feat: Migrate to flakes

Merge pull request 'add nix experimental-features for flakes' (#49 ) from experimental-features into master
Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#49 Reviewed-by: Inex Code <inex.code@selfprivacy.org>
2024-01-19 14:50:25 +03:00 · 2023-11-09 15:43:17 +02:00 · 2023-11-09 17:35:24 +04:00 · 2023-10-31 18:28:19 +02:00 · 2023-10-31 17:27:46 +03:00 · 2023-10-31 17:22:15 +03:00
15 changed files with 163 additions and 133 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 userdata/userdata.json
 userdata/tokens.json
 hardware-configuration.nix
-networking.nix
+networking.nix
+/result
--- a/api/api-module.nix
+++ b/api/api-module.nix
@ -18,19 +18,6 @@ in
        Enable SelfPrivacy API service
      '';
    };
-    enableSwagger = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Enable Swagger UI
-      '';
-    };
-    b2Bucket = mkOption {
-      type = types.str;
-      description = ''
-        B2 bucket
-      '';
-    };
  };
  config = lib.mkIf cfg.enable {

@ -40,8 +27,6 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
-        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
-        B2_BUCKET = cfg.b2Bucket;
      } // config.networking.proxy.envVars;
      path = [
        "/var/"
@ -53,11 +38,14 @@ in
        pkgs.gitMinimal
        config.nix.package.out
        pkgs.nixos-rebuild
+        pkgs.rclone
        pkgs.restic
        pkgs.mkpasswd
        pkgs.util-linux
        pkgs.e2fsprogs
        pkgs.iproute2
+        pkgs.fuse-overlayfs
+        pkgs.fuse
      ];
      after = [ "network-online.target" ];
      wantedBy = [ "network-online.target" ];
@ -74,9 +62,7 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
-        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
-        B2_BUCKET = cfg.b2Bucket;
-        PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.9/site-packages/";
+        PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
      } // config.networking.proxy.envVars;
      path = [
        "/var/"
@ -88,17 +74,20 @@ in
        pkgs.gitMinimal
        config.nix.package.out
        pkgs.nixos-rebuild
+        pkgs.rclone
        pkgs.restic
        pkgs.mkpasswd
        pkgs.util-linux
        pkgs.e2fsprogs
        pkgs.iproute2
+        pkgs.fuse-overlayfs
+        pkgs.fuse
      ];
      after = [ "network-online.target" ];
      wantedBy = [ "network-online.target" ];
      serviceConfig = {
        User = "root";
-        ExecStart = "${pkgs.python39Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
+        ExecStart = "${pkgs.python310Packages.huey}/bin/huey_consumer.py selfprivacy_api.task_registry.huey";
        Restart = "always";
        RestartSec = "5";
      };
--- a/api/api.nix
+++ b/api/api.nix
@ -2,8 +2,6 @@
 {
  services.selfprivacy-api = {
    enable = true;
-    enableSwagger = config.services.userdata.api.enableSwagger;
-    b2Bucket = config.services.userdata.backblaze.bucket;
  };

  users.users."selfprivacy-api" = {
--- a/backup/restic.nix
+++ b/backup/restic.nix
@ -1,29 +0,0 @@
-{ config, pkgs, ... }:
-let
-  cfg = config.services.userdata;
-in
-{
-  services.restic.backups = {
-    options = {
-      passwordFile = "/etc/restic/resticPasswd";
-      repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
-      initialize = true;
-      paths = [
-        "/var/dkim"
-        "/var/vmail"
-      ];
-      timerConfig = {
-        OnCalendar = [ "daily" ];
-      };
-      user = "restic";
-      pruneOpts = [
-        "--keep-daily 5"
-      ];
-    };
-  };
-  users.users.restic = {
-    isNormalUser = false;
-    isSystemUser = true;
-    group = "restic";
-  };
-}
--- a/configuration.nix
+++ b/configuration.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/master.tar.gz";
+  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz";
  nix-overlay = (import (builtins.fetchTarball url-overlay));
 in
 {
@ -18,7 +18,6 @@ in
    ./social/pleroma.nix
    ./letsencrypt/acme.nix
    ./letsencrypt/resolve.nix
-    ./backup/restic.nix
    ./passmgr/bitwarden.nix
    ./webserver/nginx.nix
    ./webserver/memcached.nix
@ -30,6 +29,26 @@ in

  nixpkgs.overlays = [ (nix-overlay) ];

+  services.redis.servers.sp-api = {
+    enable = true;
+    save = [
+      [
+        30
+        1
+      ]
+      [
+        10
+        10
+      ]
+    ];
+    port = 0;
+    settings = {
+      notify-keyspace-events = "KEA";
+    };
+  };
+
+  services.do-agent.enable = if config.services.userdata.server.provider == "DIGITALOCEAN" then true else false;
+
  boot.cleanTmpDir = true;
  networking = {
    hostName = config.services.userdata.hostname;
@ -54,7 +73,7 @@ in
    openFirewall = false;
  };
  programs.ssh = {
-    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
+    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
    hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
  };
  environment.systemPackages = with pkgs; [
@ -69,12 +88,16 @@ in
    allowReboot = config.services.userdata.autoUpgrade.allowReboot;
    channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
  };
+  system.stateVersion = config.services.userdata.stateVersion;
  nix = {
    optimise.automatic = true;
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
+    extraOptions = ''
+      experimental-features = nix-command flakes repl-flake
+    '';
  };
  services.journald.extraConfig = "SystemMaxUse=500M";
  boot.kernel.sysctl = {
--- a/files.nix
+++ b/files.nix
@ -1,6 +1,16 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.userdata;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
+    CLOUDFLARE = ''
+      CF_API_KEY=REPLACEME
+      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
+      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
+    '';
+    DESEC = "DESEC_TOKEN=REPLACEME";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
 in
 {
  systemd.tmpfiles.rules =
@ -8,12 +18,14 @@ in
      domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
    in
    [
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
-      "d /var/lib/restic 0600 restic - - -"
-      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
+      (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
+      "d /var/sieve 0770 virtualMail virtualMail - -"
+      "d /var/www/root 0750 nginx nginx - -"
    ];
  system.activationScripts =
    let
@ -40,32 +52,11 @@ in
        mkdir -p /var/lib/cloudflare
        chmod 0440 /var/lib/cloudflare
        chown nginx:acmerecievers /var/lib/cloudflare
-        echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
+        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
+        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
        chmod 0440 /var/lib/cloudflare/Credentials.ini
        chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
      '';
-      resticCredentials = ''
-        mkdir -p /root/.config/rclone
-        chmod 0400 /root/.config/rclone
-        chown root:root /root/.config/rclone
-        echo '[backblaze]' > /root/.config/rclone/rclone.conf
-        echo 'type = b2' >> /root/.config/rclone/rclone.conf
-        echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
-        echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
-
-        ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
-        ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
-
-        chmod 0400 /root/.config/rclone/rclone.conf
-        chown root:root /root/.config/rclone/rclone.conf
-
-        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
-        chmod 0400 /var/lib/restic/pass
-        chown restic /var/lib/restic/pass
-      '';
      pleromaCredentials =
        if cfg.pleroma.enable then ''
          echo 'import Config' > /var/lib/pleroma/secrets.exs
@ -79,5 +70,20 @@ in
        '' else ''
          rm -f /var/lib/pleroma/secrets.exs
        '';
+      bitwardenCredentials =
+        if cfg.bitwarden.enable then ''
+          mkdir -p /var/lib/bitwarden
+          token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
+          if [ "$token" == "null" ]; then
+            # If it's null, delete the contents of the file
+            > /var/lib/bitwarden/.env
+          else
+            echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
+          fi
+          chmod 0640 /var/lib/bitwarden/.env
+          chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
+        '' else ''
+          rm -f /var/lib/bitwarden/.env
+        '';
    };
 }
--- a/git/gitea.nix
+++ b/git/gitea.nix
@ -13,10 +13,10 @@ in
    gitea = {
      enable = cfg.gitea.enable;
      stateDir = "/var/lib/gitea";
-      log = {
-        rootPath = "/var/lib/gitea/log";
-        level = "Warn";
-      };
+#      log = {
+#        rootPath = "/var/lib/gitea/log";
+#        level = "Warn";
+#      };
      user = "gitea";
      database = {
        type = "sqlite3";
@ -26,10 +26,10 @@ in
        path = "/var/lib/gitea/data/gitea.db";
        createDatabase = true;
      };
-      ssh = {
-        enable = true;
-        clonePort = 22;
-      };
+      # ssh = {
+      #   enable = true;
+      #   clonePort = 22;
+      # };
      lfs = {
        enable = true;
        contentDir = "/var/lib/gitea/lfs";
@ -37,16 +37,17 @@ in
      appName = "SelfPrivacy git Service";
      repositoryRoot = "/var/lib/gitea/repositories";
      domain = "git.${cfg.domain}";
-      rootUrl = "https://${cfg.domain}/";
+      rootUrl = "https://git.${cfg.domain}/";
      httpAddress = "0.0.0.0";
      httpPort = 3000;
-      cookieSecure = true;
+#      cookieSecure = true;
      settings = {
        mailer = {
          ENABLED = false;
        };
        ui = {
          DEFAULT_THEME = "arc-green";
+          SHOW_USER_EMAIL = false;
        };
        picture = {
          DISABLE_GRAVATAR = true;
@ -57,6 +58,13 @@ in
        repository = {
          FORCE_PRIVATE = false;
        };
+        session = {
+          COOKIE_SECURE = true;
+        };
+        log = {
+          ROOT_PATH = "/var/lib/gitea/log";
+          LEVEL = "Warn";
+        };
      };
    };
  };
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.userdata;
+  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
 in
 {
  users.groups.acmerecievers = {
@ -8,20 +9,23 @@ in
  };
  security.acme = {
    acceptTerms = true;
-    email = "${cfg.username}@${cfg.domain}";
+    defaults = {
+      email = "${cfg.username}@${cfg.domain}";
+      server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
+      dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
+      reloadServices = [ "nginx" ];
+    };
    certs = lib.mkForce {
-      "${cfg.domain}" = {
+      "wildcard-${cfg.domain}" = {
        domain = "*.${cfg.domain}";
-        extraDomainNames = [ "${cfg.domain}" ];
        group = "acmerecievers";
-        dnsProvider = "cloudflare";
+        dnsProvider = lib.strings.toLower cfg.dns.provider;
        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
      };
-      "meet.${cfg.domain}" = {
-        domain = "meet.${cfg.domain}";
+      "${cfg.domain}" = {
+        domain = cfg.domain;
        group = "acmerecievers";
-        dnsProvider = "cloudflare";
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
+        webroot = "/var/lib/acme/acme-challenge";
      };
    };
  };
--- a/letsencrypt/resolve.nix
+++ b/letsencrypt/resolve.nix
@ -12,11 +12,6 @@ in
          Restart = "on-failure";
        };
      };
-      "nginx-config-reload" = {
-        serviceConfig = {
-          After = [ "acme-${domain}.service" ];
-        };
-      };
    };
  };
 }
--- a/mailserver/system/mailserver.nix
+++ b/mailserver/system/mailserver.nix
@ -6,10 +6,10 @@ in
  imports = [
    (builtins.fetchTarball {
      # Pick a commit from the branch you are interested in
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6d0d9fb9/nixos-mailserver-6d0d9fb9.tar.gz";

      # And set its hash
-      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+      sha256 = "sha256:0h35al73p15z9v8zb6hi5nq987sfl5wp4rm5c8947nlzlnsjl61x";
    })
  ];

--- a/nextcloud/nextcloud.nix
+++ b/nextcloud/nextcloud.nix
@ -11,7 +11,7 @@ in
  };
  services.nextcloud = {
    enable = cfg.nextcloud.enable;
-    package = pkgs.nextcloud23;
+    package = pkgs.nextcloud25;
    hostName = "cloud.${cfg.domain}";

    # Use HTTPS for links
--- a/passmgr/bitwarden.nix
+++ b/passmgr/bitwarden.nix
@ -17,6 +17,7 @@ in
    enable = cfg.bitwarden.enable;
    dbBackend = "sqlite";
    backupDir = "/var/lib/bitwarden/backup";
+    environmentFile = "/var/lib/bitwarden/.env";
    config = {
      domain = "https://password.${cfg.domain}/";
      signupsAllowed = true;
--- a/variables-module.nix
+++ b/variables-module.nix
@ -41,6 +41,13 @@ in
        type = types.nullOr types.bool;
      };
    };
+    stateVersion = mkOption {
+      description = ''
+        State version of the server
+      '';
+      type = types.str;
+      default = "22.11";
+    };
    ########################
    # Server admin options #
    ########################
@ -67,13 +74,6 @@ in
    # API options #
    ###############
    api = {
-      enableSwagger = mkOption {
-        default = true;
-        description = ''
-          Enable Swagger UI
-        '';
-        type = types.bool;
-      };
      skippedMigrations = mkOption {
        default = [ ];
        description = ''
@ -85,12 +85,28 @@ in
    #############
    #  Secrets  #
    #############
-    backblaze = {
+    dns = {
+      provider = mkOption {
+        description = "DNS provider that was defined at the initial setup process. Default is ClOUDFLARE";
+        type = types.nullOr types.str;
+      };
+      useStagingACME = mkOption {
+        description = "Use staging ACME server. Default is false";
+        type = types.nullOr types.bool;
+      };
+    };
+    backup = {
      bucket = mkOption {
        description = "Bucket name used for userdata backups";
        type = types.nullOr types.str;
      };
    };
+    server = {
+      provider = mkOption {
+        description = "Server provider that was defined at the initial setup process. Default is HETZNER";
+        type = types.nullOr types.str;
+      };
+    };
    ##############
    #  Services  #
    ##############
@ -171,7 +187,7 @@ in
        description = ''
          Password authentication for SSH
        '';
-        default = true;
+        default = false;
        type = types.nullOr types.bool;
      };
    };
--- a/variables.nix
+++ b/variables.nix
@ -7,6 +7,7 @@ in
    hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
    domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
    timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
+    stateVersion = lib.attrsets.attrByPath [ "stateVersion" ] "22.05" jsonData;
    autoUpgrade = {
      enable = lib.attrsets.attrByPath [ "autoUpgrade" "enable" ] true jsonData;
      allowReboot = lib.attrsets.attrByPath [ "autoUpgrade" "allowReboot" ] true jsonData;
@ -15,11 +16,17 @@ in
    hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
    sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
    api = {
-      enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
      skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
    };
-    backblaze = {
-      bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
+    dns = {
+      provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
+      useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
+    };
+    backup = {
+      bucket = lib.attrsets.attrByPath [ "backup" "bucket" ] (lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData) jsonData;
+    };
+    server = {
+      provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
    };
    bitwarden = {
      enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -20,8 +20,7 @@ in

    virtualHosts = {
      "${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        enableACME = true;
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -33,10 +32,15 @@ in
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          expires 10m;
        '';
+        locations = {
+          "/" = {
+            root = "/var/www/root";
+          };
+        };
      };
      "vpn.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -50,8 +54,8 @@ in
        '';
      };
      "git.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -70,8 +74,8 @@ in
        };
      };
      "cloud.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -90,8 +94,8 @@ in
        };
      };
      "password.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -110,8 +114,8 @@ in
        };
      };
      "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -131,8 +135,8 @@ in
        };
      };
      "social.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        root = "/var/www/social.${domain}";
        forceSSL = true;
        extraConfig = ''
@ -151,6 +155,13 @@ in
          };
        };
      };
+      "meet.${domain}" = {
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        forceSSL = true;
+        useACMEHost = "wildcard-${domain}";
+        enableACME = false;
+      };
    };
  };
 }
Author	SHA1	Message	Date
Inex Code	40f92d15d3	feat: Migrate to flakes	2024-01-19 14:50:25 +03:00
Inex Code	2c2bb80006	Merge pull request 'add nix experimental-features for flakes' (#49 ) from experimental-features into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#49 Reviewed-by: Inex Code <inex.code@selfprivacy.org>	2023-11-09 15:43:17 +02:00
Alexander Tomokhov	5685a9e128	add nix experimental-features for flakes	2023-11-09 17:35:24 +04:00
Inex Code	f8befb0e3d	Merge pull request 'Disable password auth and allow serving static files at root domain' (#48 ) from inex-oct-31 into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#48	2023-10-31 18:28:19 +02:00
Inex Code	1464d7f3bd	feat(nginx): Allow serving static files at root domain	2023-10-31 17:27:46 +03:00
Inex Code	d02524bb8f	refactor(ssh): Disable password auth by default	2023-10-31 17:22:15 +03:00
Inex Code	23155b3c96	feat(ssh): Allow ecdsa-sha2-nistp256 keys	2023-10-03 16:34:47 +03:00
Inex Code	6c07cc024b	fix: permissions for vaultwarden backups were too broad	2023-08-25 13:56:01 +03:00
Inex Code	5710f5892b	fix(email): make sure /var/sieve owned my mail user	2023-07-28 03:41:06 +03:00
Inex Code	325dc40f34	fix(acme): add dns propagation check exceptions	2023-07-28 03:01:30 +03:00
Inex Code	25d7bc6ec5	fix(acme): enable DNS propagation check	2023-07-22 00:01:29 +03:00
Inex Code	29b855818d	fix: acme retrieval	2023-07-21 20:59:34 +03:00
Inex Code	e0ad80b4ca	Revert "fix: rename the cert name" This reverts commit `e8a25ec565`.	2023-07-21 20:36:40 +03:00
Inex Code	e8a25ec565	fix: rename the cert name	2023-07-21 20:35:37 +03:00
Inex Code	d41cf6a4db	fix: do not use DNS challenge for root domain TLS Previous solution made ACME create two TXT records on the same subdomain, creating the conflict	2023-07-21 20:32:03 +03:00
Inex Code	2f0107ce3b	refactor: remove unused restic-related code	2023-07-21 17:51:12 +03:00
Inex Code	8f72f60286	refactor: remove restic credentials from post-installation scripts These are handled by API now.	2023-07-20 19:58:54 +03:00
Inex Code	58e4f3acd8	feat: update API deps	2023-07-20 19:52:24 +03:00
Inex Code	65b5a19777	Merge pull request 'fix: Reloading nginx after ACME' (#34 ) from nginx-reload-fix into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#34	2023-06-14 19:19:56 +03:00
Inex Code	60dd766846	fix: Reloading nginx after ACME	2023-06-14 19:19:49 +03:00
Inex Code	8006f83257	Merge pull request 'refactor(jitsi): Use the common TLS cert for Jitsi' (#33 ) from jitsi-tls-fix into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#33	2023-06-09 16:01:09 +03:00
Inex Code	74d35b16f2	fix(jitsi): disable gettings tls certs	2023-06-09 15:59:15 +03:00
Inex Code	dd020c3a7d	fix(acme): Disable DNS propagation check	2023-06-09 15:57:19 +03:00
Inex Code	ba1695c642	fix(jitsi): Use the common TLS cert	2023-06-09 14:06:22 +03:00
Inex Code	bc5778fdea	feat(dns): Add support for DigitalOcean DNS and DeSEC DNS (#31 ) Co-authored-by: inexcode <inex.code@selfprivacy.org> Co-authored-by: NaiJi ✨ <naiji@udongein.xyz> Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#31	2023-06-05 15:45:07 +03:00
Inex Code	8d99d1c78a	fix: Make bitwarden read the env file	2023-05-14 17:22:09 +03:00
Inex Code	5e64b08381	feat(bitwarden): Add admin token support	2023-05-03 10:48:57 +03:00
Inex Code	7e590ae60c	revert(gitea): Nix deprecations x2	2023-03-20 18:39:41 +03:00
Inex Code	eb36e9b265	revert(gitea): Nix deprecations	2023-03-20 18:36:32 +03:00
Inex Code	3626506e3a	fix: Conflicting Gitea log level	2023-03-20 18:31:39 +03:00
Inex Code	c8c69957b5	Merge pull request 'nixos-22.11' (#25 ) from nixos-22.11 into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#25	2023-03-20 17:23:02 +02:00
Inex Code	9a8af62e0b	fix: State Version type	2023-03-17 15:10:47 +03:00
Inex Code	a5b965f08f	fix(api): Python version	2023-03-17 15:09:13 +03:00
Inex Code	d7edf5a95d	chore(mailserver): Bump Mailserver to 22.11 release	2023-03-17 15:05:21 +03:00
Inex Code	bdaf88208f	fix: Huey version	2023-03-17 14:54:14 +03:00
Inex Code	2e175f8c10	feat: Add state version	2023-03-17 14:50:54 +03:00
Inex Code	497cf28ecc	fix: Change Gitea settings due to Nix deprecations	2023-03-17 14:50:40 +03:00
Inex Code	9c662d9629	chore: Change channel of overlay for testing	2023-03-17 14:38:48 +03:00
Inex Code	0500315ae0	chore(nextcloud): Upgrade Nextcloud to v25	2023-03-17 14:38:11 +03:00
Inex Code	d8f0922b8a	fix(gitea): incorrect root URL	2023-01-08 10:29:08 +02:00
Inex Code	ab0c3e113c	Merge pull request 'API 2.1.0 support' (#24 ) from api-redis into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#24	2022-12-30 20:35:45 +02:00
Inex Code	b4827e6e26	Merge branch 'master' into api-redis	2022-12-30 20:35:16 +02:00
Inex Code	bfe0d18090	chore: Switch to API 2.1.0	2022-12-30 21:34:23 +03:00
Inex Code	426d84f636	Merge pull request 'feat: opt-in to displaying gitea email on profile' (#23 ) from sova/selfprivacy-nixos-config:master into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#23 Reviewed-by: Inex Code <inex.code@selfprivacy.org>	2022-12-29 19:41:38 +02:00
sоvд[сова]	41edc9f26f	Merge pull request 'feat: set default gitea email display to false' (#1 ) from sova/gitea-default-email-display into master Reviewed-on: sova/selfprivacy-nixos-config#1	2022-12-28 16:49:00 +02:00
sоvд[сова]	5d3395648a	feat: set default gitea email display to false	2022-12-28 14:46:51 +00:00
Inex Code	1944739d28	chore(nextcloud): Upgrade Nextcloud to v24	2022-12-01 18:06:57 +03:00
Inex Code	08d8407a86	Merge pull request 'chore(mailserver): Update the simple-nixos-mailserver to the 22.05 version' (#21 ) from mailserver-22.05 into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#21	2022-12-01 17:02:30 +02:00
Inex Code	0d3e8c890c	Switch API branch to develop	2022-11-20 17:12:20 +03:00
Inex Code	3dd8ff1821	feat: add dns.useStagingACME option Used for testing environments, so we don't stumble upon ACME rate limits.	2022-11-16 11:02:20 +03:00
Inex Code	895a816ef5	fix: one more path to backups data	2022-11-08 02:55:26 +03:00
Inex Code	5210e610df	fix: path to backup backet	2022-11-08 02:49:12 +03:00
Inex Code	eab3d1e761	fix: path of the provider info	2022-11-08 02:41:18 +03:00
Inex Code	a59fbef22a	feat: Enable Digital Ocean agent when on DO	2022-11-08 01:44:28 +03:00
Inex Code	7a6f57def8	feat(userdata): Support for newer JSON schema of provider	2022-11-08 01:44:09 +03:00
Inex Code	e4ba827d5a	Merge branch '3rd-party-bumps/nextcloud-24' into api-redis	2022-11-04 11:57:09 +03:00
Inex Code	aeeffe42b1	feat: a redis database for SelfPrivacy API	2022-11-04 11:57:00 +03:00
Inex Code	399790e202	chore(nextcloud): Upgrade Nextcloud to v24	2022-10-28 11:52:47 +03:00
Inex Code	5f2ab0495b	chore(mailserver): Update the simple-nixos-mailserver to the 22.05 version	2022-10-20 23:19:04 +03:00