forked from SelfPrivacy/selfprivacy-nixos-infect
Illia Chub
commit
aa1530c0bf
|
|
@ -42,12 +42,13 @@ makeConf() {
|
||||||
$network_import
|
$network_import
|
||||||
$NIXOS_IMPORT
|
$NIXOS_IMPORT
|
||||||
./files.nix
|
./files.nix
|
||||||
|
./users.nix
|
||||||
./mailserver/system/mailserver.nix
|
./mailserver/system/mailserver.nix
|
||||||
./mailserver/system/alps.nix
|
./mailserver/system/alps.nix
|
||||||
./vpn/ocserv.nix
|
./vpn/ocserv.nix
|
||||||
./api/api.nix
|
./api/api.nix
|
||||||
./api/api-module.nix
|
./api/api-module.nix
|
||||||
./social/pleroma-module.nix
|
#./social/pleroma-module.nix
|
||||||
./social/pleroma.nix
|
./social/pleroma.nix
|
||||||
./letsencrypt/acme.nix
|
./letsencrypt/acme.nix
|
||||||
./letsencrypt/resolve.nix
|
./letsencrypt/resolve.nix
|
||||||
|
|
@ -68,6 +69,7 @@ makeConf() {
|
||||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
|
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
|
||||||
allowedUDPPorts = lib.mkForce [ 8443 ];
|
allowedUDPPorts = lib.mkForce [ 8443 ];
|
||||||
};
|
};
|
||||||
|
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||||
};
|
};
|
||||||
time.timeZone = "Europe/Uzhgorod";
|
time.timeZone = "Europe/Uzhgorod";
|
||||||
i18n.defaultLocale = "en_GB.UTF-8";
|
i18n.defaultLocale = "en_GB.UTF-8";
|
||||||
|
|
@ -92,7 +94,7 @@ makeConf() {
|
||||||
};
|
};
|
||||||
system.autoUpgrade.enable = true;
|
system.autoUpgrade.enable = true;
|
||||||
system.autoUpgrade.allowReboot = false;
|
system.autoUpgrade.allowReboot = false;
|
||||||
system.autoUpgrade.channel = https://nixos.org/channels/nixos-20.09-small;
|
system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.05-small;
|
||||||
nix = {
|
nix = {
|
||||||
optimise.automatic = true;
|
optimise.automatic = true;
|
||||||
gc = {
|
gc = {
|
||||||
|
|
@ -115,13 +117,6 @@ makeConf() {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
users.mutableUsers = false;
|
|
||||||
users.users = {
|
|
||||||
"$LUSER" = {
|
|
||||||
isNormalUser = true;
|
|
||||||
hashedPassword = "$HASHED_PASSWORD";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
# If you rerun this later, be sure to prune the filesSystems attr
|
# If you rerun this later, be sure to prune the filesSystems attr
|
||||||
|
|
@ -173,6 +168,23 @@ EOF
|
||||||
"f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}"
|
"f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat > /etc/nixos/users.nix << EOF
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
users.mutableUsers = false;
|
||||||
|
users = {
|
||||||
|
users = {
|
||||||
|
#begin
|
||||||
|
"$LUSER" = {
|
||||||
|
isNormalUser = true;
|
||||||
|
hashedPassword = "$HASHED_PASSWORD";
|
||||||
|
};
|
||||||
|
#end
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/nixos/mailserver/system/mailserver.nix << EOF
|
cat > /etc/nixos/mailserver/system/mailserver.nix << EOF
|
||||||
|
|
@ -181,10 +193,10 @@ EOF
|
||||||
imports = [
|
imports = [
|
||||||
(builtins.fetchTarball {
|
(builtins.fetchTarball {
|
||||||
# Pick a commit from the branch you are interested in
|
# Pick a commit from the branch you are interested in
|
||||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/99f843de/nixos-mailserver-99f843de.tar.gz";
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
|
||||||
|
|
||||||
# And set its hash
|
# And set its hash
|
||||||
sha256 = "1af7phs8a2j26ywsm5mfhzvqmy0wdsph7ajs9s65c4r1bfq646fw";
|
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
@ -192,6 +204,13 @@ EOF
|
||||||
enablePAM = lib.mkForce true;
|
enablePAM = lib.mkForce true;
|
||||||
showPAMFailure = lib.mkForce true;
|
showPAMFailure = lib.mkForce true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users = {
|
||||||
|
virtualMail = {
|
||||||
|
isNormalUser = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
mailserver = {
|
mailserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "$DOMAIN";
|
fqdn = "$DOMAIN";
|
||||||
|
|
@ -303,6 +322,7 @@ EOF
|
||||||
};
|
};
|
||||||
users.users.restic = {
|
users.users.restic = {
|
||||||
isNormalUser = false;
|
isNormalUser = false;
|
||||||
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
environment.etc."restic/resticPasswd".text = ''
|
environment.etc."restic/resticPasswd".text = ''
|
||||||
$PASSWORD
|
$PASSWORD
|
||||||
|
|
@ -455,7 +475,7 @@ EOF
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "memcached";
|
user = "memcached";
|
||||||
listen = "127.0.0.1";
|
listen = "127.0.0.1";
|
||||||
port = "11211";
|
port = 11211;
|
||||||
maxMemory = 64;
|
maxMemory = 64;
|
||||||
maxConnections = 1024;
|
maxConnections = 1024;
|
||||||
};
|
};
|
||||||
|
|
@ -629,6 +649,7 @@ cat > /etc/nixos/api/api.nix << EOF
|
||||||
|
|
||||||
users.users."selfprivacy-api" = {
|
users.users."selfprivacy-api" = {
|
||||||
isNormalUser = false;
|
isNormalUser = false;
|
||||||
|
isSystemUser = true;
|
||||||
extraGroups = [ "opendkim" ];
|
extraGroups = [ "opendkim" ];
|
||||||
};
|
};
|
||||||
users.groups."selfprivacy-api" = {
|
users.groups."selfprivacy-api" = {
|
||||||
|
|
@ -650,7 +671,7 @@ let
|
||||||
version = "1.0";
|
version = "1.0";
|
||||||
src = builtins.fetchGit {
|
src = builtins.fetchGit {
|
||||||
url = "https://git.selfprivacy.org/ilchub/selfprivacy-rest-api.git";
|
url = "https://git.selfprivacy.org/ilchub/selfprivacy-rest-api.git";
|
||||||
rev = "d7a6b3ca12d936165a4fc1c6265a2dfc3fd6229e";
|
rev = "0980039a67c32a128a96ac73c98fc87aad64674b";
|
||||||
};
|
};
|
||||||
propagatedBuildInputs = [ flask flask-restful pandas ];
|
propagatedBuildInputs = [ flask flask-restful pandas ];
|
||||||
meta = {
|
meta = {
|
||||||
|
|
@ -690,21 +711,16 @@ in
|
||||||
|
|
||||||
systemd.services.selfprivacy-api = {
|
systemd.services.selfprivacy-api = {
|
||||||
description = "API Server used to control system from the mobile application";
|
description = "API Server used to control system from the mobile application";
|
||||||
environment = {
|
environment = config.nix.envVars // {
|
||||||
|
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||||
|
HOME = "/root";
|
||||||
PYTHONUNBUFFERED = "1";
|
PYTHONUNBUFFERED = "1";
|
||||||
};
|
} // config.networking.proxy.envVars;
|
||||||
path = [ "/var/" "/var/dkim/" ];
|
path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild ];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "network-online.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "root";
|
User = "root";
|
||||||
PrivateDevices = "true";
|
|
||||||
ProtectKernelTunables = "true";
|
|
||||||
ProtectKernelModules = "true";
|
|
||||||
LockPersonality = "true";
|
|
||||||
RestrictRealtime = "true";
|
|
||||||
SystemCallFilter = "@system-service @network-io @signal";
|
|
||||||
SystemCallErrorNumber = "EPERM";
|
|
||||||
ExecStart = "\${selfprivacy-api}/bin/main.py";
|
ExecStart = "\${selfprivacy-api}/bin/main.py";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "5";
|
RestartSec = "5";
|
||||||
|
|
@ -722,6 +738,7 @@ cat > /etc/nixos/vpn/ocserv.nix << EOF
|
||||||
};
|
};
|
||||||
users.users.ocserv = {
|
users.users.ocserv = {
|
||||||
isNormalUser = false;
|
isNormalUser = false;
|
||||||
|
isSystemUser = true;
|
||||||
extraGroups = [ "ocserv" "acmerecievers" ];
|
extraGroups = [ "ocserv" "acmerecievers" ];
|
||||||
};
|
};
|
||||||
services.ocserv = {
|
services.ocserv = {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue