|
@ -1,5 +1,4 @@
|
||||||
userdata/userdata.json
|
userdata/userdata.json
|
||||||
userdata/tokens.json
|
userdata/tokens.json
|
||||||
hardware-configuration.nix
|
hardware-configuration.nix
|
||||||
networking.nix
|
networking.nix
|
||||||
/result
|
|
|
@ -18,6 +18,19 @@ in
|
||||||
Enable SelfPrivacy API service
|
Enable SelfPrivacy API service
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
enableSwagger = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Enable Swagger UI
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
b2Bucket = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = ''
|
||||||
|
B2 bucket
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
|
||||||
|
@ -27,6 +40,8 @@ in
|
||||||
inherit (config.environment.sessionVariables) NIX_PATH;
|
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||||
HOME = "/root";
|
HOME = "/root";
|
||||||
PYTHONUNBUFFERED = "1";
|
PYTHONUNBUFFERED = "1";
|
||||||
|
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||||
|
B2_BUCKET = cfg.b2Bucket;
|
||||||
} // config.networking.proxy.envVars;
|
} // config.networking.proxy.envVars;
|
||||||
path = [
|
path = [
|
||||||
"/var/"
|
"/var/"
|
||||||
|
@ -38,14 +53,11 @@ in
|
||||||
pkgs.gitMinimal
|
pkgs.gitMinimal
|
||||||
config.nix.package.out
|
config.nix.package.out
|
||||||
pkgs.nixos-rebuild
|
pkgs.nixos-rebuild
|
||||||
pkgs.rclone
|
|
||||||
pkgs.restic
|
pkgs.restic
|
||||||
pkgs.mkpasswd
|
pkgs.mkpasswd
|
||||||
pkgs.util-linux
|
pkgs.util-linux
|
||||||
pkgs.e2fsprogs
|
pkgs.e2fsprogs
|
||||||
pkgs.iproute2
|
pkgs.iproute2
|
||||||
pkgs.fuse-overlayfs
|
|
||||||
pkgs.fuse
|
|
||||||
];
|
];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "network-online.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
|
@ -62,7 +74,9 @@ in
|
||||||
inherit (config.environment.sessionVariables) NIX_PATH;
|
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||||
HOME = "/root";
|
HOME = "/root";
|
||||||
PYTHONUNBUFFERED = "1";
|
PYTHONUNBUFFERED = "1";
|
||||||
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
|
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||||
|
B2_BUCKET = cfg.b2Bucket;
|
||||||
|
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.9/site-packages/";
|
||||||
} // config.networking.proxy.envVars;
|
} // config.networking.proxy.envVars;
|
||||||
path = [
|
path = [
|
||||||
"/var/"
|
"/var/"
|
||||||
|
@ -74,20 +88,17 @@ in
|
||||||
pkgs.gitMinimal
|
pkgs.gitMinimal
|
||||||
config.nix.package.out
|
config.nix.package.out
|
||||||
pkgs.nixos-rebuild
|
pkgs.nixos-rebuild
|
||||||
pkgs.rclone
|
|
||||||
pkgs.restic
|
pkgs.restic
|
||||||
pkgs.mkpasswd
|
pkgs.mkpasswd
|
||||||
pkgs.util-linux
|
pkgs.util-linux
|
||||||
pkgs.e2fsprogs
|
pkgs.e2fsprogs
|
||||||
pkgs.iproute2
|
pkgs.iproute2
|
||||||
pkgs.fuse-overlayfs
|
|
||||||
pkgs.fuse
|
|
||||||
];
|
];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "network-online.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "root";
|
User = "root";
|
||||||
ExecStart = "${pkgs.python310Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
|
ExecStart = "${pkgs.python39Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "5";
|
RestartSec = "5";
|
||||||
};
|
};
|
||||||
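Review bot: The `ENABLE_SWAGGER` and `B2_BUCKET` entries are written out twice, once in each service's `environment` set (the API service in the `@ -27,6 +40,8 @@` hunk and the huey worker in the `@ -62,7 +74,9 @@` hunk), so the two copies can drift apart. Hoisting them into one binding in the module's `let`, e.g. `apiEnv = { ENABLE_SWAGGER = if cfg.enableSwagger then "1" else "0"; B2_BUCKET = cfg.b2Bucket; };`, and merging it with `// apiEnv` in both places keeps them in step. The same goes for the interpreter version: `python39Packages.huey` in `ExecStart` and the literal `/lib/python3.9/site-packages/` in `PYTHONPATH` must agree, and a single binding for the version would make that coupling explicit. The `let` block that would hold these bindings lies outside the hunks shown.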
|
|
|
@ -2,6 +2,8 @@
|
||||||
{
|
{
|
||||||
services.selfprivacy-api = {
|
services.selfprivacy-api = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
enableSwagger = config.services.userdata.api.enableSwagger;
|
||||||
|
b2Bucket = config.services.userdata.backblaze.bucket;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users."selfprivacy-api" = {
|
users.users."selfprivacy-api" = {
|
||||||
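Review bot: `b2Bucket = config.services.userdata.backblaze.bucket;` feeds a `types.nullOr types.str` option into a module option declared as plain `types.str`, so a `null` bucket in userdata.json fails evaluation with a type error at this assignment instead of a readable message. Either declare `b2Bucket` as `types.nullOr types.str` as well, or add an assertion that the bucket is set whenever `services.selfprivacy-api.enable` is true.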
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.userdata;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.restic.backups = {
|
||||||
|
options = {
|
||||||
|
passwordFile = "/etc/restic/resticPasswd";
|
||||||
|
repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
|
||||||
|
initialize = true;
|
||||||
|
paths = [
|
||||||
|
"/var/dkim"
|
||||||
|
"/var/vmail"
|
||||||
|
];
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = [ "daily" ];
|
||||||
|
};
|
||||||
|
user = "restic";
|
||||||
|
pruneOpts = [
|
||||||
|
"--keep-daily 5"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
users.users.restic = {
|
||||||
|
isNormalUser = false;
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "restic";
|
||||||
|
};
|
||||||
|
}
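Review bot: `passwordFile = "/etc/restic/resticPasswd";` does not match the path the activation script in files.nix writes the password to (`/var/lib/restic/pass`), so the backup job cannot find its password unless something outside this diff creates `/etc/restic/resticPasswd`. The repository host `s3.anazonaws.com` also looks like a typo of `amazonaws.com`, and for a Backblaze B2 bucket the S3-compatible endpoint is a `backblazeb2.com` host rather than an AWS one — worth confirming which service the bucket actually lives on. `users.users.restic` references `group = "restic"` but no `users.groups.restic` is declared in this file; if it is not declared elsewhere, user creation fails, so `users.groups.restic = { };` next to the user definition would close that gap.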
|
|
@ -1,6 +1,6 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz";
|
url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz";
|
||||||
nix-overlay = (import (builtins.fetchTarball url-overlay));
|
nix-overlay = (import (builtins.fetchTarball url-overlay));
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -18,6 +18,7 @@ in
|
||||||
./social/pleroma.nix
|
./social/pleroma.nix
|
||||||
./letsencrypt/acme.nix
|
./letsencrypt/acme.nix
|
||||||
./letsencrypt/resolve.nix
|
./letsencrypt/resolve.nix
|
||||||
|
./backup/restic.nix
|
||||||
./passmgr/bitwarden.nix
|
./passmgr/bitwarden.nix
|
||||||
./webserver/nginx.nix
|
./webserver/nginx.nix
|
||||||
./webserver/memcached.nix
|
./webserver/memcached.nix
|
||||||
|
@ -29,26 +30,6 @@ in
|
||||||
|
|
||||||
nixpkgs.overlays = [ (nix-overlay) ];
|
nixpkgs.overlays = [ (nix-overlay) ];
|
||||||
|
|
||||||
services.redis.servers.sp-api = {
|
|
||||||
enable = true;
|
|
||||||
save = [
|
|
||||||
[
|
|
||||||
30
|
|
||||||
1
|
|
||||||
]
|
|
||||||
[
|
|
||||||
10
|
|
||||||
10
|
|
||||||
]
|
|
||||||
];
|
|
||||||
port = 0;
|
|
||||||
settings = {
|
|
||||||
notify-keyspace-events = "KEA";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false;
|
|
||||||
|
|
||||||
boot.cleanTmpDir = true;
|
boot.cleanTmpDir = true;
|
||||||
networking = {
|
networking = {
|
||||||
hostName = config.services.userdata.hostname;
|
hostName = config.services.userdata.hostname;
|
||||||
|
@ -73,7 +54,7 @@ in
|
||||||
openFirewall = false;
|
openFirewall = false;
|
||||||
};
|
};
|
||||||
programs.ssh = {
|
programs.ssh = {
|
||||||
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
|
pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
|
||||||
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
|
hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
|
||||||
};
|
};
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -88,16 +69,12 @@ in
|
||||||
allowReboot = config.services.userdata.autoUpgrade.allowReboot;
|
allowReboot = config.services.userdata.autoUpgrade.allowReboot;
|
||||||
channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
|
channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
|
||||||
};
|
};
|
||||||
system.stateVersion = config.services.userdata.stateVersion;
|
|
||||||
nix = {
|
nix = {
|
||||||
optimise.automatic = true;
|
optimise.automatic = true;
|
||||||
gc = {
|
gc = {
|
||||||
automatic = true;
|
automatic = true;
|
||||||
options = "--delete-older-than 7d";
|
options = "--delete-older-than 7d";
|
||||||
};
|
};
|
||||||
extraOptions = ''
|
|
||||||
experimental-features = nix-command flakes repl-flake
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
services.journald.extraConfig = "SystemMaxUse=500M";
|
services.journald.extraConfig = "SystemMaxUse=500M";
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
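Review bot: `url-overlay` now points at `master.tar.gz` and is still fetched with `builtins.fetchTarball` and no `sha256`, so every evaluation pulls whatever the branch currently contains from the network with nothing to verify it against; pin the overlay to a commit archive and pass `sha256 = "<hash of the pinned archive>";` the way the mailserver import in this same change does. Separately, the `@ -88,16 +69,12 @@` hunk drops `system.stateVersion = ...` without replacing it, so the new side leaves the option unset and NixOS falls back to the current release's default for stateful services, which can change on-disk formats across upgrades. Keeping an explicit `system.stateVersion` is the safer choice.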
|
|
60
files.nix
60
files.nix
|
@ -1,16 +1,6 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.userdata;
|
cfg = config.services.userdata;
|
||||||
dnsCredentialsTemplates = {
|
|
||||||
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
|
|
||||||
CLOUDFLARE = ''
|
|
||||||
CF_API_KEY=REPLACEME
|
|
||||||
CLOUDFLARE_DNS_API_TOKEN=REPLACEME
|
|
||||||
CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
|
|
||||||
'';
|
|
||||||
DESEC = "DESEC_TOKEN=REPLACEME";
|
|
||||||
};
|
|
||||||
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
systemd.tmpfiles.rules =
|
systemd.tmpfiles.rules =
|
||||||
|
@ -18,14 +8,12 @@ in
|
||||||
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
||||||
in
|
in
|
||||||
[
|
[
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
||||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
||||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
|
"d /var/lib/restic 0600 restic - - -"
|
||||||
|
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||||
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
|
|
||||||
"d /var/sieve 0770 virtualMail virtualMail - -"
|
|
||||||
"d /var/www/root 0750 nginx nginx - -"
|
|
||||||
];
|
];
|
||||||
system.activationScripts =
|
system.activationScripts =
|
||||||
let
|
let
|
||||||
|
@ -52,11 +40,32 @@ in
|
||||||
mkdir -p /var/lib/cloudflare
|
mkdir -p /var/lib/cloudflare
|
||||||
chmod 0440 /var/lib/cloudflare
|
chmod 0440 /var/lib/cloudflare
|
||||||
chown nginx:acmerecievers /var/lib/cloudflare
|
chown nginx:acmerecievers /var/lib/cloudflare
|
||||||
echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
|
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
|
||||||
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||||
|
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||||
|
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
||||||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||||
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
||||||
'';
|
'';
|
||||||
|
resticCredentials = ''
|
||||||
|
mkdir -p /root/.config/rclone
|
||||||
|
chmod 0400 /root/.config/rclone
|
||||||
|
chown root:root /root/.config/rclone
|
||||||
|
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
||||||
|
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
||||||
|
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
||||||
|
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
||||||
|
|
||||||
|
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
|
||||||
|
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
|
||||||
|
|
||||||
|
chmod 0400 /root/.config/rclone/rclone.conf
|
||||||
|
chown root:root /root/.config/rclone/rclone.conf
|
||||||
|
|
||||||
|
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
||||||
|
chmod 0400 /var/lib/restic/pass
|
||||||
|
chown restic /var/lib/restic/pass
|
||||||
|
'';
|
||||||
pleromaCredentials =
|
pleromaCredentials =
|
||||||
if cfg.pleroma.enable then ''
|
if cfg.pleroma.enable then ''
|
||||||
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
||||||
|
@ -70,20 +79,5 @@ in
|
||||||
'' else ''
|
'' else ''
|
||||||
rm -f /var/lib/pleroma/secrets.exs
|
rm -f /var/lib/pleroma/secrets.exs
|
||||||
'';
|
'';
|
||||||
bitwardenCredentials =
|
|
||||||
if cfg.bitwarden.enable then ''
|
|
||||||
mkdir -p /var/lib/bitwarden
|
|
||||||
token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
|
|
||||||
if [ "$token" == "null" ]; then
|
|
||||||
# If it's null, delete the contents of the file
|
|
||||||
> /var/lib/bitwarden/.env
|
|
||||||
else
|
|
||||||
echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
|
|
||||||
fi
|
|
||||||
chmod 0640 /var/lib/bitwarden/.env
|
|
||||||
chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
|
|
||||||
'' else ''
|
|
||||||
rm -f /var/lib/bitwarden/.env
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
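Review bot: The tmpfiles rules in the `@ -18,14 +8,12 @@` hunk loosen several modes in a way that exposes secrets: `/var/lib/bitwarden` and `/var/lib/bitwarden/backup` become `0777` (world-writable state and backup directories) and `/var/lib/pleroma/secrets.exs` becomes `0755` (world-readable secrets), while `d /var/lib/restic 0600 restic - - -` gives a directory no execute bit, so the `restic` user cannot even enter it to read `/var/lib/restic/pass`. Suggested lines: `d /var/lib/bitwarden 0770 vaultwarden vaultwarden -` (and the same for `backup`), `f /var/lib/pleroma/secrets.exs 0640 pleroma pleroma - -`, `d /var/lib/restic 0700 restic restic - -`. In `resticCredentials`, the password is written with a plain redirect (`> /var/lib/restic/pass`) before the `chmod 0400`, so it briefly exists with the activation umask, and if `.resticPassword` is absent `jq -r` writes the literal string `null`; a `umask 077` at the top of the script removes the window, and a check for `null` avoids a silently wrong password.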
|
|
|
@ -13,10 +13,10 @@ in
|
||||||
gitea = {
|
gitea = {
|
||||||
enable = cfg.gitea.enable;
|
enable = cfg.gitea.enable;
|
||||||
stateDir = "/var/lib/gitea";
|
stateDir = "/var/lib/gitea";
|
||||||
# log = {
|
log = {
|
||||||
# rootPath = "/var/lib/gitea/log";
|
rootPath = "/var/lib/gitea/log";
|
||||||
# level = "Warn";
|
level = "Warn";
|
||||||
# };
|
};
|
||||||
user = "gitea";
|
user = "gitea";
|
||||||
database = {
|
database = {
|
||||||
type = "sqlite3";
|
type = "sqlite3";
|
||||||
|
@ -26,10 +26,10 @@ in
|
||||||
path = "/var/lib/gitea/data/gitea.db";
|
path = "/var/lib/gitea/data/gitea.db";
|
||||||
createDatabase = true;
|
createDatabase = true;
|
||||||
};
|
};
|
||||||
# ssh = {
|
ssh = {
|
||||||
# enable = true;
|
enable = true;
|
||||||
# clonePort = 22;
|
clonePort = 22;
|
||||||
# };
|
};
|
||||||
lfs = {
|
lfs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
contentDir = "/var/lib/gitea/lfs";
|
contentDir = "/var/lib/gitea/lfs";
|
||||||
|
@ -37,17 +37,16 @@ in
|
||||||
appName = "SelfPrivacy git Service";
|
appName = "SelfPrivacy git Service";
|
||||||
repositoryRoot = "/var/lib/gitea/repositories";
|
repositoryRoot = "/var/lib/gitea/repositories";
|
||||||
domain = "git.${cfg.domain}";
|
domain = "git.${cfg.domain}";
|
||||||
rootUrl = "https://git.${cfg.domain}/";
|
rootUrl = "https://${cfg.domain}/";
|
||||||
httpAddress = "0.0.0.0";
|
httpAddress = "0.0.0.0";
|
||||||
httpPort = 3000;
|
httpPort = 3000;
|
||||||
# cookieSecure = true;
|
cookieSecure = true;
|
||||||
settings = {
|
settings = {
|
||||||
mailer = {
|
mailer = {
|
||||||
ENABLED = false;
|
ENABLED = false;
|
||||||
};
|
};
|
||||||
ui = {
|
ui = {
|
||||||
DEFAULT_THEME = "arc-green";
|
DEFAULT_THEME = "arc-green";
|
||||||
SHOW_USER_EMAIL = false;
|
|
||||||
};
|
};
|
||||||
picture = {
|
picture = {
|
||||||
DISABLE_GRAVATAR = true;
|
DISABLE_GRAVATAR = true;
|
||||||
|
@ -58,13 +57,6 @@ in
|
||||||
repository = {
|
repository = {
|
||||||
FORCE_PRIVATE = false;
|
FORCE_PRIVATE = false;
|
||||||
};
|
};
|
||||||
session = {
|
|
||||||
COOKIE_SECURE = true;
|
|
||||||
};
|
|
||||||
log = {
|
|
||||||
ROOT_PATH = "/var/lib/gitea/log";
|
|
||||||
LEVEL = "Warn";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
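Review bot: `rootUrl = "https://${cfg.domain}/";` disagrees with `domain = "git.${cfg.domain}";` just above it and with the nginx vhost that proxies Gitea at `git.${domain}`, so every absolute link Gitea generates (clone URLs, e-mail links, OAuth redirects) points at the apex domain instead of the git subdomain; it should read `rootUrl = "https://git.${cfg.domain}/";`. The `@ -58,13 +57,6 @@` hunk also drops `SHOW_USER_EMAIL = false;` from `settings.ui`, which falls back to Gitea's built-in default and, as far as I recall, that default shows user e-mail addresses on profile pages — keep the line unless that exposure is intended.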
|
|
|
@ -1,7 +1,6 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.userdata;
|
cfg = config.services.userdata;
|
||||||
dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
users.groups.acmerecievers = {
|
users.groups.acmerecievers = {
|
||||||
|
@ -9,23 +8,20 @@ in
|
||||||
};
|
};
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults = {
|
email = "${cfg.username}@${cfg.domain}";
|
||||||
email = "${cfg.username}@${cfg.domain}";
|
|
||||||
server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
|
|
||||||
dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
|
|
||||||
reloadServices = [ "nginx" ];
|
|
||||||
};
|
|
||||||
certs = lib.mkForce {
|
certs = lib.mkForce {
|
||||||
"wildcard-${cfg.domain}" = {
|
"${cfg.domain}" = {
|
||||||
domain = "*.${cfg.domain}";
|
domain = "*.${cfg.domain}";
|
||||||
|
extraDomainNames = [ "${cfg.domain}" ];
|
||||||
group = "acmerecievers";
|
group = "acmerecievers";
|
||||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
dnsProvider = "cloudflare";
|
||||||
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
};
|
};
|
||||||
"${cfg.domain}" = {
|
"meet.${cfg.domain}" = {
|
||||||
domain = cfg.domain;
|
domain = "meet.${cfg.domain}";
|
||||||
group = "acmerecievers";
|
group = "acmerecievers";
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
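Review bot: The new `"meet.${cfg.domain}"` certificate is redundant with the `"${cfg.domain}"` entry directly above it, whose `domain = "*.${cfg.domain}"` already covers `meet.${cfg.domain}`, and the nginx change in this same diff removes the `meet.` vhost, so nothing consumes it; each extra issuance also counts against Let's Encrypt rate limits. Dropping the block, or using `useACMEHost = "${cfg.domain}"` on a consuming vhost if one is added back, is enough. With `dnsProvider = "cloudflare"` now hard-coded and the `server`/`useStagingACME` selection gone, there is no longer a way to exercise issuance against the staging endpoint before touching production limits — worth stating in the module's documentation if that is intended.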
|
|
|
@ -12,6 +12,11 @@ in
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
"nginx-config-reload" = {
|
||||||
|
serviceConfig = {
|
||||||
|
After = [ "acme-${domain}.service" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
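Review bot: `After = [ "acme-${domain}.service" ];` is placed under `serviceConfig`, which NixOS renders into the `[Service]` section, but `After=` is a `[Unit]` directive; systemd warns about an unknown key and ignores it, so `nginx-config-reload` still gets no ordering against the ACME unit. Use the module-level option instead: `"nginx-config-reload" = { after = [ "acme-${domain}.service" ]; };`. The `domain` binding this interpolates is defined outside the hunk, so I cannot confirm it matches the certificate name used in acme.nix (`"${cfg.domain}"`).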
|
|
|
@ -6,10 +6,10 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
(builtins.fetchTarball {
|
(builtins.fetchTarball {
|
||||||
# Pick a commit from the branch you are interested in
|
# Pick a commit from the branch you are interested in
|
||||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6d0d9fb9/nixos-mailserver-6d0d9fb9.tar.gz";
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
|
||||||
|
|
||||||
# And set its hash
|
# And set its hash
|
||||||
sha256 = "sha256:0h35al73p15z9v8zb6hi5nq987sfl5wp4rm5c8947nlzlnsjl61x";
|
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ in
|
||||||
};
|
};
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = cfg.nextcloud.enable;
|
enable = cfg.nextcloud.enable;
|
||||||
package = pkgs.nextcloud25;
|
package = pkgs.nextcloud23;
|
||||||
hostName = "cloud.${cfg.domain}";
|
hostName = "cloud.${cfg.domain}";
|
||||||
|
|
||||||
# Use HTTPS for links
|
# Use HTTPS for links
|
||||||
|
|
|
@ -17,7 +17,6 @@ in
|
||||||
enable = cfg.bitwarden.enable;
|
enable = cfg.bitwarden.enable;
|
||||||
dbBackend = "sqlite";
|
dbBackend = "sqlite";
|
||||||
backupDir = "/var/lib/bitwarden/backup";
|
backupDir = "/var/lib/bitwarden/backup";
|
||||||
environmentFile = "/var/lib/bitwarden/.env";
|
|
||||||
config = {
|
config = {
|
||||||
domain = "https://password.${cfg.domain}/";
|
domain = "https://password.${cfg.domain}/";
|
||||||
signupsAllowed = true;
|
signupsAllowed = true;
|
||||||
|
|
|
@ -41,13 +41,6 @@ in
|
||||||
type = types.nullOr types.bool;
|
type = types.nullOr types.bool;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
stateVersion = mkOption {
|
|
||||||
description = ''
|
|
||||||
State version of the server
|
|
||||||
'';
|
|
||||||
type = types.str;
|
|
||||||
default = "22.11";
|
|
||||||
};
|
|
||||||
########################
|
########################
|
||||||
# Server admin options #
|
# Server admin options #
|
||||||
########################
|
########################
|
||||||
|
@ -74,6 +67,13 @@ in
|
||||||
# API options #
|
# API options #
|
||||||
###############
|
###############
|
||||||
api = {
|
api = {
|
||||||
|
enableSwagger = mkOption {
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Enable Swagger UI
|
||||||
|
'';
|
||||||
|
type = types.bool;
|
||||||
|
};
|
||||||
skippedMigrations = mkOption {
|
skippedMigrations = mkOption {
|
||||||
default = [ ];
|
default = [ ];
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -85,28 +85,12 @@ in
|
||||||
#############
|
#############
|
||||||
# Secrets #
|
# Secrets #
|
||||||
#############
|
#############
|
||||||
dns = {
|
backblaze = {
|
||||||
provider = mkOption {
|
|
||||||
description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE";
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
};
|
|
||||||
useStagingACME = mkOption {
|
|
||||||
description = "Use staging ACME server. Default is false";
|
|
||||||
type = types.nullOr types.bool;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
backup = {
|
|
||||||
bucket = mkOption {
|
bucket = mkOption {
|
||||||
description = "Bucket name used for userdata backups";
|
description = "Bucket name used for userdata backups";
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
server = {
|
|
||||||
provider = mkOption {
|
|
||||||
description = "Server provider that was defined at the initial setup process. Default is HETZNER";
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
##############
|
##############
|
||||||
# Services #
|
# Services #
|
||||||
##############
|
##############
|
||||||
|
@ -187,7 +171,7 @@ in
|
||||||
description = ''
|
description = ''
|
||||||
Password authentication for SSH
|
Password authentication for SSH
|
||||||
'';
|
'';
|
||||||
default = false;
|
default = true;
|
||||||
type = types.nullOr types.bool;
|
type = types.nullOr types.bool;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
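Review bot: In the `@ -187,7 +171,7 @@` hunk the option described as `Password authentication for SSH` changes its default from `false` to `true`, so any deployment whose userdata does not set the value explicitly ends up with password logins enabled; the safer declaration is `default = false;` with users opting in. The new `api.enableSwagger` option declares `default = true;` while the loader in the userdata JSON module falls back to `false` (`attrByPath [ "api" "enableSwagger" ] false jsonData`), so the documented default never applies and contradicts the effective behaviour; align them, preferably on `false`, since Swagger UI exposes the full API surface. The `@ -41,13 +41,6 @@` hunk also removes the `stateVersion` option that configuration.nix consumed on the old side — confirm nothing on the new side still references `cfg.stateVersion`.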
|
|
|
@ -7,7 +7,6 @@ in
|
||||||
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
|
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
|
||||||
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
|
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
|
||||||
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
|
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
|
||||||
stateVersion = lib.attrsets.attrByPath [ "stateVersion" ] "22.05" jsonData;
|
|
||||||
autoUpgrade = {
|
autoUpgrade = {
|
||||||
enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
|
enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
|
||||||
allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
|
allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
|
||||||
|
@ -16,17 +15,11 @@ in
|
||||||
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
||||||
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
||||||
api = {
|
api = {
|
||||||
|
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
|
||||||
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
||||||
};
|
};
|
||||||
dns = {
|
backblaze = {
|
||||||
provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
|
bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
|
||||||
useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
|
|
||||||
};
|
|
||||||
backup = {
|
|
||||||
bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData;
|
|
||||||
};
|
|
||||||
server = {
|
|
||||||
provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
|
|
||||||
};
|
};
|
||||||
bitwarden = {
|
bitwarden = {
|
||||||
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
|
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
|
||||||
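Review bot: `bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;` turns a missing bucket into the empty string, which satisfies both `types.nullOr types.str` and the API module's `types.str`, so the restic `repository` in backup/restic.nix silently becomes `s3:s3.anazonaws.com/` and `B2_BUCKET` is exported empty; the failure only shows up when the first backup runs. Falling back to `null` here and adding `assertions = [ { assertion = cfg.backblaze.bucket != null; message = "backblaze.bucket must be set in userdata.json"; } ];` in the restic module surfaces the misconfiguration at evaluation time instead.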
|
|
|
@ -20,7 +20,8 @@ in
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -32,15 +33,10 @@ in
|
||||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||||
expires 10m;
|
expires 10m;
|
||||||
'';
|
'';
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
root = "/var/www/root";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
"vpn.${domain}" = {
|
"vpn.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -54,8 +50,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"git.${domain}" = {
|
"git.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -74,8 +70,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"cloud.${domain}" = {
|
"cloud.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -94,8 +90,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"password.${domain}" = {
|
"password.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -114,8 +110,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"api.${domain}" = {
|
"api.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
|
@ -135,8 +131,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"social.${domain}" = {
|
"social.${domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
|
||||||
root = "/var/www/social.${domain}";
|
root = "/var/www/social.${domain}";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -155,13 +151,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"meet.${domain}" = {
|
|
||||||
sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
|
|
||||||
sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "wildcard-${domain}";
|
|
||||||
enableACME = false;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
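Review bot: Each of the seven vhosts on the new side hard-codes `sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";` and `sslCertificateKey = "/var/lib/acme/${domain}/key.pem";`, which repeats the same pair seven times and bypasses the NixOS ACME/nginx integration, so, as far as I can tell from the module, nginx is not reloaded when the certificate renews and keeps serving the old chain until something else restarts it. `useACMEHost = "${domain}";` in place of the two lines yields the same paths and should add the renewal reload and unit ordering that the manual `nginx-config-reload` entry in resolve.nix tries to recreate. The `"${domain}"` apex vhost also loses its `locations."/"` root in the `@ -32,15 +33,10 @@` hunk, so it now serves whatever nginx's compiled-in default root contains — presumably unintended; confirm a root or redirect is set elsewhere.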
|
|