Merge pull request 'fix: Conflicting Gitea log level' (#27 ) from master into api-redis

Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#27
Merge pull request 'master' (#26 ) from master into api-redis
2023-03-20 17:32:05 +02:00 · 2023-03-20 17:27:48 +02:00
13 changed files with 114 additions and 86 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,4 @@
 userdata/userdata.json
 userdata/tokens.json
 hardware-configuration.nix
-networking.nix
-/result
+networking.nix
--- a/api/api-module.nix
+++ b/api/api-module.nix
@ -18,6 +18,19 @@ in
        Enable SelfPrivacy API service
      '';
    };
+    enableSwagger = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enable Swagger UI
+      '';
+    };
+    b2Bucket = mkOption {
+      type = types.str;
+      description = ''
+        B2 bucket
+      '';
+    };
  };
  config = lib.mkIf cfg.enable {

@ -27,6 +40,8 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
+        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
+        B2_BUCKET = cfg.b2Bucket;
      } // config.networking.proxy.envVars;
      path = [
        "/var/"
@ -38,14 +53,11 @@ in
        pkgs.gitMinimal
        config.nix.package.out
        pkgs.nixos-rebuild
-        pkgs.rclone
        pkgs.restic
        pkgs.mkpasswd
        pkgs.util-linux
        pkgs.e2fsprogs
        pkgs.iproute2
-        pkgs.fuse-overlayfs
-        pkgs.fuse
      ];
      after = [ "network-online.target" ];
      wantedBy = [ "network-online.target" ];
@ -62,6 +74,8 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
+        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
+        B2_BUCKET = cfg.b2Bucket;
        PYTHONPATH = pkgs.selfprivacy-graphql-api.pythonPath + ":${pkgs.selfprivacy-graphql-api}/lib/python3.10/site-packages/";
      } // config.networking.proxy.envVars;
      path = [
@ -74,14 +88,11 @@ in
        pkgs.gitMinimal
        config.nix.package.out
        pkgs.nixos-rebuild
-        pkgs.rclone
        pkgs.restic
        pkgs.mkpasswd
        pkgs.util-linux
        pkgs.e2fsprogs
        pkgs.iproute2
-        pkgs.fuse-overlayfs
-        pkgs.fuse
      ];
      after = [ "network-online.target" ];
      wantedBy = [ "network-online.target" ];
--- a/api/api.nix
+++ b/api/api.nix
@ -2,6 +2,8 @@
 {
  services.selfprivacy-api = {
    enable = true;
+    enableSwagger = config.services.userdata.api.enableSwagger;
+    b2Bucket = config.services.userdata.backup.bucket;
  };

  users.users."selfprivacy-api" = {
--- a/backup/restic.nix
+++ b/backup/restic.nix
@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+let
+  cfg = config.services.userdata;
+in
+{
+  services.restic.backups = {
+    options = {
+      passwordFile = "/etc/restic/resticPasswd";
+      repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
+      initialize = true;
+      paths = [
+        "/var/dkim"
+        "/var/vmail"
+      ];
+      timerConfig = {
+        OnCalendar = [ "daily" ];
+      };
+      user = "restic";
+      pruneOpts = [
+        "--keep-daily 5"
+      ];
+    };
+  };
+  users.users.restic = {
+    isNormalUser = false;
+    isSystemUser = true;
+    group = "restic";
+  };
+}
--- a/configuration.nix
+++ b/configuration.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/test-migration.tar.gz";
+  url-overlay = "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo/archive/22-11.tar.gz";
  nix-overlay = (import (builtins.fetchTarball url-overlay));
 in
 {
@ -18,6 +18,7 @@ in
    ./social/pleroma.nix
    ./letsencrypt/acme.nix
    ./letsencrypt/resolve.nix
+    ./backup/restic.nix
    ./passmgr/bitwarden.nix
    ./webserver/nginx.nix
    ./webserver/memcached.nix
@ -73,7 +74,7 @@ in
    openFirewall = false;
  };
  programs.ssh = {
-    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" "ecdsa-sha2-nistp256" ];
+    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
    hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
  };
  environment.systemPackages = with pkgs; [
@ -95,9 +96,6 @@ in
      automatic = true;
      options = "--delete-older-than 7d";
    };
-    extraOptions = ''
-      experimental-features = nix-command flakes repl-flake
-    '';
  };
  services.journald.extraConfig = "SystemMaxUse=500M";
  boot.kernel.sysctl = {
--- a/files.nix
+++ b/files.nix
@ -1,16 +1,6 @@
 { config, pkgs, ... }:
 let
  cfg = config.services.userdata;
-  dnsCredentialsTemplates = {
-    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
-    CLOUDFLARE = ''
-      CF_API_KEY=REPLACEME
-      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
-      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
-    '';
-    DESEC = "DESEC_TOKEN=REPLACEME";
-  };
-  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
 in
 {
  systemd.tmpfiles.rules =
@ -18,14 +8,12 @@ in
      domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
    in
    [
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0770 vaultwarden vaultwarden -" else "")
-      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0770 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
+      (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
-      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0750 pleroma pleroma - -" else "")
+      "d /var/lib/restic 0600 restic - - -"
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
-      (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
-      "d /var/sieve 0770 virtualMail virtualMail - -"
-      "d /var/www/root 0750 nginx nginx - -"
    ];
  system.activationScripts =
    let
@ -52,11 +40,32 @@ in
        mkdir -p /var/lib/cloudflare
        chmod 0440 /var/lib/cloudflare
        chown nginx:acmerecievers /var/lib/cloudflare
-        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
+        echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
+        echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
+        echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
        chmod 0440 /var/lib/cloudflare/Credentials.ini
        chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
      '';
+      resticCredentials = ''
+        mkdir -p /root/.config/rclone
+        chmod 0400 /root/.config/rclone
+        chown root:root /root/.config/rclone
+        echo '[backblaze]' > /root/.config/rclone/rclone.conf
+        echo 'type = b2' >> /root/.config/rclone/rclone.conf
+        echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
+        echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
+
+        ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
+        ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
+
+        chmod 0400 /root/.config/rclone/rclone.conf
+        chown root:root /root/.config/rclone/rclone.conf
+
+        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
+        chmod 0400 /var/lib/restic/pass
+        chown restic /var/lib/restic/pass
+      '';
      pleromaCredentials =
        if cfg.pleroma.enable then ''
          echo 'import Config' > /var/lib/pleroma/secrets.exs
@ -70,20 +79,5 @@ in
        '' else ''
          rm -f /var/lib/pleroma/secrets.exs
        '';
-      bitwardenCredentials =
-        if cfg.bitwarden.enable then ''
-          mkdir -p /var/lib/bitwarden
-          token=$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.bitwarden.adminToken')
-          if [ "$token" == "null" ]; then
-            # If it's null, delete the contents of the file
-            > /var/lib/bitwarden/.env
-          else
-            echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
-          fi
-          chmod 0640 /var/lib/bitwarden/.env
-          chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
-        '' else ''
-          rm -f /var/lib/bitwarden/.env
-        '';
    };
 }
--- a/git/gitea.nix
+++ b/git/gitea.nix
@ -13,10 +13,6 @@ in
    gitea = {
      enable = cfg.gitea.enable;
      stateDir = "/var/lib/gitea";
-#      log = {
-#        rootPath = "/var/lib/gitea/log";
-#        level = "Warn";
-#      };
      user = "gitea";
      database = {
        type = "sqlite3";
@ -40,7 +36,6 @@ in
      rootUrl = "https://git.${cfg.domain}/";
      httpAddress = "0.0.0.0";
      httpPort = 3000;
-#      cookieSecure = true;
      settings = {
        mailer = {
          ENABLED = false;
@ -63,7 +58,7 @@ in
        };
        log = {
          ROOT_PATH = "/var/lib/gitea/log";
-          LEVEL = "Warn";
+#          LEVEL = "Warn";
        };
      };
    };
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -1,7 +1,6 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.userdata;
-  dnsPropagationCheckExceptions = [ "DIGITALOCEAN" ];
 in
 {
  users.groups.acmerecievers = {
@ -12,20 +11,20 @@ in
    defaults = {
      email = "${cfg.username}@${cfg.domain}";
      server = if cfg.dns.useStagingACME then "https://acme-staging-v02.api.letsencrypt.org/directory" else "https://acme-v02.api.letsencrypt.org/directory";
-      dnsPropagationCheck = if lib.elem cfg.dns.provider dnsPropagationCheckExceptions then false else true;
-      reloadServices = [ "nginx" ];
    };
    certs = lib.mkForce {
-      "wildcard-${cfg.domain}" = {
+      "${cfg.domain}" = {
        domain = "*.${cfg.domain}";
+        extraDomainNames = [ "${cfg.domain}" ];
        group = "acmerecievers";
-        dnsProvider = lib.strings.toLower cfg.dns.provider;
+        dnsProvider = "cloudflare";
        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
      };
-      "${cfg.domain}" = {
-        domain = cfg.domain;
+      "meet.${cfg.domain}" = {
+        domain = "meet.${cfg.domain}";
        group = "acmerecievers";
-        webroot = "/var/lib/acme/acme-challenge";
+        dnsProvider = "cloudflare";
+        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
      };
    };
  };
--- a/letsencrypt/resolve.nix
+++ b/letsencrypt/resolve.nix
@ -12,6 +12,11 @@ in
          Restart = "on-failure";
        };
      };
+      "nginx-config-reload" = {
+        serviceConfig = {
+          After = [ "acme-${domain}.service" ];
+        };
+      };
    };
  };
 }
--- a/passmgr/bitwarden.nix
+++ b/passmgr/bitwarden.nix
@ -17,7 +17,6 @@ in
    enable = cfg.bitwarden.enable;
    dbBackend = "sqlite";
    backupDir = "/var/lib/bitwarden/backup";
-    environmentFile = "/var/lib/bitwarden/.env";
    config = {
      domain = "https://password.${cfg.domain}/";
      signupsAllowed = true;
--- a/variables-module.nix
+++ b/variables-module.nix
@ -74,6 +74,13 @@ in
    # API options #
    ###############
    api = {
+      enableSwagger = mkOption {
+        default = true;
+        description = ''
+          Enable Swagger UI
+        '';
+        type = types.bool;
+      };
      skippedMigrations = mkOption {
        default = [ ];
        description = ''
@ -187,7 +194,7 @@ in
        description = ''
          Password authentication for SSH
        '';
-        default = false;
+        default = true;
        type = types.nullOr types.bool;
      };
    };
--- a/variables.nix
+++ b/variables.nix
@ -16,6 +16,7 @@ in
    hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
    sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
    api = {
+      enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
      skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
    };
    dns = {
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -20,7 +20,8 @@ in

    virtualHosts = {
      "${domain}" = {
-        enableACME = true;
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -32,15 +33,10 @@ in
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          expires 10m;
        '';
-        locations = {
-          "/" = {
-            root = "/var/www/root";
-          };
-        };
      };
      "vpn.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -54,8 +50,8 @@ in
        '';
      };
      "git.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -74,8 +70,8 @@ in
        };
      };
      "cloud.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -94,8 +90,8 @@ in
        };
      };
      "password.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -114,8 +110,8 @@ in
        };
      };
      "api.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
@ -135,8 +131,8 @@ in
        };
      };
      "social.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
        root = "/var/www/social.${domain}";
        forceSSL = true;
        extraConfig = ''
@ -155,13 +151,6 @@ in
          };
        };
      };
-      "meet.${domain}" = {
-        sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
-        forceSSL = true;
-        useACMEHost = "wildcard-${domain}";
-        enableACME = false;
-      };
    };
  };
 }
Author	SHA1	Message	Date
Inex Code	196414f99a	Merge pull request 'fix: Conflicting Gitea log level' (#27 ) from master into api-redis Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#27	2023-03-20 17:32:05 +02:00
Inex Code	d8ebbcd1cf	Merge pull request 'master' (#26 ) from master into api-redis Reviewed-on: SelfPrivacy/selfprivacy-nixos-config#26	2023-03-20 17:27:48 +02:00