2021-11-15 10:02:05 +00:00
|
|
|
{ config, pkgs, ... }:
|
|
|
|
let
|
2023-11-16 00:00:11 +00:00
|
|
|
cfg = config.selfprivacy;
|
2023-06-05 12:45:07 +00:00
|
|
|
dnsCredentialsTemplates = {
|
|
|
|
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
|
|
|
|
CLOUDFLARE = ''
|
|
|
|
CF_API_KEY=REPLACEME
|
|
|
|
CLOUDFLARE_DNS_API_TOKEN=REPLACEME
|
|
|
|
CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
|
|
|
|
'';
|
|
|
|
DESEC = "DESEC_TOKEN=REPLACEME";
|
|
|
|
};
|
|
|
|
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
2021-11-15 10:02:05 +00:00
|
|
|
in
|
|
|
|
{
|
|
|
|
systemd.tmpfiles.rules =
|
|
|
|
let
|
2022-06-09 19:52:54 +00:00
|
|
|
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
2021-11-15 10:02:05 +00:00
|
|
|
in
|
|
|
|
[
|
2022-05-02 08:04:02 +00:00
|
|
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
|
|
|
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
2021-12-16 13:51:43 +00:00
|
|
|
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
2021-11-17 08:54:36 +00:00
|
|
|
"d /var/lib/restic 0600 restic - - -"
|
2021-12-16 13:51:43 +00:00
|
|
|
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
2021-12-02 20:30:53 +00:00
|
|
|
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
2023-05-03 07:48:57 +00:00
|
|
|
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
|
2021-11-15 10:02:05 +00:00
|
|
|
];
|
2022-07-19 12:18:46 +00:00
|
|
|
system.activationScripts =
|
|
|
|
let
|
|
|
|
jq = "${pkgs.jq}/bin/jq";
|
|
|
|
sed = "${pkgs.gnused}/bin/sed";
|
|
|
|
in
|
|
|
|
{
|
2023-11-20 22:54:06 +00:00
|
|
|
nixos-lustrate = ''
|
|
|
|
rm -rf /old-root
|
|
|
|
'';
|
2022-07-19 12:18:46 +00:00
|
|
|
cloudflareCredentials = ''
|
|
|
|
mkdir -p /var/lib/cloudflare
|
|
|
|
chmod 0440 /var/lib/cloudflare
|
|
|
|
chown nginx:acmerecievers /var/lib/cloudflare
|
2023-06-05 12:45:07 +00:00
|
|
|
echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
|
2023-11-18 05:11:48 +00:00
|
|
|
${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
2022-07-19 12:18:46 +00:00
|
|
|
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
|
|
|
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
|
|
|
'';
|
|
|
|
resticCredentials = ''
|
|
|
|
mkdir -p /root/.config/rclone
|
|
|
|
chmod 0400 /root/.config/rclone
|
|
|
|
chown root:root /root/.config/rclone
|
|
|
|
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
|
|
|
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
|
|
|
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
|
|
|
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
|
|
|
|
2023-11-18 05:11:48 +00:00
|
|
|
${sed} -i "s/REPLACEME1/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
|
|
|
|
${sed} -i "s/REPLACEME2/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
|
2022-07-19 12:18:46 +00:00
|
|
|
|
|
|
|
chmod 0400 /root/.config/rclone/rclone.conf
|
|
|
|
chown root:root /root/.config/rclone/rclone.conf
|
|
|
|
|
2023-11-18 05:11:48 +00:00
|
|
|
cat /etc/selfprivacy/secrets.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
2022-07-19 12:18:46 +00:00
|
|
|
chmod 0400 /var/lib/restic/pass
|
|
|
|
chown restic /var/lib/restic/pass
|
|
|
|
'';
|
|
|
|
pleromaCredentials =
|
|
|
|
if cfg.pleroma.enable then ''
|
|
|
|
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
|
|
|
echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs
|
|
|
|
echo ' password: "REPLACEME"' >> /var/lib/pleroma/secrets.exs
|
|
|
|
|
2023-11-18 05:11:48 +00:00
|
|
|
${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs
|
2022-07-19 12:18:46 +00:00
|
|
|
|
|
|
|
chmod 0750 /var/lib/pleroma/secrets.exs
|
|
|
|
chown pleroma:pleroma /var/lib/pleroma/secrets.exs
|
|
|
|
'' else ''
|
|
|
|
rm -f /var/lib/pleroma/secrets.exs
|
|
|
|
'';
|
2023-05-03 07:48:57 +00:00
|
|
|
bitwardenCredentials =
|
|
|
|
if cfg.bitwarden.enable then ''
|
|
|
|
mkdir -p /var/lib/bitwarden
|
2023-11-18 05:11:48 +00:00
|
|
|
token=$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.bitwarden.adminToken')
|
2023-05-03 07:48:57 +00:00
|
|
|
if [ "$token" == "null" ]; then
|
|
|
|
# If it's null, delete the contents of the file
|
|
|
|
> /var/lib/bitwarden/.env
|
|
|
|
else
|
|
|
|
echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
|
|
|
|
fi
|
|
|
|
chmod 0640 /var/lib/bitwarden/.env
|
|
|
|
chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
|
|
|
|
'' else ''
|
|
|
|
rm -f /var/lib/bitwarden/.env
|
|
|
|
'';
|
2022-07-19 12:18:46 +00:00
|
|
|
};
|
2021-11-15 10:02:05 +00:00
|
|
|
}
|