Compare commits


No commits in common. "master" and "master" have entirely different histories.

15 changed files with 133 additions and 163 deletions

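--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 userdata/userdata.json
 userdata/tokens.json
 hardware-configuration.nix
 networking.nix
-/result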


@ -18,6 +18,19 @@ in
Enable SelfPrivacy API service Enable SelfPrivacy API service
''; '';
}; };
enableSwagger = mkOption {
default = false;
type = types.bool;
description = ''
Enable Swagger UI
'';
};
b2Bucket = mkOption {
type = types.str;
description = ''
B2 bucket
'';
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -27,6 +40,8 @@ in
inherit (config.environment.sessionVariables) NIX_PATH; inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root"; HOME = "/root";
PYTHONUNBUFFERED = "1"; PYTHONUNBUFFERED = "1";
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket;
} // config.networking.proxy.envVars; } // config.networking.proxy.envVars;
path = [ path = [
"/var/" "/var/"
@ -38,14 +53,11 @@ in
pkgs.gitMinimal pkgs.gitMinimal
config.nix.package.out config.nix.package.out
pkgs.nixos-rebuild pkgs.nixos-rebuild
pkgs.rclone
pkgs.restic pkgs.restic
pkgs.mkpasswd pkgs.mkpasswd
pkgs.util-linux pkgs.util-linux
pkgs.e2fsprogs pkgs.e2fsprogs
pkgs.iproute2 pkgs.iproute2
pkgs.fuse-overlayfs
pkgs.fuse
]; ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ]; wantedBy = [ "network-online.target" ];
@ -62,7 +74,9 @@ in
inherit (config.environment.sessionVariables) NIX_PATH; inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root"; HOME = "/root";
PYTHONUNBUFFERED = "1"; PYTHONUNBUFFERED = "1";
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/"; ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket;
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.9/site-packages/";
} // config.networking.proxy.envVars; } // config.networking.proxy.envVars;
path = [ path = [
"/var/" "/var/"
@ -74,20 +88,17 @@ in
pkgs.gitMinimal pkgs.gitMinimal
config.nix.package.out config.nix.package.out
pkgs.nixos-rebuild pkgs.nixos-rebuild
pkgs.rclone
pkgs.restic pkgs.restic
pkgs.mkpasswd pkgs.mkpasswd
pkgs.util-linux pkgs.util-linux
pkgs.e2fsprogs pkgs.e2fsprogs
pkgs.iproute2 pkgs.iproute2
pkgs.fuse-overlayfs
pkgs.fuse
]; ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ]; wantedBy = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
User = "root"; User = "root";
ExecStart = "${pkgs.python310Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey"; ExecStart = "${pkgs.python39Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
Restart = "always"; Restart = "always";
RestartSec = "5"; RestartSec = "5";
}; };
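Review bot: `b2Bucket = mkOption { type = types.str; ... }` declares no default, so any host that imports this module but has not configured backups fails to evaluate; `default = "";` (or `type = types.nullOr types.str;`) would keep the module usable on its own, and the consumer in this compare already falls back to `""`. The `ENABLE_SWAGGER`/`B2_BUCKET` pair is copied verbatim into both service environments (the API unit and the huey worker); binding them once in a `let` and reusing the attrset would stop the two from drifting. The worker unit keeps `User = "root"` while `rclone`, `fuse` and `fuse-overlayfs` are added to its PATH; that is pre-existing, but a short comment on why the consumer must run as root would help the next reader. The enclosing module starts and ends outside the hunks.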


@ -2,6 +2,8 @@
{ {
services.selfprivacy-api = { services.selfprivacy-api = {
enable = true; enable = true;
enableSwagger = config.services.userdata.api.enableSwagger;
b2Bucket = config.services.userdata.backblaze.bucket;
}; };
users.users."selfprivacy-api" = { users.users."selfprivacy-api" = {

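--- /dev/null
+++ b/backup/restic.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+let
+cfg = config.services.userdata;
+in
+{
+services.restic.backups = {
+options = {
+passwordFile = "/etc/restic/resticPasswd";
+repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
+initialize = true;
+paths = [
+"/var/dkim"
+"/var/vmail"
+];
+timerConfig = {
+OnCalendar = [ "daily" ];
+};
+user = "restic";
+pruneOpts = [
+"--keep-daily 5"
+];
+};
+};
+users.users.restic = {
+isNormalUser = false;
+isSystemUser = true;
+group = "restic";
+};
+}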
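Review bot: `passwordFile = "/etc/restic/resticPasswd"` does not match the path the activation script in this compare writes the password to (`/var/lib/restic/pass`), so the backup job cannot open the repository; pick one path, e.g. `passwordFile = "/var/lib/restic/pass";`. The repository URL `s3:s3.anazonaws.com/...` misspells the host and targets the S3 API, while the credentials written elsewhere in this compare form an rclone `b2` remote that nothing here references, and no `environmentFile` hands S3 keys to the `restic` user — as written I doubt the job can authenticate at all. `users.users.restic` sets `group = "restic"` but no `users.groups.restic` is declared in this file; unless it is created elsewhere, evaluation fails, so add `users.groups.restic = { };`.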


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz"; url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz";
nix-overlay = (import (builtins.fetchTarball url-overlay)); nix-overlay = (import (builtins.fetchTarball url-overlay));
in in
{ {
@ -18,6 +18,7 @@ in
./social/pleroma.nix ./social/pleroma.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
./letsencrypt/resolve.nix ./letsencrypt/resolve.nix
./backup/restic.nix
./passmgr/bitwarden.nix ./passmgr/bitwarden.nix
./webserver/nginx.nix ./webserver/nginx.nix
./webserver/memcached.nix ./webserver/memcached.nix
@ -29,26 +30,6 @@ in
nixpkgs.overlays = [ (nix-overlay) ]; nixpkgs.overlays = [ (nix-overlay) ];
services.redis.servers.sp-api = {
enable = true;
save = [
[
30
1
]
[
10
10
]
];
port = 0;
settings = {
notify-keyspace-events = "KEA";
};
};
services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false;
boot.cleanTmpDir = true; boot.cleanTmpDir = true;
networking = { networking = {
hostName = config.services.userdata.hostname; hostName = config.services.userdata.hostname;
@ -73,7 +54,7 @@ in
openFirewall = false; openFirewall = false;
}; };
programs.ssh = { programs.ssh = {
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ]; pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ]; hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -88,16 +69,12 @@ in
allowReboot = config.services.userdata.autoUpgrade.allowReboot; allowReboot = config.services.userdata.autoUpgrade.allowReboot;
channel = "https://channel.selfprivacy.org/nixos-selfpricacy"; channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
}; };
system.stateVersion = config.services.userdata.stateVersion;
nix = { nix = {
optimise.automatic = true; optimise.automatic = true;
gc = { gc = {
automatic = true; automatic = true;
options = "--delete-older-than 7d"; options = "--delete-older-than 7d";
}; };
extraOptions = ''
experimental-features = nix-command flakes repl-flake
'';
}; };
services.journald.extraConfig = "SystemMaxUse=500M"; services.journald.extraConfig = "SystemMaxUse=500M";
boot.kernel.sysctl = { boot.kernel.sysctl = {
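Review bot: `system.stateVersion = config.services.userdata.stateVersion;` is dropped here, and the matching `stateVersion` option and JSON mapping are removed in the two userdata sections of this compare, so existing hosts lose their pinned state version and fall back to the current release default, which can silently change stateful service defaults on the next upgrade; keep the line, or hardcode the release the hosts were deployed with. The overlay is still fetched with `builtins.fetchTarball url-overlay` from a mutable branch archive (`master.tar.gz`) and no hash, so every evaluation trusts whatever that branch currently holds; pinning it as `builtins.fetchTarball { url = url-overlay; sha256 = "<hash-placeholder>"; }` makes the input reproducible and tamper-evident. The module's attrset continues outside the hunks.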


@ -1,16 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
cfg = config.services.userdata; cfg = config.services.userdata;
dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
CLOUDFLARE = ''
CF_API_KEY=REPLACEME
CLOUDFLARE_DNS_API_TOKEN=REPLACEME
CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
'';
DESEC = "DESEC_TOKEN=REPLACEME";
};
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
in in
{ {
systemd.tmpfiles.rules = systemd.tmpfiles.rules =
@ -18,14 +8,12 @@ in
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain; domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
in in
[ [
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "") (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "") (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "") (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "") "d /var/lib/restic 0600 restic - - -"
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
"d /var/sieve 0770 virtualMail virtualMail - -"
"d /var/www/root 0750 nginx nginx - -"
]; ];
system.activationScripts = system.activationScripts =
let let
@ -52,11 +40,32 @@ in
mkdir -p /var/lib/cloudflare mkdir -p /var/lib/cloudflare
chmod 0440 /var/lib/cloudflare chmod 0440 /var/lib/cloudflare
chown nginx:acmerecievers /var/lib/cloudflare chown nginx:acmerecievers /var/lib/cloudflare
echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
chmod 0440 /var/lib/cloudflare/Credentials.ini chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
''; '';
resticCredentials = ''
mkdir -p /root/.config/rclone
chmod 0400 /root/.config/rclone
chown root:root /root/.config/rclone
echo '[backblaze]' > /root/.config/rclone/rclone.conf
echo 'type = b2' >> /root/.config/rclone/rclone.conf
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
chmod 0400 /root/.config/rclone/rclone.conf
chown root:root /root/.config/rclone/rclone.conf
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
chmod 0400 /var/lib/restic/pass
chown restic /var/lib/restic/pass
'';
pleromaCredentials = pleromaCredentials =
if cfg.pleroma.enable then '' if cfg.pleroma.enable then ''
echo 'import Config' > /var/lib/pleroma/secrets.exs echo 'import Config' > /var/lib/pleroma/secrets.exs
@ -70,20 +79,5 @@ in
'' else '' '' else ''
rm -f /var/lib/pleroma/secrets.exs rm -f /var/lib/pleroma/secrets.exs
''; '';
bitwardenCredentials =
if cfg.bitwarden.enable then ''
mkdir -p /var/lib/bitwarden
token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
if [ "$token" == "null" ]; then
# If it's null, delete the contents of the file
> /var/lib/bitwarden/.env
else
echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
fi
chmod 0640 /var/lib/bitwarden/.env
chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
'' else ''
rm -f /var/lib/bitwarden/.env
'';
}; };
} }
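Review bot: The new tmpfiles modes weaken secret-bearing paths: `/var/lib/bitwarden` and its backup directory become `0777` (world-writable), `/var/lib/pleroma/secrets.exs` becomes `0755` (world-readable), and `d /var/lib/restic 0600 restic - - -` creates a directory without the execute bit, so the `restic` user cannot even traverse it; `0770`, `0750` and `0700` respectively restore the intent. In `resticCredentials` the B2 account key is spliced into the `sed -i "s/REPLACEME2/$(...)/g"` command line, which exposes it to process listings and breaks whenever the key contains `/` or `&`; writing the file straight from jq (below) avoids both, and `chmod 0400` on the `rclone` directory should be `0700` for the same traversal reason. Note also that the password lands in `/var/lib/restic/pass` while `backup/restic.nix` in this compare reads `/etc/restic/resticPasswd`. The `system.activationScripts` let-block continues outside the hunk.
```nix
resticCredentials = ''
  mkdir -p /root/.config/rclone
  chmod 0700 /root/.config/rclone
  chown root:root /root/.config/rclone
  ( umask 077; ${jq} -r '"[backblaze]\ntype = b2\naccount = \(.backblaze.accountId)\nkey = \(.backblaze.accountKey)"' /etc/nixos/userdata/userdata.json > /root/.config/rclone/rclone.conf )
  chmod 0400 /root/.config/rclone/rclone.conf
  chown root:root /root/.config/rclone/rclone.conf
  # … unchanged: restic password file …
'';
```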


@ -13,10 +13,10 @@ in
gitea = { gitea = {
enable = cfg.gitea.enable; enable = cfg.gitea.enable;
stateDir = "/var/lib/gitea"; stateDir = "/var/lib/gitea";
# log = { log = {
# rootPath = "/var/lib/gitea/log"; rootPath = "/var/lib/gitea/log";
# level = "Warn"; level = "Warn";
# }; };
user = "gitea"; user = "gitea";
database = { database = {
type = "sqlite3"; type = "sqlite3";
@ -26,10 +26,10 @@ in
path = "/var/lib/gitea/data/gitea.db"; path = "/var/lib/gitea/data/gitea.db";
createDatabase = true; createDatabase = true;
}; };
# ssh = { ssh = {
# enable = true; enable = true;
# clonePort = 22; clonePort = 22;
# }; };
lfs = { lfs = {
enable = true; enable = true;
contentDir = "/var/lib/gitea/lfs"; contentDir = "/var/lib/gitea/lfs";
@ -37,17 +37,16 @@ in
appName = "SelfPrivacy git Service"; appName = "SelfPrivacy git Service";
repositoryRoot = "/var/lib/gitea/repositories"; repositoryRoot = "/var/lib/gitea/repositories";
domain = "git.${cfg.domain}"; domain = "git.${cfg.domain}";
rootUrl = "https://git.${cfg.domain}/"; rootUrl = "https://${cfg.domain}/";
httpAddress = "0.0.0.0"; httpAddress = "0.0.0.0";
httpPort = 3000; httpPort = 3000;
# cookieSecure = true; cookieSecure = true;
settings = { settings = {
mailer = { mailer = {
ENABLED = false; ENABLED = false;
}; };
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "arc-green";
SHOW_USER_EMAIL = false;
}; };
picture = { picture = {
DISABLE_GRAVATAR = true; DISABLE_GRAVATAR = true;
@ -58,13 +57,6 @@ in
repository = { repository = {
FORCE_PRIVATE = false; FORCE_PRIVATE = false;
}; };
session = {
COOKIE_SECURE = true;
};
log = {
ROOT_PATH = "/var/lib/gitea/log";
LEVEL = "Warn";
};
}; };
}; };
}; };
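Review bot: `rootUrl = "https://${cfg.domain}/"` no longer matches `domain = "git.${cfg.domain}"` two lines above it, so Gitea will emit clone URLs, redirects and OAuth callbacks for the apex host instead of the git vhost; it should read `rootUrl = "https://git.${cfg.domain}/";`. Dropping `SHOW_USER_EMAIL = false;` from `settings.ui` makes user e-mail addresses visible on profile pages again; keep that line. Moving `log`, `ssh` and `cookieSecure` back to top-level `services.gitea` options rather than `settings` presumably targets an older NixOS module; on current modules those top-level options were folded into `settings`, so confirm this evaluates against the pinned nixpkgs. The `services.gitea` attrset starts outside the hunks.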


@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.services.userdata; cfg = config.services.userdata;
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
in in
{ {
users.groups.acmerecievers = { users.groups.acmerecievers = {
@ -9,23 +8,20 @@ in
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { email = "${cfg.username}@${cfg.domain}";
email = "${cfg.username}@${cfg.domain}";
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
reloadServices = [ "nginx" ];
};
certs = lib.mkForce { certs = lib.mkForce {
"wildcard-${cfg.domain}" = { "${cfg.domain}" = {
domain = "*.${cfg.domain}"; domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ];
group = "acmerecievers"; group = "acmerecievers";
dnsProvider = lib.strings.toLower cfg.dns.provider; dnsProvider = "cloudflare";
credentialsFile = "/var/lib/cloudflare/Credentials.ini"; credentialsFile = "/var/lib/cloudflare/Credentials.ini";
}; };
"${cfg.domain}" = { "meet.${cfg.domain}" = {
domain = cfg.domain; domain = "meet.${cfg.domain}";
group = "acmerecievers"; group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge"; dnsProvider = "cloudflare";
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
}; };
}; };
}; };
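Review bot: The cert named `"${cfg.domain}"` requests only `domain = "*.${cfg.domain}"`, and a wildcard does not cover the apex name, yet the nginx section of this compare now serves the apex vhost `"${domain}"` from `/var/lib/acme/${domain}/`, so browsers will reject that certificate for the bare domain. Add `extraDomainNames = [ "${cfg.domain}" ];` to that cert, as the old side did, or keep a separate apex cert. `email` is set directly under `security.acme`; on recent NixOS that setting lives at `security.acme.defaults.email` and the old spelling is at best a deprecated alias — confirm against the pinned nixpkgs. The separate `meet.${cfg.domain}` cert duplicates coverage the wildcard already provides.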


@ -12,6 +12,11 @@ in
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };
"nginx-config-reload" = {
serviceConfig = {
After = [ "acme-${domain}.service" ];
};
};
}; };
}; };
} }
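Review bot: `After = [ "acme-${domain}.service" ];` is placed under `serviceConfig`, which renders into the `[Service]` section of the unit; `After=` is a `[Unit]` directive, so systemd logs an unknown-key warning and the ordering never takes effect. If this attrset sits under `systemd.services` (its header is outside the hunk), use the module's unit-level option instead: `"nginx-config-reload".after = [ "acme-${domain}.service" ];`.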


@ -6,10 +6,10 @@ in
imports = [ imports = [
(builtins.fetchTarball { (builtins.fetchTarball {
# Pick a commit from the branch you are interested in # Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6d0d9fb9/nixos-mailserver-6d0d9fb9.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
# And set its hash # And set its hash
sha256 = "sha256:0h35al73p15z9v8zb6hi5nq987sfl5wp4rm5c8947nlzlnsjl61x"; sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
}) })
]; ];


@ -11,7 +11,7 @@ in
}; };
services.nextcloud = { services.nextcloud = {
enable = cfg.nextcloud.enable; enable = cfg.nextcloud.enable;
package = pkgs.nextcloud25; package = pkgs.nextcloud23;
hostName = "cloud.${cfg.domain}"; hostName = "cloud.${cfg.domain}";
# Use HTTPS for links # Use HTTPS for links


@ -17,7 +17,6 @@ in
enable = cfg.bitwarden.enable; enable = cfg.bitwarden.enable;
dbBackend = "sqlite"; dbBackend = "sqlite";
backupDir = "/var/lib/bitwarden/backup"; backupDir = "/var/lib/bitwarden/backup";
environmentFile = "/var/lib/bitwarden/.env";
config = { config = {
domain = "https://password.${cfg.domain}/"; domain = "https://password.${cfg.domain}/";
signupsAllowed = true; signupsAllowed = true;


@ -41,13 +41,6 @@ in
type = types.nullOr types.bool; type = types.nullOr types.bool;
}; };
}; };
stateVersion = mkOption {
description = ''
State version of the server
'';
type = types.str;
default = "22.11";
};
######################## ########################
# Server admin options # # Server admin options #
######################## ########################
@ -74,6 +67,13 @@ in
# API options # # API options #
############### ###############
api = { api = {
enableSwagger = mkOption {
default = true;
description = ''
Enable Swagger UI
'';
type = types.bool;
};
skippedMigrations = mkOption { skippedMigrations = mkOption {
default = [ ]; default = [ ];
description = '' description = ''
@ -85,28 +85,12 @@ in
############# #############
# Secrets # # Secrets #
############# #############
dns = { backblaze = {
provider = mkOption {
description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE";
type = types.nullOr types.str;
};
useStagingACME = mkOption {
description = "Use staging ACME server. Default is false";
type = types.nullOr types.bool;
};
};
backup = {
bucket = mkOption { bucket = mkOption {
description = "Bucket name used for userdata backups"; description = "Bucket name used for userdata backups";
type = types.nullOr types.str; type = types.nullOr types.str;
}; };
}; };
server = {
provider = mkOption {
description = "Server provider that was defined at the initial setup process. Default is HETZNER";
type = types.nullOr types.str;
};
};
############## ##############
# Services # # Services #
############## ##############
@ -187,7 +171,7 @@ in
description = '' description = ''
Password authentication for SSH Password authentication for SSH
''; '';
default = false; default = true;
type = types.nullOr types.bool; type = types.nullOr types.bool;
}; };
}; };
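Review bot: `default = true;` on the SSH password-authentication option flips the secure default: any deployment that omits the key now accepts password logins. The userdata.nix section of this compare assigns most of these options from JSON via `attrByPath` (the ssh entry is not in view), so whether this default ever applies depends on that file; either way it should stay `default = false;` so the declared option documents the safe behaviour. `api.enableSwagger` is likewise declared with `default = true` here while the service module defaults it to `false` and the JSON loader defaults it to `false`; pick one default so the documented value matches what runs. The options attrset continues outside the hunks.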


@ -7,7 +7,6 @@ in
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData; hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData; domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData; timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
stateVersion = lib.attrsets.attrByPath [ "stateVersion" ] "22.05" jsonData;
autoUpgrade = { autoUpgrade = {
enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData; enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData; allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
@ -16,17 +15,11 @@ in
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData; hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData; sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
api = { api = {
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData; skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
}; };
dns = { backblaze = {
provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData; bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
};
backup = {
bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData;
};
server = {
provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
}; };
bitwarden = { bitwarden = {
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData; enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;


@ -20,7 +20,8 @@ in
virtualHosts = { virtualHosts = {
"${domain}" = { "${domain}" = {
enableACME = true; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -32,15 +33,10 @@ in
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m; expires 10m;
''; '';
locations = {
"/" = {
root = "/var/www/root";
};
};
}; };
"vpn.${domain}" = { "vpn.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -54,8 +50,8 @@ in
''; '';
}; };
"git.${domain}" = { "git.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -74,8 +70,8 @@ in
}; };
}; };
"cloud.${domain}" = { "cloud.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -94,8 +90,8 @@ in
}; };
}; };
"password.${domain}" = { "password.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -114,8 +110,8 @@ in
}; };
}; };
"api.${domain}" = { "api.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -135,8 +131,8 @@ in
}; };
}; };
"social.${domain}" = { "social.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = "/var/www/social.${domain}"; root = "/var/www/social.${domain}";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
@ -155,13 +151,6 @@ in
}; };
}; };
}; };
"meet.${domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true;
useACMEHost = "wildcard-${domain}";
enableACME = false;
};
}; };
}; };
} }
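Review bot: Every vhost now hardcodes `sslCertificate`/`sslCertificateKey` under `/var/lib/acme/${domain}/` instead of `enableACME`/`useACMEHost`, which bypasses the renewal wiring the NixOS nginx module provides: as far as I recall, `useACMEHost` makes the module reload nginx from the cert's finished target, whereas raw paths leave a renewed certificate unused until something else reloads nginx — presumably why the `nginx-config-reload` ordering hack appears in this compare. Prefer `useACMEHost = domain; forceSSL = true;` per vhost and drop the explicit paths. The `virtualHosts` attrset starts outside the hunks.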