get rid of files.nix; ACME/credentialsFile and other cleanup

This commit is contained in:
Alexander Tomokhov 2023-12-16 09:39:22 +04:00
parent 7f6c48f978
commit 83e8f6e8a1
6 changed files with 57 additions and 90 deletions

View file

@ -13,6 +13,8 @@
fileSystems."/".options = [ "noatime" ];
services.selfprivacy-api.enable = true;
services.redis.servers.sp-api = {
enable = true;
save = [
@ -36,6 +38,7 @@
boot.cleanTmpDir = true;
networking = {
hostName = config.selfprivacy.hostname;
domain = config.selfprivacy.domain;
usePredictableInterfaceNames = false;
firewall = {
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
@ -69,6 +72,10 @@
DOMAIN = config.selfprivacy.domain;
};
documentation.enable = false; # no {man,info}-pages & docs, etc to save space
systemd.tmpfiles.rules = [
"# Completely remove remnants of NIXOS_LUSTRATE."
"R! /old-root"
];
system.autoUpgrade = {
enable = config.selfprivacy.autoUpgrade.enable;
allowReboot = config.selfprivacy.autoUpgrade.allowReboot;

View file

@ -1,46 +0,0 @@
nixos-config-source: { config, pkgs, ... }:
let
cfg = config.selfprivacy;
dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
CLOUDFLARE = ''
CF_API_KEY=REPLACEME
CLOUDFLARE_DNS_API_TOKEN=REPLACEME
CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
'';
DESEC = "DESEC_TOKEN=REPLACEME";
};
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
in
{
systemd.tmpfiles.rules =
let
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
in
[
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
];
system.activationScripts =
let
jq = "${pkgs.jq}/bin/jq";
sed = "${pkgs.gnused}/bin/sed";
in
{
nixos-lustrate = ''
rm -rf /old-root
'';
selfprivacy-nixos-configuration-source = ''
rm -rf /etc/nixos/{*,.[!.]*}
cp -r --no-preserve=all ${nixos-config-source}/ -T /etc/nixos/
'';
cloudflareCredentials = ''
mkdir -p /var/lib/cloudflare
chmod 0440 /var/lib/cloudflare
chown nginx:acmereceivers /var/lib/cloudflare
echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
'';
};
}

View file

@ -28,11 +28,11 @@
]
},
"locked": {
"lastModified": 1702381323,
"narHash": "sha256-jPDDlY2thQgJqY8I3Ef3QeojHci7UikMjMVZ5P7pjt4=",
"lastModified": 1702870693,
"narHash": "sha256-ZtoeXTzQ52wn8chX/0PsLCFuc32m5zpDJpPdpWlrxwU=",
"ref": "userdata",
"rev": "2bdb73d348d1a8b85a71aa480ab1c08fafb2c9ba",
"revCount": 1044,
"rev": "789a1c579c5c8f2431cff2baed45713ab791ca7c",
"revCount": 1046,
"type": "git",
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
},

View file

@ -24,20 +24,28 @@
hardware-configuration
deployment
./configuration.nix
(import ./files.nix top-level-flake.outPath)
selfprivacy-api.nixosModules.default
{
# pass userdata (parsed from JSON) options to selfprivacy module
selfprivacy = userdata;
# embed top-level flake source folder into the build
environment.etc."selfprivacy/nixos-config-source".source =
top-level-flake.outPath;
top-level-flake;
# for running "nix search nixpkgs", etc
nix.registry.nixpkgs.flake = nixpkgs;
# embed commit sha1 for `nixos-version --configuration-revision`
system.configurationRevision = self.rev
or "@${self.lastModifiedDate}"; # for development
# TODO assertion to forbid dirty builds caused by top-level-flake
# reset contents of /etc/nixos to match running NixOS generation
system.activationScripts.selfprivacy-nixos-config-source = ''
rm -rf /etc/nixos/{*,.[!.]*}
cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/
'';
}
]
++

View file

@ -1,6 +1,18 @@
{ config, pkgs, lib, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.selfprivacy;
dnsCredentialsTemplates = {
DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
CLOUDFLARE = ''
CF_API_KEY=$TOKEN
CLOUDFLARE_DNS_API_TOKEN=$TOKEN
CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
'';
DESEC = "DESEC_TOKEN=$TOKEN";
};
dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
acme-env-filepath = "/var/lib/selfprivacy/acme-env";
secrets-filepath = "/etc/selfprivacy/secrets.json";
in
{
users.groups.acmereceivers.members = [ "nginx" ];
@ -18,8 +30,26 @@ in
extraDomainNames = [ "${cfg.domain}" ];
group = "acmereceivers";
dnsProvider = lib.strings.toLower cfg.dns.provider;
credentialsFile = "/var/lib/cloudflare/Credentials.ini";
credentialsFile = acme-env-filepath;
};
};
};
systemd.services.acme-secrets = {
before = [ "acme-${cfg.domain}.service" ];
requiredBy = [ "acme-${cfg.domain}.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
filecontents=$(cat <<- EOF
${dnsCredentialsTemplate}
EOF
)
install -m 0440 -o root -g acmereceivers -DT \
<(printf "%s\n" "$filecontents") ${acme-env-filepath}
'';
};
}

View file

@ -12,7 +12,8 @@ with lib;
description = ''
Domain used by the server
'';
type = types.nullOr types.str;
# see: https://regexr.com/7p7ep, https://stackoverflow.com/a/26987741
type = lib.types.strMatching ''^(xn--)?[a-z0-9][a-z0-9_-]{0,61}[a-z0-9]{0,1}\.(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$'';
};
timezone = mkOption {
description = ''
@ -33,13 +34,6 @@ with lib;
type = types.nullOr types.bool;
};
};
stateVersion = mkOption {
description = ''
State version of the server
'';
type = types.str;
default = "22.11";
};
########################
# Server admin options #
########################
@ -62,27 +56,8 @@ with lib;
type = types.nullOr (types.listOf types.str);
default = [ ];
};
###############
# API options #
###############
api = {
enableSwagger = mkOption {
default = true;
description = ''
Enable Swagger UI
'';
type = types.bool;
};
skippedMigrations = mkOption {
default = [ ];
description = ''
List of migrations that should be skipped
'';
type = types.listOf types.str;
};
};
#############
# Secrets #
# DNS #
#############
dns = {
provider = mkOption {
@ -95,17 +70,10 @@ with lib;
default = false;
};
};
backup = {
bucket = mkOption {
description = "Bucket name used for userdata backups";
type = types.nullOr types.str;
default = "";
};
};
server = {
provider = mkOption {
description = "Server provider that was defined at the initial setup process.";
type = types.nullOr types.str;
type = types.str;
};
};
#########