Test new volumes system #20
|
@ -1,3 +1,4 @@
|
|||
userdata/userdata.json
|
||||
userdata/tokens.json
|
||||
hardware-configuration.nix
|
||||
networking.nix
|
|
@ -12,18 +12,12 @@ in
|
|||
{
|
||||
options.services.selfprivacy-api = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Enable SelfPrivacy API service
|
||||
'';
|
||||
};
|
||||
token = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
SelfPrivacy API token
|
||||
'';
|
||||
};
|
||||
enableSwagger = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
|
@ -31,30 +25,12 @@ in
|
|||
Enable Swagger UI
|
||||
'';
|
||||
};
|
||||
b2AccountId = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
B2 account ID
|
||||
'';
|
||||
};
|
||||
b2AccountKey = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
B2 account key
|
||||
'';
|
||||
};
|
||||
b2Bucket = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
B2 bucket
|
||||
'';
|
||||
};
|
||||
resticPassword = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
Restic password
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
|
@ -64,19 +40,65 @@ in
|
|||
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||
HOME = "/root";
|
||||
PYTHONUNBUFFERED = "1";
|
||||
AUTH_TOKEN = cfg.token;
|
||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||
B2_ACCOUNT_ID = cfg.b2AccountId;
|
||||
B2_ACCOUNT_KEY = cfg.b2AccountKey;
|
||||
B2_BUCKET = cfg.b2Bucket;
|
||||
RESTIC_PASSWORD = cfg.resticPassword;
|
||||
} // config.networking.proxy.envVars;
|
||||
path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ];
|
||||
path = [
|
||||
"/var/"
|
||||
"/var/dkim/"
|
||||
pkgs.coreutils
|
||||
pkgs.gnutar
|
||||
pkgs.xz.bin
|
||||
pkgs.gzip
|
||||
pkgs.gitMinimal
|
||||
config.nix.package.out
|
||||
pkgs.nixos-rebuild
|
||||
pkgs.restic
|
||||
pkgs.mkpasswd
|
||||
pkgs.util-linux
|
||||
pkgs.e2fsprogs
|
||||
pkgs.iproute2
|
||||
];
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "network-online.target" ];
|
||||
serviceConfig = {
|
||||
User = "root";
|
||||
ExecStart = "${pkgs.selfprivacy-api}/bin/app.py";
|
||||
ExecStart = "${pkgs.selfprivacy-graphql-api}/bin/app.py";
|
||||
Restart = "always";
|
||||
RestartSec = "5";
|
||||
};
|
||||
};
|
||||
systemd.services.selfprivacy-api-worker = {
|
||||
description = "Task worker for SelfPrivacy API";
|
||||
environment = config.nix.envVars // {
|
||||
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||
HOME = "/root";
|
||||
PYTHONUNBUFFERED = "1";
|
||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||
B2_BUCKET = cfg.b2Bucket;
|
||||
PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.9/site-packages/";
|
||||
} // config.networking.proxy.envVars;
|
||||
path = [
|
||||
"/var/"
|
||||
"/var/dkim/"
|
||||
pkgs.coreutils
|
||||
pkgs.gnutar
|
||||
pkgs.xz.bin
|
||||
pkgs.gzip
|
||||
pkgs.gitMinimal
|
||||
config.nix.package.out
|
||||
pkgs.nixos-rebuild
|
||||
pkgs.restic
|
||||
pkgs.mkpasswd
|
||||
pkgs.util-linux
|
||||
pkgs.e2fsprogs
|
||||
pkgs.iproute2
|
||||
];
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "network-online.target" ];
|
||||
serviceConfig = {
|
||||
User = "root";
|
||||
ExecStart = "${pkgs.python39Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
|
||||
Restart = "always";
|
||||
RestartSec = "5";
|
||||
};
|
||||
|
@ -92,6 +114,8 @@ in
|
|||
serviceConfig = {
|
||||
User = "root";
|
||||
ExecStart = "${pkgs.nixos-rebuild}/bin/nixos-rebuild switch";
|
||||
KillMode = "none";
|
||||
SendSIGKILL = "no";
|
||||
};
|
||||
};
|
||||
# One shot systemd service to upgrade NixOS using nixos-rebuild
|
||||
|
@ -105,6 +129,8 @@ in
|
|||
serviceConfig = {
|
||||
User = "root";
|
||||
ExecStart = "${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --upgrade";
|
||||
KillMode = "none";
|
||||
SendSIGKILL = "no";
|
||||
};
|
||||
};
|
||||
# One shot systemd service to rollback NixOS using nixos-rebuild
|
||||
|
@ -118,6 +144,8 @@ in
|
|||
serviceConfig = {
|
||||
User = "root";
|
||||
ExecStart = "${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --rollback";
|
||||
KillMode = "none";
|
||||
SendSIGKILL = "no";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -2,18 +2,15 @@
|
|||
{
|
||||
services.selfprivacy-api = {
|
||||
enable = true;
|
||||
token = config.services.userdata.api.token;
|
||||
enableSwagger = config.services.userdata.api.enableSwagger;
|
||||
b2AccountId = config.services.userdata.backblaze.accountId;
|
||||
b2AccountKey = config.services.userdata.backblaze.accountKey;
|
||||
b2Bucket = config.services.userdata.backblaze.bucket;
|
||||
resticPassword = config.services.userdata.resticPassword;
|
||||
};
|
||||
|
||||
users.users."selfprivacy-api" = {
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "opendkim" ];
|
||||
group = "selfprivacy-api";
|
||||
};
|
||||
users.groups."selfprivacy-api" = {
|
||||
members = [ "selfprivacy-api" ];
|
||||
|
|
|
@ -24,12 +24,6 @@ in
|
|||
users.users.restic = {
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
group = "restic";
|
||||
};
|
||||
environment.etc."restic/resticPasswd".text = ''
|
||||
${cfg.resticPassword}
|
||||
'';
|
||||
environment.etc."restic/s3Passwd".text = ''
|
||||
AWS_ACCESS_KEY_ID=${cfg.backblaze.accountId}
|
||||
AWS_SECRET_ACCESS_KEY=${cfg.backblaze.accountKey}
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -9,9 +9,9 @@ in
|
|||
./variables-module.nix
|
||||
./variables.nix
|
||||
./files.nix
|
||||
./volumes.nix
|
||||
./users.nix
|
||||
./mailserver/system/mailserver.nix
|
||||
./mailserver/system/alps.nix
|
||||
./vpn/ocserv.nix
|
||||
./api/api.nix
|
||||
./api/api-module.nix
|
||||
|
@ -59,13 +59,16 @@ in
|
|||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
git
|
||||
jq
|
||||
];
|
||||
environment.variables = {
|
||||
DOMAIN = config.services.userdata.domain;
|
||||
};
|
||||
system.autoUpgrade.enable = config.services.userdata.autoUpgrade.enable;
|
||||
system.autoUpgrade.allowReboot = config.services.userdata.autoUpgrade.allowReboot;
|
||||
system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.05-small;
|
||||
system.autoUpgrade = {
|
||||
enable = config.services.userdata.autoUpgrade.enable;
|
||||
allowReboot = config.services.userdata.autoUpgrade.allowReboot;
|
||||
channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
|
||||
};
|
||||
nix = {
|
||||
optimise.automatic = true;
|
||||
gc = {
|
||||
|
@ -73,6 +76,7 @@ in
|
|||
options = "--delete-older-than 7d";
|
||||
};
|
||||
};
|
||||
services.journald.extraConfig = "SystemMaxUse=500M";
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
};
|
||||
|
|
89
files.nix
89
files.nix
|
@ -5,33 +5,78 @@ in
|
|||
{
|
||||
systemd.tmpfiles.rules =
|
||||
let
|
||||
nextcloudDBPass = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] cfg.nextcloud.databasePassword;
|
||||
nextcloudAdminPass = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] cfg.nextcloud.adminPassword;
|
||||
resticPass = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] cfg.resticPassword;
|
||||
domain = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] cfg.domain;
|
||||
cloudflareCredentials = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
|
||||
CF_API_KEY=${cfg.cloudflare.apiKey}
|
||||
CLOUDFLARE_DNS_API_TOKEN=${cfg.cloudflare.apiKey}
|
||||
CLOUDFLARE_ZONE_API_TOKEN=${cfg.cloudflare.apiKey}
|
||||
'';
|
||||
rcloneConfig = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
|
||||
[backblaze]
|
||||
type = b2
|
||||
account = ${cfg.backblaze.accountId}
|
||||
key = ${cfg.backblaze.accountKey}
|
||||
'';
|
||||
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
||||
in
|
||||
[
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||
"d /var/lib/restic 0600 restic - - -"
|
||||
"f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
|
||||
"f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
|
||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
|
||||
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
|
||||
"f+ /var/lib/cloudflare/Credentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
|
||||
];
|
||||
system.activationScripts =
|
||||
let
|
||||
jq = "${pkgs.jq}/bin/jq";
|
||||
sed = "${pkgs.gnused}/bin/sed";
|
||||
in
|
||||
{
|
||||
nextcloudSecrets =
|
||||
if cfg.nextcloud.enable then ''
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
|
||||
chmod 0440 /var/lib/nextcloud/db-pass
|
||||
chown nextcloud:nextcloud /var/lib/nextcloud/db-pass
|
||||
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
|
||||
chmod 0440 /var/lib/nextcloud/admin-pass
|
||||
chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
|
||||
''
|
||||
else ''
|
||||
rm -f /var/lib/nextcloud/db-pass
|
||||
rm -f /var/lib/nextcloud/admin-pass
|
||||
'';
|
||||
cloudflareCredentials = ''
|
||||
mkdir -p /var/lib/cloudflare
|
||||
chmod 0440 /var/lib/cloudflare
|
||||
chown nginx:acmerecievers /var/lib/cloudflare
|
||||
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
|
||||
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
||||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
||||
'';
|
||||
resticCredentials = ''
|
||||
mkdir -p /root/.config/rclone
|
||||
chmod 0400 /root/.config/rclone
|
||||
chown root:root /root/.config/rclone
|
||||
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
||||
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
||||
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
||||
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
||||
|
||||
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
|
||||
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
|
||||
|
||||
chmod 0400 /root/.config/rclone/rclone.conf
|
||||
chown root:root /root/.config/rclone/rclone.conf
|
||||
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
||||
chmod 0400 /var/lib/restic/pass
|
||||
chown restic /var/lib/restic/pass
|
||||
'';
|
||||
pleromaCredentials =
|
||||
if cfg.pleroma.enable then ''
|
||||
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
||||
echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs
|
||||
echo ' password: "REPLACEME"' >> /var/lib/pleroma/secrets.exs
|
||||
|
||||
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs
|
||||
|
||||
chmod 0750 /var/lib/pleroma/secrets.exs
|
||||
chown pleroma:pleroma /var/lib/pleroma/secrets.exs
|
||||
'' else ''
|
||||
rm -f /var/lib/pleroma/secrets.exs
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,8 +1,14 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
"/var/lib/gitea" = {
|
||||
device = "/volumes/${cfg.gitea.location}/gitea";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
services = {
|
||||
gitea = {
|
||||
enable = cfg.gitea.enable;
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
{ lib, fetchgit, buildGoModule, ... }:
|
||||
buildGoModule rec {
|
||||
pname = "alps";
|
||||
version = "v1.0.0"; # latest available tag at the moment
|
||||
|
||||
src = fetchGit {
|
||||
url = "https://git.selfprivacy.org/ilchub/selfprivacy-alps";
|
||||
rev = "dc2109ca2fdabfbda5d924faa4947f5694d5d758";
|
||||
};
|
||||
|
||||
vendorSha256 = "0bqg0qjam4mvh07wfil6l5spz32mk5a7kfxxnwfyva805pzmn6dk";
|
||||
|
||||
deleteVendor = false;
|
||||
runVend = true;
|
||||
|
||||
buildPhase = ''
|
||||
go build ./cmd/alps
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
cp -r * $out/bin
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Webmail application for the dovecot/postfix mailserver";
|
||||
homepage = "https://git.selfprivacy.org/ilchub/selfprivacy-alps";
|
||||
license = licenses.mit;
|
||||
};
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
{ pkgs, config, lib, fetchgit, buildGoModule, ... }:
|
||||
let domain = config.services.userdata.domain;
|
||||
in
|
||||
{
|
||||
nixpkgs.overlays =
|
||||
[ (self: super: { alps = self.callPackage ./alps-package.nix { }; }) ];
|
||||
|
||||
systemd.services = {
|
||||
alps = {
|
||||
path = [ pkgs.alps pkgs.coreutils ];
|
||||
serviceConfig = {
|
||||
ExecStart =
|
||||
"${pkgs.alps}/bin/alps -theme sourcehut imaps://${domain}:993 smtps://${domain}:465";
|
||||
WorkingDirectory = "${pkgs.alps}/bin";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -13,6 +13,17 @@ in
|
|||
})
|
||||
];
|
||||
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
"/var/vmail" = {
|
||||
device = "/volumes/${cfg.email.location}/vmail";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
"/var/sieve" = {
|
||||
device = "/volumes/${cfg.email.location}/sieve";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
||||
users.users = {
|
||||
virtualMail = {
|
||||
isNormalUser = false;
|
||||
|
|
|
@ -1,11 +1,17 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
"/var/lib/nextcloud" = {
|
||||
device = "/volumes/${cfg.nextcloud.location}/nextcloud";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
services.nextcloud = {
|
||||
enable = cfg.nextcloud.enable;
|
||||
package = pkgs.nextcloud22;
|
||||
package = pkgs.nextcloud23;
|
||||
hostName = "cloud.${cfg.domain}";
|
||||
|
||||
# Use HTTPS for links
|
||||
|
|
|
@ -1,9 +1,19 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
services.bitwarden_rs = {
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
"/var/lib/bitwarden" = {
|
||||
device = "/volumes/${cfg.bitwarden.location}/bitwarden";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
"/var/lib/bitwarden_rs" = {
|
||||
device = "/volumes/${cfg.bitwarden.location}/bitwarden_rs";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
services.vaultwarden = {
|
||||
enable = cfg.bitwarden.enable;
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/var/lib/bitwarden/backup";
|
||||
|
|
|
@ -22,9 +22,8 @@ config :pleroma, :media_proxy,
|
|||
config :pleroma, Pleroma.Repo,
|
||||
adapter: Ecto.Adapters.Postgres,
|
||||
username: "pleroma",
|
||||
password: "$DB_PASSWORD",
|
||||
database: "pleroma",
|
||||
hostname: "localhost",
|
||||
socket_dir: "/run/postgresql",
|
||||
pool_size: 10
|
||||
|
||||
#config :web_push_encryption, :vapid_details,
|
||||
|
@ -41,4 +40,4 @@ config :pleroma, :http_security,
|
|||
|
||||
#config :joken, default_signer: ""
|
||||
|
||||
config :pleroma, configurable_from_database: false
|
||||
config :pleroma, configurable_from_database: true
|
||||
|
|
|
@ -1,133 +0,0 @@
|
|||
{ config, options, lib, pkgs, stdenv, ... }:
|
||||
let
|
||||
cfg = config.services.pleroma;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.pleroma = with lib; {
|
||||
enable = mkEnableOption "pleroma";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.pleroma-otp;
|
||||
description = "Pleroma package to use.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "pleroma";
|
||||
description = "User account under which pleroma runs.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "pleroma";
|
||||
description = "Group account under which pleroma runs.";
|
||||
};
|
||||
|
||||
stateDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/pleroma";
|
||||
readOnly = true;
|
||||
description = "Directory where the pleroma service will save the uploads and static files.";
|
||||
};
|
||||
|
||||
configs = mkOption {
|
||||
type = with types; listOf str;
|
||||
description = ''
|
||||
Pleroma public configuration.
|
||||
This list gets appended from left to
|
||||
right into /etc/pleroma/config.exs. Elixir evaluates its
|
||||
configuration imperatively, meaning you can override a
|
||||
setting by appending a new str to this NixOS option list.
|
||||
<emphasis>DO NOT STORE ANY PLEROMA SECRET
|
||||
HERE</emphasis>, use
|
||||
<link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
|
||||
instead.
|
||||
This setting is going to be stored in a file part of
|
||||
the Nix store. The Nix store being world-readable, it's not
|
||||
the right place to store any secret
|
||||
Have a look to Pleroma section in the NixOS manual for more
|
||||
informations.
|
||||
'';
|
||||
};
|
||||
|
||||
secretConfigFile = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/pleroma/secrets.exs";
|
||||
description = ''
|
||||
Path to the file containing your secret pleroma configuration.
|
||||
<emphasis>DO NOT POINT THIS OPTION TO THE NIX
|
||||
STORE</emphasis>, the store being world-readable, it'll
|
||||
compromise all your secrets.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users = {
|
||||
users."${cfg.user}" = {
|
||||
description = "Pleroma user";
|
||||
home = cfg.stateDir;
|
||||
extraGroups = [ cfg.group ];
|
||||
};
|
||||
groups."${cfg.group}" = { };
|
||||
};
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
environment.etc."/pleroma/config.exs".text = ''
|
||||
${lib.concatMapStrings (x: "${x}") cfg.configs}
|
||||
# The lau/tzdata library is trying to download the latest
|
||||
# timezone database in the OTP priv directory by default.
|
||||
# This directory being in the store, it's read-only.
|
||||
# Setting that up to a more appropriate location.
|
||||
config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data"
|
||||
import_config "${cfg.secretConfigFile}"
|
||||
'';
|
||||
|
||||
systemd.services.pleroma = {
|
||||
description = "Pleroma social network";
|
||||
after = [ "network-online.target" "postgresql.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
Type = "exec";
|
||||
WorkingDirectory = "~";
|
||||
StateDirectory = "pleroma pleroma/static pleroma/uploads";
|
||||
StateDirectoryMode = "700";
|
||||
|
||||
# Checking the conf file is there then running the database
|
||||
# migration before each service start, just in case there are
|
||||
# some pending ones.
|
||||
#
|
||||
# It's sub-optimal as we'll always run this, even if pleroma
|
||||
# has not been updated. But the no-op process is pretty fast.
|
||||
# Better be safe than sorry migration-wise.
|
||||
ExecStartPre =
|
||||
let preScript = pkgs.writers.writeBashBin "pleromaStartPre"
|
||||
"${cfg.package}/bin/pleroma_ctl migrate";
|
||||
in "${preScript}/bin/pleromaStartPre";
|
||||
|
||||
ExecStart = "${cfg.package}/bin/pleroma start";
|
||||
ExecStop = "${cfg.package}/bin/pleroma stop";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
|
||||
# Systemd sandboxing directives.
|
||||
# Taken from the upstream contrib systemd service at
|
||||
# pleroma/installation/pleroma.service
|
||||
PrivateTmp = true;
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "full";
|
||||
PrivateDevices = false;
|
||||
NoNewPrivileges = true;
|
||||
CapabilityBoundingSet = "~CAP_SYS_ADMIN";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
meta.maintainers = with lib.maintainers; [ ninjatrappeur ];
|
||||
}
|
|
@ -1,69 +0,0 @@
|
|||
{ lib
|
||||
, stdenv
|
||||
, autoPatchelfHook
|
||||
, fetchurl
|
||||
, file
|
||||
, makeWrapper
|
||||
, ncurses
|
||||
, nixosTests
|
||||
, openssl
|
||||
, unzip
|
||||
, zlib
|
||||
}:
|
||||
stdenv.mkDerivation {
|
||||
pname = "pleroma-otp";
|
||||
version = "2.3.0";
|
||||
|
||||
# To find the latest binary release stable link, have a look at
|
||||
# the CI pipeline for the latest commit of the stable branch
|
||||
# https://git.pleroma.social/pleroma/pleroma/-/tree/stable
|
||||
src = {
|
||||
aarch64-linux = fetchurl {
|
||||
url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/182392/artifacts/download";
|
||||
sha256 = "1drpd6xh7m2damxi5impb8jwvjl6m3qv5yxynl12i8g66vi3rbwf";
|
||||
};
|
||||
x86_64-linux = fetchurl {
|
||||
url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/182388/artifacts/download";
|
||||
sha256 = "1c6l04gga9iigm249ywwcrjg6wzy8iiid652mws3j9dnl71w2sim";
|
||||
};
|
||||
}."${stdenv.hostPlatform.system}";
|
||||
|
||||
nativeBuildInputs = [ unzip ];
|
||||
|
||||
buildInputs = [
|
||||
autoPatchelfHook
|
||||
file
|
||||
makeWrapper
|
||||
ncurses
|
||||
openssl
|
||||
zlib
|
||||
];
|
||||
|
||||
# mkDerivation fails to detect the zip nature of $src due to the
|
||||
# missing .zip extension.
|
||||
# Let's unpack the archive explicitely.
|
||||
unpackCmd = "unzip $curSrc";
|
||||
|
||||
installPhase = ''
|
||||
mkdir $out
|
||||
cp -r * $out'';
|
||||
|
||||
# Pleroma is using the project's root path (here the store path)
|
||||
# as its TMPDIR.
|
||||
# Patching it to move the tmp dir to the actual tmpdir
|
||||
postFixup = ''
|
||||
wrapProgram $out/bin/pleroma --set-default RELEASE_TMP "/tmp"
|
||||
wrapProgram $out/bin/pleroma_ctl --set-default RELEASE_TMP "/tmp"'';
|
||||
|
||||
passthru.tests = {
|
||||
pleroma = nixosTests.pleroma;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description = "ActivityPub microblogging server";
|
||||
homepage = https://git.pleroma.social/pleroma/pleroma;
|
||||
license = licenses.agpl3;
|
||||
maintainers = with maintainers; [ ninjatrappeur ];
|
||||
platforms = [ "x86_64-linux" "aarch64-linux" ];
|
||||
};
|
||||
}
|
|
@ -1,13 +1,18 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
nixpkgs.overlays = [
|
||||
(self: super: {
|
||||
pleroma-otp = self.callPackage ./pleroma-package.nix { };
|
||||
})
|
||||
];
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
"/var/lib/pleroma" = {
|
||||
device = "/volumes/${cfg.pleroma.location}/pleroma";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
"/var/lib/postgresql" = {
|
||||
device = "/volumes/${cfg.pleroma.location}/postgresql";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
services = {
|
||||
pleroma = {
|
||||
enable = cfg.pleroma.enable;
|
||||
|
@ -15,8 +20,8 @@ in
|
|||
group = "pleroma";
|
||||
configs = [
|
||||
(builtins.replaceStrings
|
||||
[ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ]
|
||||
[ cfg.domain cfg.username cfg.databasePassword ]
|
||||
[ "$DOMAIN" "$LUSER" ]
|
||||
[ cfg.domain cfg.username ]
|
||||
(builtins.readFile ./config.exs))
|
||||
];
|
||||
};
|
||||
|
@ -24,10 +29,21 @@ in
|
|||
enable = true;
|
||||
package = pkgs.postgresql_12;
|
||||
initialScript = "/etc/setup.psql";
|
||||
ensureDatabases = [
|
||||
"pleroma"
|
||||
];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "pleroma";
|
||||
ensurePermissions = {
|
||||
"DATABASE pleroma" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
environment.etc."setup.psql".text = ''
|
||||
CREATE USER pleroma WITH ENCRYPTED PASSWORD '${cfg.databasePassword}';
|
||||
CREATE USER pleroma;
|
||||
CREATE DATABASE pleroma OWNER pleroma;
|
||||
\c pleroma;
|
||||
--Extensions made by ecto.migrate that need superuser access
|
||||
|
@ -39,5 +55,6 @@ in
|
|||
extraGroups = [ "postgres" ];
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
group = "pleroma";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
{
|
||||
"$schema": "http://json-schema.org/schema#",
|
||||
"$id": "https://git.selfprivacy.org/inex/selfprivacy-nixos-config/raw/branch/master/userdata/tokens_schema.json",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"tokens": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"token": {
|
||||
"type": "string"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"token",
|
||||
"name",
|
||||
"date"
|
||||
]
|
||||
}
|
||||
},
|
||||
"recovery_token": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"token": {
|
||||
"type": "string"
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
},
|
||||
"expiration": {
|
||||
"type": "string"
|
||||
},
|
||||
"uses_left": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"token",
|
||||
"date"
|
||||
]
|
||||
},
|
||||
"new_device": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"token": {
|
||||
"type": "string"
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
},
|
||||
"expiration": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"token",
|
||||
"date",
|
||||
"expiration"
|
||||
]
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"tokens"
|
||||
]
|
||||
}
|
|
@ -17,7 +17,7 @@ in
|
|||
value = {
|
||||
isNormalUser = true;
|
||||
hashedPassword = user.hashedPassword;
|
||||
openssh.authorizedKeys.keys = (if user ? sshKeys then user.sshKeys else []);
|
||||
openssh.authorizedKeys.keys = (if user ? sshKeys then user.sshKeys else [ ]);
|
||||
};
|
||||
})
|
||||
cfg.users);
|
||||
|
|
|
@ -11,10 +11,6 @@ let
|
|||
in
|
||||
{
|
||||
options.services.userdata = {
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
# General server options
|
||||
hostname = mkOption {
|
||||
description = "The hostname of the server.";
|
||||
|
@ -71,12 +67,6 @@ in
|
|||
# API options #
|
||||
###############
|
||||
api = {
|
||||
token = mkOption {
|
||||
description = ''
|
||||
API token used to authenticate with the server
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
enableSwagger = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
|
@ -100,57 +90,43 @@ in
|
|||
description = "Bucket name used for userdata backups";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
accountId = mkOption {
|
||||
description = "Backblaze B2 Account ID";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
accountKey = mkOption {
|
||||
description = "Backblaze B2 Account Key.";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
cloudflare = {
|
||||
apiKey = mkOption {
|
||||
description = "Cloudflare API Key.";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
##############
|
||||
# Services #
|
||||
##############
|
||||
databasePassword = mkOption {
|
||||
description = ''
|
||||
Password for the database
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
bitwarden = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
email = {
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
gitea = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
nextcloud = {
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
databasePassword = mkOption {
|
||||
description = ''
|
||||
Password for the nextcloud database
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
adminPassword = mkOption {
|
||||
description = ''
|
||||
Password for the nextcloud admin user
|
||||
'';
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
|
@ -159,6 +135,10 @@ in
|
|||
default = false;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
jitsi = {
|
||||
enable = mkOption {
|
||||
|
@ -172,15 +152,6 @@ in
|
|||
type = types.nullOr types.bool;
|
||||
};
|
||||
};
|
||||
#############
|
||||
# Backups #
|
||||
#############
|
||||
resticPassword = mkOption {
|
||||
description = ''
|
||||
Password for the restic
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
#########
|
||||
# SSH #
|
||||
#########
|
||||
|
@ -214,5 +185,19 @@ in
|
|||
type = types.nullOr (types.listOf (types.attrsOf types.anything));
|
||||
default = [ ];
|
||||
};
|
||||
##############
|
||||
# Volumes #
|
||||
##############
|
||||
volumes = mkOption {
|
||||
description = ''
|
||||
Volumes that will be created on the server
|
||||
'';
|
||||
type = types.nullOr (types.listOf (types.attrsOf types.anything));
|
||||
default = [ ];
|
||||
};
|
||||
useBinds = mkOption {
|
||||
type = types.nullOr types.bool;
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,58 @@
|
|||
{ pkgs, ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
let
|
||||
jsonData = builtins.fromJSON (builtins.readFile ./userdata/userdata.json);
|
||||
in
|
||||
{
|
||||
services = {
|
||||
userdata = builtins.fromJSON (builtins.readFile ./userdata/userdata.json);
|
||||
services.userdata = {
|
||||
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
|
||||
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
|
||||
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
|
||||
autoUpgrade = {
|
||||
enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
|
||||
allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
|
||||
};
|
||||
username = lib.attrsets.attrByPath [ "username" ] null jsonData;
|
||||
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
||||
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
||||
api = {
|
||||
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
|
||||
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
||||
};
|
||||
backblaze = {
|
||||
bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
|
||||
};
|
||||
bitwarden = {
|
||||
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
|
||||
location = lib.attrsets.attrByPath [ "bitwarden" "location" ] "sda1" jsonData;
|
||||
};
|
||||
gitea = {
|
||||
enable = lib.attrsets.attrByPath [ "gitea" "enable" ] false jsonData;
|
||||
location = lib.attrsets.attrByPath [ "gitea" "location" ] "sda1" jsonData;
|
||||
};
|
||||
nextcloud = {
|
||||
enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData;
|
||||
location = lib.attrsets.attrByPath [ "nextcloud" "location" ] "sda1" jsonData;
|
||||
};
|
||||
pleroma = {
|
||||
enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
|
||||
location = lib.attrsets.attrByPath [ "pleroma" "location" ] "sda1" jsonData;
|
||||
};
|
||||
jitsi = {
|
||||
enable = lib.attrsets.attrByPath [ "jitsi" "enable" ] false jsonData;
|
||||
};
|
||||
ocserv = {
|
||||
enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
|
||||
};
|
||||
ssh = {
|
||||
enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
|
||||
rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;
|
||||
passwordAuthentication = lib.attrsets.attrByPath [ "ssh" "passwordAuthentication" ] true jsonData;
|
||||
};
|
||||
email = {
|
||||
location = lib.attrsets.attrByPath [ "email" "location" ] "sda1" jsonData;
|
||||
};
|
||||
users = lib.attrsets.attrByPath [ "users" ] [ ] jsonData;
|
||||
volumes = lib.attrsets.attrByPath [ "volumes" ] [ ] jsonData;
|
||||
useBinds = lib.attrsets.attrByPath [ "useBinds" ] false jsonData;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
{ pkgs, config, ... }:
|
||||
let
|
||||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
fileSystems = { } // builtins.listToAttrs (builtins.map
|
||||
(volume: {
|
||||
name = "${volume.mountPoint}";
|
||||
value = {
|
||||
device = "${volume.device}";
|
||||
fsType = "${volume.fsType}";
|
||||
};
|
||||
})
|
||||
cfg.volumes);
|
||||
}
|
|
@ -10,6 +10,7 @@ in
|
|||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "ocserv" "acmerecievers" ];
|
||||
group = "ocserv";
|
||||
};
|
||||
services.ocserv = {
|
||||
enable = config.services.userdata.ocserv.enable;
|
||||
|
|
|
@ -126,6 +126,7 @@ in
|
|||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:5050";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue