feat: Migrate to flakes

Merge pull request 'add nix experimental-features for flakes' (#49 ) from experimental-features into master
Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#49 Reviewed-by: Inex Code <inex.code@selfprivacy.org>
2024-01-19 14:50:25 +03:00 · 2023-11-09 15:43:17 +02:00 · 2023-11-09 17:35:24 +04:00 · 2023-10-31 18:28:19 +02:00 · 2023-10-31 17:27:46 +03:00 · 2023-10-31 17:22:15 +03:00
13 changed files with 86 additions and 114 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 userdata/userdata.json
 userdata/tokens.json
 hardware-configuration.nix
-networking.nix
+networking.nix
+/result
--- a/api/api-module.nix
+++ b/api/api-module.nix
@ -18,19 +18,6 @@ in
        Enable SelfPrivacy API service
      '';
    };
-    enableSwagger = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Enable Swagger UI
-      '';
-    };
-    b2Bucket = mkOption {
-      type = types.str;
-      description = ''
-        B2 bucket
-      '';
-    };
  };
  config = lib.mkIf cfg.enable {

@ -40,8 +27,6 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
-        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
-        B2_BUCKET = cfg.b2Bucket;
      } // config.networking.proxy.envVars;
      path = [
        "/var/"
@ -53,11 +38,14 @@ in
        pkgs.gitMinimal
        config.nix.package.out
        pkgs.nixos-rebuild
+        pkgs.rclone
        pkgs.restic
        pkgs.mkpasswd
        pkgs.util-linux
        pkgs.e2fsprogs
        pkgs.iproute2
+        pkgs.fuse-overlayfs
+        pkgs.fuse
      ];
      after = [ "network-online.target" ];
      wantedBy = [ "network-online.target" ];
@ -74,8 +62,6 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
-        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
-        B2_BUCKET = cfg.b2Bucket;
        PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
      } // config.networking.proxy.envVars;
      path = [
@ -88,11 +74,14 @@ in
        pkgs.gitMinimal
        config.nix.package.out
        pkgs.nixos-rebuild
+        pkgs.rclone
        pkgs.restic
        pkgs.mkpasswd
        pkgs.util-linux
        pkgs.e2fsprogs
        pkgs.iproute2
+        pkgs.fuse-overlayfs
+        pkgs.fuse
      ];
      after = [ "network-online.target" ];
      wantedBy = [ "network-online.target" ];
--- a/api/api.nix
+++ b/api/api.nix
@ -2,8 +2,6 @@
 {
  services.selfprivacy-api = {
    enable = true;
-    enableSwagger = config.services.userdata.api.enableSwagger;
-    b2Bucket = config.services.userdata.backup.bucket;
  };

  users.users."selfprivacy-api" = {
--- a/backup/restic.nix
+++ b/backup/restic.nix
@ -1,29 +0,0 @@
-{ config, pkgs, ... }:
-let
-  cfg = config.services.userdata;
-in
-{
-  services.restic.backups = {
-    options = {
-      passwordFile = "/etc/restic/resticPasswd";
-      repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
-      initialize = true;
-      paths = [
-        "/var/dkim"
-        "/var/vmail"
-      ];
-      timerConfig = {
-        OnCalendar = [ "daily" ];
-      };
-      user = "restic";
-      pruneOpts = [
-        "--keep-daily 5"
-      ];
-    };
-  };
-  users.users.restic = {
-    isNormalUser = false;
-    isSystemUser = true;
-    group = "restic";
-  };
-}
--- a/configuration.nix
+++ b/configuration.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/22-11.tar.gz";
+  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz";
  nix-overlay = (import (builtins.fetchTarball url-overlay));
 in
 {
@ -18,7 +18,6 @@ in
    ./social/pleroma.nix
    ./letsencrypt/acme.nix
    ./letsencrypt/resolve.nix
-    ./backup/restic.nix
    ./passmgr/bitwarden.nix
    ./webserver/nginx.nix
    ./webserver/memcached.nix
@ -74,7 +73,7 @@ in
    openFirewall = false;
  };
  programs.ssh = {
-    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
+    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
    hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
  };
  environment.systemPackages = with pkgs; [
@ -96,6 +95,9 @@ in
      automatic = true;
      options = "--delete-older-than 7d";
    };
+    extraOptions = ''
+      experimental-features = nix-command flakes repl-flake
+    '';
  };
  services.journald.extraConfig = "SystemMaxUse=500M";
  boot.kernel.sysctl = {
--- a/files.nix
+++ b/files.nix
@ -1,6 +1,16 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.userdata;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
+    CLOUDFLARE = ''
+      CF_API_KEY=REPLACEME
+      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
+      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
+    '';
+    DESEC = "DESEC_TOKEN=REPLACEME";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
 in
 {
  systemd.tmpfiles.rules =
@ -8,12 +18,14 @@ in
      domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
    in
    [
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
-      "d /var/lib/restic 0600 restic - - -"
-      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
+      (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
+      "d /var/sieve 0770 virtualMail virtualMail - -"
+      "d /var/www/root 0750 nginx nginx - -"
    ];
  system.activationScripts =
    let
@ -40,32 +52,11 @@ in
        mkdir -p /var/lib/cloudflare
        chmod 0440 /var/lib/cloudflare
        chown nginx:acmerecievers /var/lib/cloudflare
-        echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-        echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
+        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
        chmod 0440 /var/lib/cloudflare/Credentials.ini
        chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
      '';
-      resticCredentials = ''
-        mkdir -p /root/.config/rclone
-        chmod 0400 /root/.config/rclone
-        chown root:root /root/.config/rclone
-        echo '[backblaze]' > /root/.config/rclone/rclone.conf
-        echo 'type = b2' >> /root/.config/rclone/rclone.conf
-        echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
-        echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
-
-        ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
-        ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
-
-        chmod 0400 /root/.config/rclone/rclone.conf
-        chown root:root /root/.config/rclone/rclone.conf
-
-        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
-        chmod 0400 /var/lib/restic/pass
-        chown restic /var/lib/restic/pass
-      '';
      pleromaCredentials =
        if cfg.pleroma.enable then ''
          echo 'import Config' > /var/lib/pleroma/secrets.exs
@ -79,5 +70,20 @@ in
        '' else ''
          rm -f /var/lib/pleroma/secrets.exs
        '';
+      bitwardenCredentials =
+        if cfg.bitwarden.enable then ''
+          mkdir -p /var/lib/bitwarden
+          token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
+          if [ "$token" == "null" ]; then
+            # If it's null, delete the contents of the file
+            > /var/lib/bitwarden/.env
+          else
+            echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
+          fi
+          chmod 0640 /var/lib/bitwarden/.env
+          chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
+        '' else ''
+          rm -f /var/lib/bitwarden/.env
+        '';
    };
 }
--- a/git/gitea.nix
+++ b/git/gitea.nix
@ -13,6 +13,10 @@ in
    gitea = {
      enable = cfg.gitea.enable;
      stateDir = "/var/lib/gitea";
+#      log = {
+#        rootPath = "/var/lib/gitea/log";
+#        level = "Warn";
+#      };
      user = "gitea";
      database = {
        type = "sqlite3";
@ -36,6 +40,7 @@ in
      rootUrl = "https://git.${cfg.domain}/";
      httpAddress = "0.0.0.0";
      httpPort = 3000;
+#      cookieSecure = true;
      settings = {
        mailer = {
          ENABLED = false;
@ -58,7 +63,7 @@ in
        };
        log = {
          ROOT_PATH = "/var/lib/gitea/log";
-#          LEVEL = "Warn";
+          LEVEL = "Warn";
        };
      };
    };
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.userdata;
+  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
 in
 {
  users.groups.acmerecievers = {
@ -11,20 +12,20 @@ in
    defaults = {
      email = "${cfg.username}@${cfg.domain}";
      server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
+      dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
+      reloadServices = [ "nginx" ];
    };
    certs = lib.mkForce {
-      "${cfg.domain}" = {
+      "wildcard-${cfg.domain}" = {
        domain = "*.${cfg.domain}";
-        extraDomainNames = [ "${cfg.domain}" ];
        group = "acmerecievers";
-        dnsProvider = "cloudflare";
+        dnsProvider = lib.strings.toLower cfg.dns.provider;
        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
      };
-      "meet.${cfg.domain}" = {
-        domain = "meet.${cfg.domain}";
+      "${cfg.domain}" = {
+        domain = cfg.domain;
        group = "acmerecievers";
-        dnsProvider = "cloudflare";
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
+        webroot = "/var/lib/acme/acme-challenge";
      };
    };
  };
--- a/letsencrypt/resolve.nix
+++ b/letsencrypt/resolve.nix
@ -12,11 +12,6 @@ in
          Restart = "on-failure";
        };
      };
-      "nginx-config-reload" = {
-        serviceConfig = {
-          After = [ "acme-${domain}.service" ];
-        };
-      };
    };
  };
 }
--- a/passmgr/bitwarden.nix
+++ b/passmgr/bitwarden.nix
@ -17,6 +17,7 @@ in
    enable = cfg.bitwarden.enable;
    dbBackend = "sqlite";
    backupDir = "/var/lib/bitwarden/backup";
+    environmentFile = "/var/lib/bitwarden/.env";
    config = {
      domain = "https://password.${cfg.domain}/";
      signupsAllowed = true;
--- a/variables-module.nix
+++ b/variables-module.nix
@ -74,13 +74,6 @@ in
    # API options #
    ###############
    api = {
-      enableSwagger = mkOption {
-        default = true;
-        description = ''
-          Enable Swagger UI
-        '';
-        type = types.bool;
-      };
      skippedMigrations = mkOption {
        default = [ ];
        description = ''
@ -194,7 +187,7 @@ in
        description = ''
          Password authentication for SSH
        '';
-        default = true;
+        default = false;
        type = types.nullOr types.bool;
      };
    };
--- a/variables.nix
+++ b/variables.nix
@ -16,7 +16,6 @@ in
    hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
    sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
    api = {
-      enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
      skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
    };
    dns = {
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -20,8 +20,7 @@ in

    virtualHosts = {
      "${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        enableACME = true;
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -33,10 +32,15 @@ in
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          expires 10m;
        '';
+        locations = {
+          "/" = {
+            root = "/var/www/root";
+          };
+        };
      };
      "vpn.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -50,8 +54,8 @@ in
        '';
      };
      "git.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -70,8 +74,8 @@ in
        };
      };
      "cloud.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -90,8 +94,8 @@ in
        };
      };
      "password.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -110,8 +114,8 @@ in
        };
      };
      "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -131,8 +135,8 @@ in
        };
      };
      "social.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
        root = "/var/www/social.${domain}";
        forceSSL = true;
        extraConfig = ''
@ -151,6 +155,13 @@ in
          };
        };
      };
+      "meet.${domain}" = {
+        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        forceSSL = true;
+        useACMEHost = "wildcard-${domain}";
+        enableACME = false;
+      };
    };
  };
 }
Author	SHA1	Message	Date
Inex Code	40f92d15d3	feat: Migrate to flakes	2024-01-19 14:50:25 +03:00
Inex Code	2c2bb80006	Merge pull request 'add nix experimental-features for flakes' (#49 ) from experimental-features into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#49 Reviewed-by: Inex Code <inex.code@selfprivacy.org>	2023-11-09 15:43:17 +02:00
Alexander Tomokhov	5685a9e128	add nix experimental-features for flakes	2023-11-09 17:35:24 +04:00
Inex Code	f8befb0e3d	Merge pull request 'Disable password auth and allow serving static files at root domain' (#48 ) from inex-oct-31 into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#48	2023-10-31 18:28:19 +02:00
Inex Code	1464d7f3bd	feat(nginx): Allow serving static files at root domain	2023-10-31 17:27:46 +03:00
Inex Code	d02524bb8f	refactor(ssh): Disable password auth by default	2023-10-31 17:22:15 +03:00
Inex Code	23155b3c96	feat(ssh): Allow ecdsa-sha2-nistp256 keys	2023-10-03 16:34:47 +03:00
Inex Code	6c07cc024b	fix: permissions for vaultwarden backups were too broad	2023-08-25 13:56:01 +03:00
Inex Code	5710f5892b	fix(email): make sure /var/sieve owned my mail user	2023-07-28 03:41:06 +03:00
Inex Code	325dc40f34	fix(acme): add dns propagation check exceptions	2023-07-28 03:01:30 +03:00
Inex Code	25d7bc6ec5	fix(acme): enable DNS propagation check	2023-07-22 00:01:29 +03:00
Inex Code	29b855818d	fix: acme retrieval	2023-07-21 20:59:34 +03:00
Inex Code	e0ad80b4ca	Revert "fix: rename the cert name" This reverts commit `e8a25ec565`.	2023-07-21 20:36:40 +03:00
Inex Code	e8a25ec565	fix: rename the cert name	2023-07-21 20:35:37 +03:00
Inex Code	d41cf6a4db	fix: do not use DNS challenge for root domain TLS Previous solution made ACME create two TXT records on the same subdomain, creating the conflict	2023-07-21 20:32:03 +03:00
Inex Code	2f0107ce3b	refactor: remove unused restic-related code	2023-07-21 17:51:12 +03:00
Inex Code	8f72f60286	refactor: remove restic credentials from post-installation scripts These are handled by API now.	2023-07-20 19:58:54 +03:00
Inex Code	58e4f3acd8	feat: update API deps	2023-07-20 19:52:24 +03:00
Inex Code	65b5a19777	Merge pull request 'fix: Reloading nginx after ACME' (#34 ) from nginx-reload-fix into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#34	2023-06-14 19:19:56 +03:00
Inex Code	60dd766846	fix: Reloading nginx after ACME	2023-06-14 19:19:49 +03:00
Inex Code	8006f83257	Merge pull request 'refactor(jitsi): Use the common TLS cert for Jitsi' (#33 ) from jitsi-tls-fix into master Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#33	2023-06-09 16:01:09 +03:00
Inex Code	74d35b16f2	fix(jitsi): disable gettings tls certs	2023-06-09 15:59:15 +03:00
Inex Code	dd020c3a7d	fix(acme): Disable DNS propagation check	2023-06-09 15:57:19 +03:00
Inex Code	ba1695c642	fix(jitsi): Use the common TLS cert	2023-06-09 14:06:22 +03:00
Inex Code	bc5778fdea	feat(dns): Add support for DigitalOcean DNS and DeSEC DNS (#31 ) Co-authored-by: inexcode <inex.code@selfprivacy.org> Co-authored-by: NaiJi ✨ <naiji@udongein.xyz> Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#31	2023-06-05 15:45:07 +03:00
Inex Code	8d99d1c78a	fix: Make bitwarden read the env file	2023-05-14 17:22:09 +03:00
Inex Code	5e64b08381	feat(bitwarden): Add admin token support	2023-05-03 10:48:57 +03:00
Inex Code	7e590ae60c	revert(gitea): Nix deprecations x2	2023-03-20 18:39:41 +03:00
Inex Code	eb36e9b265	revert(gitea): Nix deprecations	2023-03-20 18:36:32 +03:00