Merge pull request 'fix: Reloading nginx after ACME' (#34 ) from nginx-reload-fix into master

Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#34
fix: Reloading nginx after ACME
2023-06-14 19:19:56 +03:00 · 2023-06-14 19:19:49 +03:00 · 2023-06-09 16:01:09 +03:00 · 2023-06-09 15:59:15 +03:00 · 2023-06-09 15:57:19 +03:00 · 2023-06-09 14:06:22 +03:00
5 changed files with 38 additions and 15 deletions
--- a/files.nix
+++ b/files.nix
@ -1,6 +1,16 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.userdata;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
+    CLOUDFLARE = ''
+      CF_API_KEY=REPLACEME
+      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
+      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
+    '';
+    DESEC = "DESEC_TOKEN=REPLACEME";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
 in
 {
  systemd.tmpfiles.rules =
@ -14,6 +24,7 @@ in
      "d /var/lib/restic 0600 restic - - -"
      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
+      (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
    ];
  system.activationScripts =
    let
@ -40,9 +51,7 @@ in
        mkdir -p /var/lib/cloudflare
        chmod 0440 /var/lib/cloudflare
        chown nginx:acmerecievers /var/lib/cloudflare
-        echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
+        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
        chmod 0440 /var/lib/cloudflare/Credentials.ini
        chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
@ -79,5 +88,20 @@ in
        '' else ''
          rm -f /var/lib/pleroma/secrets.exs
        '';
+      bitwardenCredentials =
+        if cfg.bitwarden.enable then ''
+          mkdir -p /var/lib/bitwarden
+          token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
+          if [ "$token" == "null" ]; then
+            # If it's null, delete the contents of the file
+            > /var/lib/bitwarden/.env
+          else
+            echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
+          fi
+          chmod 0640 /var/lib/bitwarden/.env
+          chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
+        '' else ''
+          rm -f /var/lib/bitwarden/.env
+        '';
    };
 }
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -11,19 +11,15 @@ in
    defaults = {
      email = "${cfg.username}@${cfg.domain}";
      server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
+      dnsPropagationCheck = false;
+      reloadServices = [ "nginx" ];
    };
    certs = lib.mkForce {
      "${cfg.domain}" = {
        domain = "*.${cfg.domain}";
        extraDomainNames = [ "${cfg.domain}" ];
        group = "acmerecievers";
-        dnsProvider = "cloudflare";
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
-      };
-      "meet.${cfg.domain}" = {
-        domain = "meet.${cfg.domain}";
-        group = "acmerecievers";
-        dnsProvider = "cloudflare";
+        dnsProvider = lib.strings.toLower cfg.dns.provider;
        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
      };
    };
--- a/letsencrypt/resolve.nix
+++ b/letsencrypt/resolve.nix
@ -12,11 +12,6 @@ in
          Restart = "on-failure";
        };
      };
-      "nginx-config-reload" = {
-        serviceConfig = {
-          After = [ "acme-${domain}.service" ];
-        };
-      };
    };
  };
 }
--- a/passmgr/bitwarden.nix
+++ b/passmgr/bitwarden.nix
@ -17,6 +17,7 @@ in
    enable = cfg.bitwarden.enable;
    dbBackend = "sqlite";
    backupDir = "/var/lib/bitwarden/backup";
+    environmentFile = "/var/lib/bitwarden/.env";
    config = {
      domain = "https://password.${cfg.domain}/";
      signupsAllowed = true;
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -151,6 +151,13 @@ in
          };
        };
      };
+      "meet.${domain}" = {
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        forceSSL = true;
+        useACMEHost = domain;
+        enableACME = false;
+      };
    };
  };
 }
Author	SHA1	Message	Date
Inex Code	65b5a19777	Merge pull request 'fix: Reloading nginx after ACME' (#34 ) from nginx-reload-fix into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#34	2023-06-14 19:19:56 +03:00
Inex Code	60dd766846	fix: Reloading nginx after ACME	2023-06-14 19:19:49 +03:00
Inex Code	8006f83257	Merge pull request 'refactor(jitsi): Use the common TLS cert for Jitsi' (#33 ) from jitsi-tls-fix into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#33	2023-06-09 16:01:09 +03:00
Inex Code	74d35b16f2	fix(jitsi): disable gettings tls certs	2023-06-09 15:59:15 +03:00
Inex Code	dd020c3a7d	fix(acme): Disable DNS propagation check	2023-06-09 15:57:19 +03:00
Inex Code	ba1695c642	fix(jitsi): Use the common TLS cert	2023-06-09 14:06:22 +03:00
Inex Code	bc5778fdea	feat(dns): Add support for DigitalOcean DNS and DeSEC DNS (#31 ) Co-authored-by: inexcode <inex.code@selfprivacy.org> Co-authored-by: NaiJi ✨ <naiji@udongein.xyz> Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#31	2023-06-05 15:45:07 +03:00
Inex Code	8d99d1c78a	fix: Make bitwarden read the env file	2023-05-14 17:22:09 +03:00
Inex Code	5e64b08381	feat(bitwarden): Add admin token support	2023-05-03 10:48:57 +03:00