add script, which prints SP API token

chore: update API 3.2.1 and update nixpkgs
chore: update API 3.2.0 and update nixpkgs
2024-05-30 04:11:41 +04:00 · 2024-05-24 22:54:45 +03:00 · 2024-05-22 11:40:21 +03:00 · 2024-05-02 22:34:36 +03:00 · 2024-05-02 22:31:30 +03:00 · 2024-03-12 19:58:37 +04:00
9 changed files with 89 additions and 37 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -1,4 +1,20 @@
 { config, pkgs, lib, ... }:
+let
+  redis-sp-api-srv-name = "sp-api";
+  sp-print-api-token = pkgs.writeShellApplication {
+    name = "sp-print-api-token";
+    runtimeInputs = with pkgs; [ redis ];
+    text = ''
+      hash_token="$(redis-cli -s /run/redis-${redis-sp-api-srv-name}/redis.sock keys "token_repo:tokens:*" | head -n 1)"
+      hash_token="''${hash_token#"token_repo:tokens:"}"
+
+      token="$(redis-cli -s /run/redis-${redis-sp-api-srv-name}/redis.sock HGETALL "token_repo:tokens:$hash_token")"
+      token="$(echo "$token" | sed -n '2p')"
+
+      echo "$token"
+    '';
+  };
+in
 {
  imports = [
    ./selfprivacy-module.nix
@ -15,7 +31,7 @@

  services.selfprivacy-api.enable = true;

-  services.redis.servers.sp-api = {
+  services.redis.servers.${redis-sp-api-srv-name} = {
    enable = true;
    save = [
      [
@ -68,6 +84,7 @@
  environment.systemPackages = with pkgs; [
    git
    jq
+    sp-print-api-token
  ];
  # consider environment.defaultPackages = lib.mkForce [];
  documentation.enable = false; # no {man,info}-pages & docs, etc to save space
--- a/flake.lock
+++ b/flake.lock
@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1704420045,
-        "narHash": "sha256-C36QmoJd5tdQ5R9MC1jM7fBkZW9zBUqbUCsgwS6j4QU=",
+        "lastModified": 1716361217,
+        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c1be43e8e837b8dbee2b3665a007e761680f0c3d",
+        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
        "type": "github"
      },
      "original": {
@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705313551,
-        "narHash": "sha256-la/XZyI5bEgwMOO/v6kOb0gZgzfaOTD9wxPxGNL0N5M=",
-        "ref": "refs/heads/master",
-        "rev": "e3761a200c1ce244b285772a0c731a10e6169ef3",
-        "revCount": 1169,
+        "lastModified": 1716580438,
+        "narHash": "sha256-wWKhCiRmjrFgnHUgcxBb2mtBy9uTrY93yxpMYh/wpVY=",
+        "ref": "master",
+        "rev": "4f1d44ce74432e745f0be3b192f8cc4ae06fd169",
+        "revCount": 1304,
        "type": "git",
        "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
      },
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -9,12 +9,17 @@ let
      CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
      CLOUDFLARE_POLLING_INTERVAL=30
    '';
-    DESEC = "DESEC_TOKEN=$TOKEN";
+    DESEC = ''
+      DESEC_TOKEN=$TOKEN
+      DESEC_POLLING_INTERVAL=30
+      DESEC_PROPAGATION_TIMEOUT=180
+      DESEC_TTL=3600
+    '';
  };
  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
  acme-env-filepath = "/var/lib/selfprivacy/acme-env";
  secrets-filepath = "/etc/selfprivacy/secrets.json";
-  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
+  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" "DESEC" ];
 in
 {
  users.groups.acmereceivers.members = [ "nginx" ];
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@ -2,6 +2,7 @@
 let
  secrets-filepath = "/etc/selfprivacy/secrets.json";
  backup-dir = "/var/lib/bitwarden/backup";
+  cfg = sp.modules.bitwarden;
  inherit (import ./common.nix config) bitwarden-env sp;
 in
 {
@ -13,12 +14,16 @@ in
    location = lib.mkOption {
      type = lib.types.str;
    };
+    subdomain = lib.mkOption {
+      default = "password";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
  };

  config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
    fileSystems = lib.mkIf sp.useBinds {
      "/var/lib/bitwarden" = {
-        device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
+        device = "/volumes/${cfg.location}/bitwarden";
        options = [
          "bind"
          "x-systemd.required-by=bitwarden-secrets.service"
@ -30,7 +35,7 @@ in
        ];
      };
      "/var/lib/bitwarden_rs" = {
-        device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
+        device = "/volumes/${cfg.location}/bitwarden_rs";
        options = [
          "bind"
          "x-systemd.required-by=bitwarden-secrets.service"
@ -48,7 +53,7 @@ in
      backupDir = backup-dir;
      environmentFile = "${bitwarden-env}";
      config = {
-        domain = "https://password.${sp.domain}/";
+        domain = "https://${cfg.subdomain}.${sp.domain}/";
        signupsAllowed = true;
        rocketPort = 8222;
      };
@ -76,14 +81,14 @@ in
        <(printf "%s" "$bitwarden_env") ${bitwarden-env}
      '';
    };
-    services.nginx.virtualHosts."password.${sp.domain}" = {
+    services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
      useACMEHost = sp.domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
-        add_header X-Frame-Options DENY;
+        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@ -3,8 +3,9 @@ let
  sp = config.selfprivacy;
  stateDir =
    if sp.useBinds
-    then "/volumes/${sp.modules.gitea.location}/gitea"
+    then "/volumes/${cfg.location}/gitea"
    else "/var/lib/gitea";
+  cfg = sp.modules.gitea;
 in
 {
  options.selfprivacy.modules.gitea = {
@ -15,12 +16,16 @@ in
    location = lib.mkOption {
      type = lib.types.str;
    };
+    subdomain = lib.mkOption {
+      default = "git";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
  };

-  config = lib.mkIf config.selfprivacy.modules.gitea.enable {
+  config = lib.mkIf cfg.enable {
    fileSystems = lib.mkIf sp.useBinds {
      "/var/lib/gitea" = {
-        device = "/volumes/${sp.modules.gitea.location}/gitea";
+        device = "/volumes/${cfg.location}/gitea";
        options = [ "bind" ];
      };
    };
@ -53,8 +58,8 @@ in
      #      cookieSecure = true;
      settings = {
        server = {
-          DOMAIN = "git.${sp.domain}";
-          ROOT_URL = "https://git.${sp.domain}/";
+          DOMAIN = "${cfg.subdomain}.${sp.domain}";
+          ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
          HTTP_ADDR = "0.0.0.0";
          HTTP_PORT = 3000;
        };
@ -83,7 +88,7 @@ in
        };
      };
    };
-    services.nginx.virtualHosts."git.${sp.domain}" = {
+    services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
      useACMEHost = sp.domain;
      forceSSL = true;
      extraConfig = ''
@ -103,6 +108,6 @@ in
      };
    };
    systemd.services.gitea.unitConfig.RequiresMountsFor =
-      lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
+      lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
  };
 }
--- a/sp-modules/jitsi-meet/module.nix
+++ b/sp-modules/jitsi-meet/module.nix
@ -1,6 +1,7 @@
 { config, lib, ... }:
 let
  domain = config.selfprivacy.domain;
+  cfg = config.selfprivacy.modules.jitsi-meet;
 in
 {
  options.selfprivacy.modules.jitsi-meet = {
@ -8,19 +9,23 @@ in
      default = false;
      type = lib.types.bool;
    };
+    subdomain = lib.mkOption {
+      default = "meet";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
  };

-  config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
+  config = lib.mkIf cfg.enable {
    services.jitsi-meet = {
      enable = true;
-      hostName = "meet.${domain}";
+      hostName = "${cfg.subdomain}.${domain}";
      nginx.enable = true;
      interfaceConfig = {
        SHOW_JITSI_WATERMARK = false;
        SHOW_WATERMARK_FOR_GUESTS = false;
      };
    };
-    services.nginx.virtualHosts."meet.${domain}" = {
+    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      enableACME = false;
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@ -8,18 +8,23 @@
    location = mkOption {
      type = types.str;
    };
+    subdomain = lib.mkOption {
+      default = "cloud";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
  };

  config =
    let
      inherit (import ./common.nix config)
        sp secrets-filepath db-pass-filepath admin-pass-filepath;
-      hostName = "cloud.${sp.domain}";
+      cfg = sp.modules.nextcloud;
+      hostName = "${cfg.subdomain}.${sp.domain}";
    in
    lib.mkIf sp.modules.nextcloud.enable {
      fileSystems = lib.mkIf sp.useBinds {
        "/var/lib/nextcloud" = {
-          device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
+          device = "/volumes/${cfg.location}/nextcloud";
          options = [
            "bind"
            "x-systemd.required-by=nextcloud-setup.service"
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@ -3,6 +3,7 @@ let
  domain = config.selfprivacy.domain;
  cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
  key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+  cfg = config.selfprivacy.modules.ocserv;
 in
 {
  options.selfprivacy.modules.ocserv = {
@ -10,9 +11,13 @@ in
      default = false;
      type = lib.types.bool;
    };
+    subdomain = lib.mkOption {
+      default = "vpn";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
  };

-  config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
+  config = lib.mkIf cfg.enable {
    users.groups.ocserv.members = [ "ocserv" ];
    users.users.ocserv = {
      isNormalUser = false;
@ -43,7 +48,7 @@ in
        idle-timeout=1200
        mobile-idle-timeout=2400

-        default-domain = vpn.${domain}
+        default-domain = ${cfg.subdomain}.${domain}

        device = vpn0

@ -57,7 +62,7 @@ in
        route = default
      '';
    };
-    services.nginx.virtualHosts."vpn.${domain}" = {
+    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
      useACMEHost = domain;
      forceSSL = true;
      extraConfig = ''
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
  secrets-filepath = "/etc/selfprivacy/secrets.json";
+  cfg = config.selfprivacy.modules.pleroma;
  inherit (import ./common.nix config) secrets-exs sp;
 in
 {
@ -12,11 +13,15 @@ in
    location = lib.mkOption {
      type = lib.types.str;
    };
+    subdomain = lib.mkOption {
+      default = "social";
+      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+    };
  };
-  config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
+  config = lib.mkIf cfg.enable {
    fileSystems = lib.mkIf sp.useBinds {
      "/var/lib/pleroma" = {
-        device = "/volumes/${sp.modules.pleroma.location}/pleroma";
+        device = "/volumes/${cfg.location}/pleroma";
        options = [
          "bind"
          "x-systemd.required-by=pleroma-secrets.service"
@ -26,7 +31,7 @@ in
        ];
      };
      "/var/lib/postgresql" = {
-        device = "/volumes/${sp.modules.pleroma.location}/postgresql";
+        device = "/volumes/${cfg.location}/postgresql";
        options = [
          "bind"
          "x-systemd.required-by=pleroma-secrets.service"
@ -102,9 +107,9 @@ in
    };
    # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
    systemd.services.pleroma.path = [ pkgs.util-linux ];
-    services.nginx.virtualHosts."social.${sp.domain}" = {
-      useACMEHost = config.selfprivacy.domain;
-      root = "/var/www/social.${sp.domain}";
+    services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
+      useACMEHost = sp.domain;
+      root = "/var/www/${cfg.subdomain}.${sp.domain}";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
Author	SHA1	Message	Date
Alexander	94d016e5f5	add script, which prints SP API token	2024-05-30 04:11:41 +04:00
Inex Code	132b6724cd	chore: update API 3.2.1 and update nixpkgs	2024-05-24 22:54:45 +03:00
Inex Code	86182f0799	chore: update API 3.2.0 and update nixpkgs	2024-05-22 11:40:21 +03:00
Inex Code	ce3231774e	chore: update nixpkgs	2024-05-02 22:34:36 +03:00
Inex Code	f8223192e5	fix: Add DeSEC to dnsPropagationCheckExceptions Probably a temp fix to #59	2024-05-02 22:31:30 +03:00
Alexander	4c183d5b40	fix deSEC: DESEC_POLLING_INTERVAL=30, propagation timeout and TTL	2024-03-12 19:58:37 +04:00
Inex Code	5e005dc436	chore: update API 3.1.0	2024-03-07 23:52:30 +03:00
Inex Code	6619760f47	Revert "try fix" This reverts commit `3b4466b49d`.	2024-02-23 20:46:24 +03:00
Inex Code	3b4466b49d	try fix	2024-02-23 20:45:38 +03:00
Inex Code	5d9c385d08	Revert "chore: update API 3.0.1" This reverts commit `3a7876aeb4`.	2024-02-23 20:40:26 +03:00
Inex Code	3a7876aeb4	chore: update API 3.0.1	2024-02-23 20:22:35 +03:00
Inex Code	c7583bf501	Merge pull request 'modules: parameterize all subdomains' (#54 ) from subdomains into flakes Reviewed-on: #54	2024-02-20 17:51:47 +02:00
Alexander	ad43d31c0c	modules: parameterize all subdomains	2024-02-20 14:42:37 +04:00
Inex Code	2159c4cc6e	Merge pull request 'Bitwarden: Fix webauthn login' (#55 ) from fix-bitwarden into flakes Reviewed-on: #55	2024-02-19 14:29:27 +02:00
Inex Code	3d6f47e0e7	chore: update nixpkgs	2024-02-19 15:23:38 +03:00
Inex Code	f103f708da	fix(bitwarden): Webauthn login didn't work	2024-02-19 15:23:25 +03:00