp.domain}";
in
lib.mkIf sp.modules.nextcloud.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
device = "/volumes/${cfg.location}/nextcloud";
options = [
"bind"
"x-systemd.required-by=nextcloud-setup.service"

11
sp-modules/ocserv/module.nix
View File

@ -3,6 +3,7 @@ let
domain = config.selfprivacy.domain;
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
cfg = config.selfprivacy.modules.ocserv;
in
{
options.selfprivacy.modules.ocserv = {
@ -10,9 +11,13 @@ in
default = false;
type = lib.types.bool;
};
subdomain = lib.mkOption {
default = "vpn";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
config = lib.mkIf cfg.enable {
users.groups.ocserv.members = [ "ocserv" ];
users.users.ocserv = {
isNormalUser = false;
@ -43,7 +48,7 @@ in
idle-timeout=1200
mobile-idle-timeout=2400
default-domain = vpn.${domain}
default-domain = ${cfg.subdomain}.${domain}
device = vpn0
@ -57,7 +62,7 @@ in
route = default
'';
};
services.nginx.virtualHosts."vpn.${domain}" = {
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
useACMEHost = domain;
forceSSL = true;
extraConfig = ''

17
sp-modules/pleroma/module.nix
View File

@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
let
secrets-filepath = "/etc/selfprivacy/secrets.json";
cfg = config.selfprivacy.modules.pleroma;
inherit (import ./common.nix config) secrets-exs sp;
in
{
@ -12,11 +13,15 @@ in
location = lib.mkOption {
type = lib.types.str;
};
subdomain = lib.mkOption {
default = "social";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
config = lib.mkIf cfg.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/pleroma" = {
device = "/volumes/${sp.modules.pleroma.location}/pleroma";
device = "/volumes/${cfg.location}/pleroma";
options = [
"bind"
"x-systemd.required-by=pleroma-secrets.service"
@ -26,7 +31,7 @@ in
];
};
"/var/lib/postgresql" = {
device = "/volumes/${sp.modules.pleroma.location}/postgresql";
device = "/volumes/${cfg.location}/postgresql";
options = [
"bind"
"x-systemd.required-by=pleroma-secrets.service"
@ -102,9 +107,9 @@ in
};
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ];
services.nginx.virtualHosts."social.${sp.domain}" = {
useACMEHost = config.selfprivacy.domain;
root = "/var/www/social.${sp.domain}";
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
root = "/var/www/${cfg.subdomain}.${sp.domain}";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;