mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-29 14:11:26 +00:00
get rid of files.nix; ACME/credentialsFile and other cleanup
This commit is contained in:
parent
7f6c48f978
commit
83e8f6e8a1
|
@ -13,6 +13,8 @@
|
|||
|
||||
fileSystems."/".options = [ "noatime" ];
|
||||
|
||||
services.selfprivacy-api.enable = true;
|
||||
|
||||
services.redis.servers.sp-api = {
|
||||
enable = true;
|
||||
save = [
|
||||
|
@ -36,6 +38,7 @@
|
|||
boot.cleanTmpDir = true;
|
||||
networking = {
|
||||
hostName = config.selfprivacy.hostname;
|
||||
domain = config.selfprivacy.domain;
|
||||
usePredictableInterfaceNames = false;
|
||||
firewall = {
|
||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
|
||||
|
@ -69,6 +72,10 @@
|
|||
DOMAIN = config.selfprivacy.domain;
|
||||
};
|
||||
documentation.enable = false; # no {man,info}-pages & docs, etc to save space
|
||||
systemd.tmpfiles.rules = [
|
||||
"# Completely remove remnants of NIXOS_LUSTRATE."
|
||||
"R! /old-root"
|
||||
];
|
||||
system.autoUpgrade = {
|
||||
enable = config.selfprivacy.autoUpgrade.enable;
|
||||
allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
|
||||
|
|
46
files.nix
46
files.nix
|
@ -1,46 +0,0 @@
|
|||
nixos-config-source: { config, pkgs, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy;
|
||||
dnsCredentialsTemplates = {
|
||||
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
|
||||
CLOUDFLARE = ''
|
||||
CF_API_KEY=REPLACEME
|
||||
CLOUDFLARE_DNS_API_TOKEN=REPLACEME
|
||||
CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
|
||||
'';
|
||||
DESEC = "DESEC_TOKEN=REPLACEME";
|
||||
};
|
||||
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
||||
in
|
||||
{
|
||||
systemd.tmpfiles.rules =
|
||||
let
|
||||
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
||||
in
|
||||
[
|
||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
];
|
||||
system.activationScripts =
|
||||
let
|
||||
jq = "${pkgs.jq}/bin/jq";
|
||||
sed = "${pkgs.gnused}/bin/sed";
|
||||
in
|
||||
{
|
||||
nixos-lustrate = ''
|
||||
rm -rf /old-root
|
||||
'';
|
||||
selfprivacy-nixos-configuration-source = ''
|
||||
rm -rf /etc/nixos/{*,.[!.]*}
|
||||
cp -r --no-preserve=all ${nixos-config-source}/ -T /etc/nixos/
|
||||
'';
|
||||
cloudflareCredentials = ''
|
||||
mkdir -p /var/lib/cloudflare
|
||||
chmod 0440 /var/lib/cloudflare
|
||||
chown nginx:acmereceivers /var/lib/cloudflare
|
||||
echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
|
||||
${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
||||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||
chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -28,11 +28,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702381323,
|
||||
"narHash": "sha256-jPDDlY2thQgJqY8I3Ef3QeojHci7UikMjMVZ5P7pjt4=",
|
||||
"lastModified": 1702870693,
|
||||
"narHash": "sha256-ZtoeXTzQ52wn8chX/0PsLCFuc32m5zpDJpPdpWlrxwU=",
|
||||
"ref": "userdata",
|
||||
"rev": "2bdb73d348d1a8b85a71aa480ab1c08fafb2c9ba",
|
||||
"revCount": 1044,
|
||||
"rev": "789a1c579c5c8f2431cff2baed45713ab791ca7c",
|
||||
"revCount": 1046,
|
||||
"type": "git",
|
||||
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
||||
},
|
||||
|
|
12
flake.nix
12
flake.nix
|
@ -24,20 +24,28 @@
|
|||
hardware-configuration
|
||||
deployment
|
||||
./configuration.nix
|
||||
(import ./files.nix top-level-flake.outPath)
|
||||
selfprivacy-api.nixosModules.default
|
||||
{
|
||||
# pass userdata (parsed from JSON) options to selfprivacy module
|
||||
selfprivacy = userdata;
|
||||
|
||||
# embed top-level flake source folder into the build
|
||||
environment.etc."selfprivacy/nixos-config-source".source =
|
||||
top-level-flake.outPath;
|
||||
top-level-flake;
|
||||
|
||||
# for running "nix search nixpkgs", etc
|
||||
nix.registry.nixpkgs.flake = nixpkgs;
|
||||
|
||||
# embed commit sha1 for `nixos-version --configuration-revision`
|
||||
system.configurationRevision = self.rev
|
||||
or "@${self.lastModifiedDate}"; # for development
|
||||
# TODO assertion to forbid dirty builds caused by top-level-flake
|
||||
|
||||
# reset contents of /etc/nixos to match running NixOS generation
|
||||
system.activationScripts.selfprivacy-nixos-config-source = ''
|
||||
rm -rf /etc/nixos/{*,.[!.]*}
|
||||
cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/
|
||||
'';
|
||||
}
|
||||
]
|
||||
++
|
||||
|
|
|
@ -1,6 +1,18 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy;
|
||||
dnsCredentialsTemplates = {
|
||||
DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
|
||||
CLOUDFLARE = ''
|
||||
CF_API_KEY=$TOKEN
|
||||
CLOUDFLARE_DNS_API_TOKEN=$TOKEN
|
||||
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
|
||||
'';
|
||||
DESEC = "DESEC_TOKEN=$TOKEN";
|
||||
};
|
||||
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
|
||||
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
in
|
||||
{
|
||||
users.groups.acmereceivers.members = [ "nginx" ];
|
||||
|
@ -18,8 +30,26 @@ in
|
|||
extraDomainNames = [ "${cfg.domain}" ];
|
||||
group = "acmereceivers";
|
||||
dnsProvider = lib.strings.toLower cfg.dns.provider;
|
||||
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
|
||||
credentialsFile = acme-env-filepath;
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.acme-secrets = {
|
||||
before = [ "acme-${cfg.domain}.service" ];
|
||||
requiredBy = [ "acme-${cfg.domain}.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
path = with pkgs; [ coreutils jq ];
|
||||
script = ''
|
||||
set -o nounset
|
||||
|
||||
TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
|
||||
filecontents=$(cat <<- EOF
|
||||
${dnsCredentialsTemplate}
|
||||
EOF
|
||||
)
|
||||
|
||||
install -m 0440 -o root -g acmereceivers -DT \
|
||||
<(printf "%s\n" "$filecontents") ${acme-env-filepath}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,7 +12,8 @@ with lib;
|
|||
description = ''
|
||||
Domain used by the server
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
# see: https://regexr.com/7p7ep, https://stackoverflow.com/a/26987741
|
||||
type = lib.types.strMatching ''^(xn--)?[a-z0-9][a-z0-9_-]{0,61}[a-z0-9]{0,1}\.(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$'';
|
||||
};
|
||||
timezone = mkOption {
|
||||
description = ''
|
||||
|
@ -33,13 +34,6 @@ with lib;
|
|||
type = types.nullOr types.bool;
|
||||
};
|
||||
};
|
||||
stateVersion = mkOption {
|
||||
description = ''
|
||||
State version of the server
|
||||
'';
|
||||
type = types.str;
|
||||
default = "22.11";
|
||||
};
|
||||
########################
|
||||
# Server admin options #
|
||||
########################
|
||||
|
@ -62,27 +56,8 @@ with lib;
|
|||
type = types.nullOr (types.listOf types.str);
|
||||
default = [ ];
|
||||
};
|
||||
###############
|
||||
# API options #
|
||||
###############
|
||||
api = {
|
||||
enableSwagger = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Enable Swagger UI
|
||||
'';
|
||||
type = types.bool;
|
||||
};
|
||||
skippedMigrations = mkOption {
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of migrations that should be skipped
|
||||
'';
|
||||
type = types.listOf types.str;
|
||||
};
|
||||
};
|
||||
#############
|
||||
# Secrets #
|
||||
# DNS #
|
||||
#############
|
||||
dns = {
|
||||
provider = mkOption {
|
||||
|
@ -95,17 +70,10 @@ with lib;
|
|||
default = false;
|
||||
};
|
||||
};
|
||||
backup = {
|
||||
bucket = mkOption {
|
||||
description = "Bucket name used for userdata backups";
|
||||
type = types.nullOr types.str;
|
||||
default = "";
|
||||
};
|
||||
};
|
||||
server = {
|
||||
provider = mkOption {
|
||||
description = "Server provider that was defined at the initial setup process.";
|
||||
type = types.nullOr types.str;
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
#########
|
||||
|
|
Loading…
Reference in a new issue