13 Commits
inex/test-
...
flakes
Author | SHA1 | Date |
---|---|---|
Inex Code | ce3231774e | |
Inex Code | f8223192e5 | |
Alexander | 4c183d5b40 | |
Inex Code | 5e005dc436 | |
Inex Code | 6619760f47 | |
Inex Code | 3b4466b49d | |
Inex Code | 5d9c385d08 | |
Inex Code | 3a7876aeb4 | |
Inex Code | c7583bf501 | |
Alexander | ad43d31c0c | |
Inex Code | 2159c4cc6e | |
Inex Code | 3d6f47e0e7 | |
Inex Code | f103f708da |
16
flake.lock
16
flake.lock
|
@ -2,11 +2,11 @@
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1704420045,
|
"lastModified": 1714531828,
|
||||||
"narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=",
|
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d",
|
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -28,11 +28,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1705313551,
|
"lastModified": 1709843377,
|
||||||
"narHash": "sha256-la/XZyI5bEgwMOO/v6kOb0gZgzfaOTD9wxPxGNL0N5M=",
|
"narHash": "sha256-lQGd4xtKWsIlD5vVurrA/xtNYxYFGfLGyev4oOUeMmY=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "master",
|
||||||
"rev": "e3761a200c1ce244b285772a0c731a10e6169ef3",
|
"rev": "1f1fcc223be4c6ae65eef1d50918aed0826e5ad1",
|
||||||
"revCount": 1169,
|
"revCount": 1259,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -9,12 +9,17 @@ let
|
||||||
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
|
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
|
||||||
CLOUDFLARE_POLLING_INTERVAL=30
|
CLOUDFLARE_POLLING_INTERVAL=30
|
||||||
'';
|
'';
|
||||||
DESEC = "DESEC_TOKEN=$TOKEN";
|
DESEC = ''
|
||||||
|
DESEC_TOKEN=$TOKEN
|
||||||
|
DESEC_POLLING_INTERVAL=30
|
||||||
|
DESEC_PROPAGATION_TIMEOUT=180
|
||||||
|
DESEC_TTL=3600
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
||||||
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
|
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
|
||||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
|
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
users.groups.acmereceivers.members = [ "nginx" ];
|
users.groups.acmereceivers.members = [ "nginx" ];
|
||||||
|
|
|
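Review bot: DESEC is added to dnsPropagationCheckExceptions in the same hunk that sets DESEC_PROPAGATION_TIMEOUT=180 and DESEC_TTL=3600 in the new template, and nothing records why both are needed or where those numbers come from, so the next person touching either list cannot tell whether dropping one would break issuance. Add a comment above the `DESEC = ''` entry, e.g. `# deSEC: lego's own propagation check is skipped (see dnsPropagationCheckExceptions); timeout/TTL here drive the provider-side wait — TTL presumably deSEC's minimum, confirm`, and keep it next to the values. The let block enclosing these bindings starts before this hunk, so how the acme-env file at acme-env-filepath receives the substituted $TOKEN and with what permissions is not visible here.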
@ -2,6 +2,7 @@
|
||||||
let
|
let
|
||||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||||
backup-dir = "/var/lib/bitwarden/backup";
|
backup-dir = "/var/lib/bitwarden/backup";
|
||||||
|
cfg = sp.modules.bitwarden;
|
||||||
inherit (import ./common.nix config) bitwarden-env sp;
|
inherit (import ./common.nix config) bitwarden-env sp;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -13,12 +14,16 @@ in
|
||||||
location = lib.mkOption {
|
location = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "password";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
||||||
fileSystems = lib.mkIf sp.useBinds {
|
fileSystems = lib.mkIf sp.useBinds {
|
||||||
"/var/lib/bitwarden" = {
|
"/var/lib/bitwarden" = {
|
||||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
|
device = "/volumes/${cfg.location}/bitwarden";
|
||||||
options = [
|
options = [
|
||||||
"bind"
|
"bind"
|
||||||
"x-systemd.required-by=bitwarden-secrets.service"
|
"x-systemd.required-by=bitwarden-secrets.service"
|
||||||
|
@ -30,7 +35,7 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"/var/lib/bitwarden_rs" = {
|
"/var/lib/bitwarden_rs" = {
|
||||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
|
device = "/volumes/${cfg.location}/bitwarden_rs";
|
||||||
options = [
|
options = [
|
||||||
"bind"
|
"bind"
|
||||||
"x-systemd.required-by=bitwarden-secrets.service"
|
"x-systemd.required-by=bitwarden-secrets.service"
|
||||||
|
@ -48,7 +53,7 @@ in
|
||||||
backupDir = backup-dir;
|
backupDir = backup-dir;
|
||||||
environmentFile = "${bitwarden-env}";
|
environmentFile = "${bitwarden-env}";
|
||||||
config = {
|
config = {
|
||||||
domain = "https://password.${sp.domain}/";
|
domain = "https://${cfg.subdomain}.${sp.domain}/";
|
||||||
signupsAllowed = true;
|
signupsAllowed = true;
|
||||||
rocketPort = 8222;
|
rocketPort = 8222;
|
||||||
};
|
};
|
||||||
|
@ -76,14 +81,14 @@ in
|
||||||
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||||
useACMEHost = sp.domain;
|
useACMEHost = sp.domain;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
|
|
|
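Review bot: The X-Frame-Options header for the vault host is relaxed from DENY to SAMEORIGIN in the last hunk (`@ -76,14 +81,14 @@`) with no comment or commit text saying what needs same-origin framing, while the Content-Security-Policy line that would carry a matching `frame-ancestors` directive stays commented out directly above it; for a password-manager UI the framing policy deserves a stated reason. If the web vault really frames its own pages, say so beside the header, e.g. `# SAMEORIGIN: the web vault embeds its own pages; do not relax further`, otherwise keep DENY. Separately, the second hunk still gates on `config.selfprivacy.modules.bitwarden.enable` although `cfg` is now defined two lines above, unlike the gitea, jitsi-meet, ocserv and pleroma files in this compare which switched to `cfg.enable`. The extraConfig string continues past the hunk.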
@ -3,8 +3,9 @@ let
|
||||||
sp = config.selfprivacy;
|
sp = config.selfprivacy;
|
||||||
stateDir =
|
stateDir =
|
||||||
if sp.useBinds
|
if sp.useBinds
|
||||||
then "/volumes/${sp.modules.gitea.location}/gitea"
|
then "/volumes/${cfg.location}/gitea"
|
||||||
else "/var/lib/gitea";
|
else "/var/lib/gitea";
|
||||||
|
cfg = sp.modules.gitea;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.selfprivacy.modules.gitea = {
|
options.selfprivacy.modules.gitea = {
|
||||||
|
@ -15,12 +16,16 @@ in
|
||||||
location = lib.mkOption {
|
location = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "git";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.selfprivacy.modules.gitea.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
fileSystems = lib.mkIf sp.useBinds {
|
fileSystems = lib.mkIf sp.useBinds {
|
||||||
"/var/lib/gitea" = {
|
"/var/lib/gitea" = {
|
||||||
device = "/volumes/${sp.modules.gitea.location}/gitea";
|
device = "/volumes/${cfg.location}/gitea";
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -53,8 +58,8 @@ in
|
||||||
# cookieSecure = true;
|
# cookieSecure = true;
|
||||||
settings = {
|
settings = {
|
||||||
server = {
|
server = {
|
||||||
DOMAIN = "git.${sp.domain}";
|
DOMAIN = "${cfg.subdomain}.${sp.domain}";
|
||||||
ROOT_URL = "https://git.${sp.domain}/";
|
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
|
||||||
HTTP_ADDR = "0.0.0.0";
|
HTTP_ADDR = "0.0.0.0";
|
||||||
HTTP_PORT = 3000;
|
HTTP_PORT = 3000;
|
||||||
};
|
};
|
||||||
|
@ -83,7 +88,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||||
useACMEHost = sp.domain;
|
useACMEHost = sp.domain;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -103,6 +108,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.gitea.unitConfig.RequiresMountsFor =
|
systemd.services.gitea.unitConfig.RequiresMountsFor =
|
||||||
lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
|
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
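Review bot: The subdomain option added in the second hunk repeats the literal `lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]"` that the bitwarden, jitsi-meet, nextcloud, ocserv and pleroma files in this compare also add verbatim, and none of the six carries a `description`. As far as I can tell the `\-` only reaches the regex as a plain `-` because Nix passes unknown escapes in double-quoted strings through unchanged, so write the class as `[A-Za-z0-9-]` rather than relying on that, and note that the pattern requires at least two characters, so a one-letter label is rejected. A description such as `description = "DNS label under the main domain: 2-63 alphanumerics or hyphens, no leading or trailing hyphen";` would make that contract visible to users, and defining the type once in a shared place would keep the six copies from drifting apart.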
@ -1,6 +1,7 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
let
|
||||||
domain = config.selfprivacy.domain;
|
domain = config.selfprivacy.domain;
|
||||||
|
cfg = config.selfprivacy.modules.jitsi-meet;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.selfprivacy.modules.jitsi-meet = {
|
options.selfprivacy.modules.jitsi-meet = {
|
||||||
|
@ -8,19 +9,23 @@ in
|
||||||
default = false;
|
default = false;
|
||||||
type = lib.types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "meet";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
services.jitsi-meet = {
|
services.jitsi-meet = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = "meet.${domain}";
|
hostName = "${cfg.subdomain}.${domain}";
|
||||||
nginx.enable = true;
|
nginx.enable = true;
|
||||||
interfaceConfig = {
|
interfaceConfig = {
|
||||||
SHOW_JITSI_WATERMARK = false;
|
SHOW_JITSI_WATERMARK = false;
|
||||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."meet.${domain}" = {
|
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = domain;
|
||||||
enableACME = false;
|
enableACME = false;
|
||||||
|
|
|
@ -8,18 +8,23 @@
|
||||||
location = mkOption {
|
location = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "cloud";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config =
|
config =
|
||||||
let
|
let
|
||||||
inherit (import ./common.nix config)
|
inherit (import ./common.nix config)
|
||||||
sp secrets-filepath db-pass-filepath admin-pass-filepath;
|
sp secrets-filepath db-pass-filepath admin-pass-filepath;
|
||||||
hostName = "cloud.${sp.domain}";
|
cfg = sp.modules.nextcloud;
|
||||||
|
hostName = "${cfg.subdomain}.${sp.domain}";
|
||||||
in
|
in
|
||||||
lib.mkIf sp.modules.nextcloud.enable {
|
lib.mkIf sp.modules.nextcloud.enable {
|
||||||
fileSystems = lib.mkIf sp.useBinds {
|
fileSystems = lib.mkIf sp.useBinds {
|
||||||
"/var/lib/nextcloud" = {
|
"/var/lib/nextcloud" = {
|
||||||
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
|
device = "/volumes/${cfg.location}/nextcloud";
|
||||||
options = [
|
options = [
|
||||||
"bind"
|
"bind"
|
||||||
"x-systemd.required-by=nextcloud-setup.service"
|
"x-systemd.required-by=nextcloud-setup.service"
|
||||||
|
|
|
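Review bot: `lib.mkIf sp.modules.nextcloud.enable {` in the second hunk is left unchanged although `cfg` is introduced two lines above it for exactly this path; use `lib.mkIf cfg.enable {` to match what the gitea, jitsi-meet, ocserv and pleroma files in this compare do. In the first hunk the new option is written as `lib.mkOption`/`lib.types.strMatching` while the adjacent `location` option uses the bare `mkOption`/`types.str` this file already has in scope, so two styles now sit side by side in one attrset; pick one. The config let block and the attrset it returns continue past the hunk.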
@ -3,6 +3,7 @@ let
|
||||||
domain = config.selfprivacy.domain;
|
domain = config.selfprivacy.domain;
|
||||||
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
||||||
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||||
|
cfg = config.selfprivacy.modules.ocserv;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.selfprivacy.modules.ocserv = {
|
options.selfprivacy.modules.ocserv = {
|
||||||
|
@ -10,9 +11,13 @@ in
|
||||||
default = false;
|
default = false;
|
||||||
type = lib.types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "vpn";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
users.groups.ocserv.members = [ "ocserv" ];
|
users.groups.ocserv.members = [ "ocserv" ];
|
||||||
users.users.ocserv = {
|
users.users.ocserv = {
|
||||||
isNormalUser = false;
|
isNormalUser = false;
|
||||||
|
@ -43,7 +48,7 @@ in
|
||||||
idle-timeout=1200
|
idle-timeout=1200
|
||||||
mobile-idle-timeout=2400
|
mobile-idle-timeout=2400
|
||||||
|
|
||||||
default-domain = vpn.${domain}
|
default-domain = ${cfg.subdomain}.${domain}
|
||||||
|
|
||||||
device = vpn0
|
device = vpn0
|
||||||
|
|
||||||
|
@ -57,7 +62,7 @@ in
|
||||||
route = default
|
route = default
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||||
useACMEHost = domain;
|
useACMEHost = domain;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||||
|
cfg = config.selfprivacy.modules.pleroma;
|
||||||
inherit (import ./common.nix config) secrets-exs sp;
|
inherit (import ./common.nix config) secrets-exs sp;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -12,11 +13,15 @@ in
|
||||||
location = lib.mkOption {
|
location = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
default = "social";
|
||||||
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
fileSystems = lib.mkIf sp.useBinds {
|
fileSystems = lib.mkIf sp.useBinds {
|
||||||
"/var/lib/pleroma" = {
|
"/var/lib/pleroma" = {
|
||||||
device = "/volumes/${sp.modules.pleroma.location}/pleroma";
|
device = "/volumes/${cfg.location}/pleroma";
|
||||||
options = [
|
options = [
|
||||||
"bind"
|
"bind"
|
||||||
"x-systemd.required-by=pleroma-secrets.service"
|
"x-systemd.required-by=pleroma-secrets.service"
|
||||||
|
@ -26,7 +31,7 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"/var/lib/postgresql" = {
|
"/var/lib/postgresql" = {
|
||||||
device = "/volumes/${sp.modules.pleroma.location}/postgresql";
|
device = "/volumes/${cfg.location}/postgresql";
|
||||||
options = [
|
options = [
|
||||||
"bind"
|
"bind"
|
||||||
"x-systemd.required-by=pleroma-secrets.service"
|
"x-systemd.required-by=pleroma-secrets.service"
|
||||||
|
@ -102,9 +107,9 @@ in
|
||||||
};
|
};
|
||||||
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
||||||
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
||||||
services.nginx.virtualHosts."social.${sp.domain}" = {
|
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||||
useACMEHost = config.selfprivacy.domain;
|
useACMEHost = sp.domain;
|
||||||
root = "/var/www/social.${sp.domain}";
|
root = "/var/www/${cfg.subdomain}.${sp.domain}";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
|
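Review bot: `root = "/var/www/${cfg.subdomain}.${sp.domain}";` in the last hunk makes the nginx document root follow the configurable subdomain, but where that directory is created or populated is not visible here; if it is provisioned elsewhere under the fixed `social.` name, changing the option would point nginx at a path that does not exist and nothing would fail at evaluation time. Either derive both from one binding, e.g. `hostName = "${cfg.subdomain}.${sp.domain};` in the let block and reuse it for the virtualHost name and the root, or add a comment on the root line stating where the directory comes from. The virtualHost attrset and its extraConfig continue past the hunk.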