get rid of files.nix; ACME/credentialsFile and other cleanup

2024-11-26 04:51:26 +00:00 · 2023-12-16 09:39:22 +04:00 · 2023-12-16 09:39:22 +04:00 · 83e8f6e8a1
parent 7f6c48f978
commit 83e8f6e8a1
6 changed files with 57 additions and 90 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -13,6 +13,8 @@

  fileSystems."/".options = [ "noatime" ];

+  services.selfprivacy-api.enable = true;
+
  services.redis.servers.sp-api = {
    enable = true;
    save = [
@ -36,6 +38,7 @@
  boot.cleanTmpDir = true;
  networking = {
    hostName = config.selfprivacy.hostname;
+    domain = config.selfprivacy.domain;
    usePredictableInterfaceNames = false;
    firewall = {
      allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
@ -69,6 +72,10 @@
    DOMAIN = config.selfprivacy.domain;
  };
  documentation.enable = false; # no {man,info}-pages & docs, etc to save space
+  systemd.tmpfiles.rules = [
+    "# Completely remove remnants of NIXOS_LUSTRATE."
+    "R! /old-root"
+  ];
  system.autoUpgrade = {
    enable = config.selfprivacy.autoUpgrade.enable;
    allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
--- a/files.nix
+++ b/files.nix
@ -1,46 +0,0 @@
-nixos-config-source: { config, pkgs, ... }:
-let
-  cfg = config.selfprivacy;
-  dnsCredentialsTemplates = {
-    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
-    CLOUDFLARE = ''
-      CF_API_KEY=REPLACEME
-      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
-      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
-    '';
-    DESEC = "DESEC_TOKEN=REPLACEME";
-  };
-  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
-in
-{
-  systemd.tmpfiles.rules =
-    let
-      domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
-    in
-    [
-      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
-    ];
-  system.activationScripts =
-    let
-      jq = "${pkgs.jq}/bin/jq";
-      sed = "${pkgs.gnused}/bin/sed";
-    in
-    {
-      nixos-lustrate = ''
-        rm -rf /old-root
-      '';
-      selfprivacy-nixos-configuration-source = ''
-        rm -rf /etc/nixos/{*,.[!.]*}
-        cp -r --no-preserve=all ${nixos-config-source}/ -T /etc/nixos/
-      '';
-      cloudflareCredentials = ''
-        mkdir -p /var/lib/cloudflare
-        chmod 0440 /var/lib/cloudflare
-        chown nginx:acmereceivers /var/lib/cloudflare
-        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
-        ${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
-        chmod 0440 /var/lib/cloudflare/Credentials.ini
-        chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
-      '';
-    };
-}
--- a/flake.lock
+++ b/flake.lock
@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1702381323,
-        "narHash": "sha256-jPDDlY2thQgJqY8I3Ef3QeojHci7UikMjMVZ5P7pjt4=",
+        "lastModified": 1702870693,
+        "narHash": "sha256-ZtoeXTzQ52wn8chX/0PsLCFuc32m5zpDJpPdpWlrxwU=",
        "ref": "userdata",
-        "rev": "2bdb73d348d1a8b85a71aa480ab1c08fafb2c9ba",
-        "revCount": 1044,
+        "rev": "789a1c579c5c8f2431cff2baed45713ab791ca7c",
+        "revCount": 1046,
        "type": "git",
        "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -24,20 +24,28 @@
            hardware-configuration
            deployment
            ./configuration.nix
-            (import ./files.nix top-level-flake.outPath)
            selfprivacy-api.nixosModules.default
            {
              # pass userdata (parsed from JSON) options to selfprivacy module
              selfprivacy = userdata;
+
              # embed top-level flake source folder into the build
              environment.etc."selfprivacy/nixos-config-source".source =
-                top-level-flake.outPath;
+                top-level-flake;
+
              # for running "nix search nixpkgs", etc
              nix.registry.nixpkgs.flake = nixpkgs;
+
              # embed commit sha1 for `nixos-version --configuration-revision`
              system.configurationRevision = self.rev
                or "@${self.lastModifiedDate}"; # for development
              # TODO assertion to forbid dirty builds caused by top-level-flake
+
+              # reset contents of /etc/nixos to match running NixOS generation
+              system.activationScripts.selfprivacy-nixos-config-source = ''
+                rm -rf /etc/nixos/{*,.[!.]*}
+                cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/
+              '';
            }
          ]
          ++
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@ -1,6 +1,18 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  cfg = config.selfprivacy;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
+    CLOUDFLARE = ''
+      CF_API_KEY=$TOKEN
+      CLOUDFLARE_DNS_API_TOKEN=$TOKEN
+      CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
+    '';
+    DESEC = "DESEC_TOKEN=$TOKEN";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
+  acme-env-filepath = "/var/lib/selfprivacy/acme-env";
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
 in
 {
  users.groups.acmereceivers.members = [ "nginx" ];
@ -18,8 +30,26 @@ in
        extraDomainNames = [ "${cfg.domain}" ];
        group = "acmereceivers";
        dnsProvider = lib.strings.toLower cfg.dns.provider;
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
+        credentialsFile = acme-env-filepath;
      };
    };
  };
+  systemd.services.acme-secrets = {
+    before = [ "acme-${cfg.domain}.service" ];
+    requiredBy = [ "acme-${cfg.domain}.service" ];
+    serviceConfig.Type = "oneshot";
+    path = with pkgs; [ coreutils jq ];
+    script = ''
+      set -o nounset
+
+      TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
+      filecontents=$(cat <<- EOF
+      ${dnsCredentialsTemplate}
+      EOF
+      )
+
+      install -m 0440 -o root -g acmereceivers -DT \
+      <(printf "%s\n" "$filecontents") ${acme-env-filepath}
+    '';
+  };
 }
--- a/selfprivacy-module.nix
+++ b/selfprivacy-module.nix
@ -12,7 +12,8 @@ with lib;
      description = ''
        Domain used by the server
      '';
-      type = types.nullOr types.str;
+      # see: https://regexr.com/7p7ep, https://stackoverflow.com/a/26987741
+      type = lib.types.strMatching ''^(xn--)?[a-z0-9][a-z0-9_-]{0,61}[a-z0-9]{0,1}\.(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$'';
    };
    timezone = mkOption {
      description = ''
@ -33,13 +34,6 @@ with lib;
        type = types.nullOr types.bool;
      };
    };
-    stateVersion = mkOption {
-      description = ''
-        State version of the server
-      '';
-      type = types.str;
-      default = "22.11";
-    };
    ########################
    # Server admin options #
    ########################
@ -62,27 +56,8 @@ with lib;
      type = types.nullOr (types.listOf types.str);
      default = [ ];
    };
-    ###############
-    # API options #
-    ###############
-    api = {
-      enableSwagger = mkOption {
-        default = true;
-        description = ''
-          Enable Swagger UI
-        '';
-        type = types.bool;
-      };
-      skippedMigrations = mkOption {
-        default = [ ];
-        description = ''
-          List of migrations that should be skipped
-        '';
-        type = types.listOf types.str;
-      };
-    };
    #############
-    #  Secrets  #
+    #    DNS    #
    #############
    dns = {
      provider = mkOption {
@ -95,17 +70,10 @@ with lib;
        default = false;
      };
    };
-    backup = {
-      bucket = mkOption {
-        description = "Bucket name used for userdata backups";
-        type = types.nullOr types.str;
-        default = "";
-      };
-    };
    server = {
      provider = mkOption {
        description = "Server provider that was defined at the initial setup process.";
-        type = types.nullOr types.str;
+        type = types.str;
      };
    };
    #########