mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-25 12:31:27 +00:00
Remove all secrets from nix store
This commit is contained in:
parent
17b927f700
commit
ea383780b6
|
@ -12,18 +12,12 @@ in
|
|||
{
|
||||
options.services.selfprivacy-api = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Enable SelfPrivacy API service
|
||||
'';
|
||||
};
|
||||
token = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
SelfPrivacy API token
|
||||
'';
|
||||
};
|
||||
enableSwagger = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
|
@ -37,12 +31,6 @@ in
|
|||
B2 bucket
|
||||
'';
|
||||
};
|
||||
resticPassword = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
Restic password
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
|
@ -52,10 +40,8 @@ in
|
|||
inherit (config.environment.sessionVariables) NIX_PATH;
|
||||
HOME = "/root";
|
||||
PYTHONUNBUFFERED = "1";
|
||||
AUTH_TOKEN = cfg.token;
|
||||
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
|
||||
B2_BUCKET = cfg.b2Bucket;
|
||||
RESTIC_PASSWORD = cfg.resticPassword;
|
||||
} // config.networking.proxy.envVars;
|
||||
path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ];
|
||||
after = [ "network-online.target" ];
|
||||
|
|
|
@ -2,10 +2,8 @@
|
|||
{
|
||||
services.selfprivacy-api = {
|
||||
enable = true;
|
||||
token = config.services.userdata.api.token;
|
||||
enableSwagger = config.services.userdata.api.enableSwagger;
|
||||
b2Bucket = config.services.userdata.backblaze.bucket;
|
||||
resticPassword = config.services.userdata.resticPassword;
|
||||
};
|
||||
|
||||
users.users."selfprivacy-api" = {
|
||||
|
|
92
files.nix
92
files.nix
|
@ -15,48 +15,62 @@ in
|
|||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
];
|
||||
system.activationScripts = let
|
||||
jq = "${pkgs.jq}/bin/jq";
|
||||
sed = "${pkgs.gnused}/bin/sed";
|
||||
in
|
||||
{
|
||||
nextcloudSecrets =
|
||||
if cfg.nextcloud.enable then ''
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
|
||||
chmod 0440 /var/lib/nextcloud/db-pass
|
||||
chown nextcloud:nextcloud /var/lib/nextcloud/db-pass
|
||||
system.activationScripts =
|
||||
let
|
||||
jq = "${pkgs.jq}/bin/jq";
|
||||
sed = "${pkgs.gnused}/bin/sed";
|
||||
in
|
||||
{
|
||||
nextcloudSecrets =
|
||||
if cfg.nextcloud.enable then ''
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
|
||||
chmod 0440 /var/lib/nextcloud/db-pass
|
||||
chown nextcloud:nextcloud /var/lib/nextcloud/db-pass
|
||||
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
|
||||
chmod 0440 /var/lib/nextcloud/admin-pass
|
||||
chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
|
||||
''
|
||||
else ''
|
||||
rm -f /var/lib/nextcloud/db-pass
|
||||
rm -f /var/lib/nextcloud/admin-pass
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
|
||||
chmod 0440 /var/lib/nextcloud/admin-pass
|
||||
chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
|
||||
''
|
||||
else ''
|
||||
rm -f /var/lib/nextcloud/db-pass
|
||||
rm -f /var/lib/nextcloud/admin-pass
|
||||
'';
|
||||
cloudflareCredentials = ''
|
||||
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
|
||||
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
||||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
||||
'';
|
||||
cloudflareCredentials = ''
|
||||
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
|
||||
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
|
||||
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
|
||||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
|
||||
'';
|
||||
resticCredentials = ''
|
||||
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
||||
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
||||
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
||||
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
||||
resticCredentials = ''
|
||||
echo '[backblaze]' > /root/.config/rclone/rclone.conf
|
||||
echo 'type = b2' >> /root/.config/rclone/rclone.conf
|
||||
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
|
||||
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
|
||||
|
||||
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
|
||||
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
|
||||
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
|
||||
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
|
||||
|
||||
chmod 0400 /root/.config/rclone/rclone.conf
|
||||
chown root:root /root/.config/rclone/rclone.conf
|
||||
chmod 0400 /root/.config/rclone/rclone.conf
|
||||
chown root:root /root/.config/rclone/rclone.conf
|
||||
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
||||
chmod 0400 /var/lib/restic/pass
|
||||
chown restic /var/lib/restic/pass
|
||||
'';
|
||||
};
|
||||
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
|
||||
chmod 0400 /var/lib/restic/pass
|
||||
chown restic /var/lib/restic/pass
|
||||
'';
|
||||
pleromaCredentials =
|
||||
if cfg.pleroma.enable then ''
|
||||
echo 'import Config' > /var/lib/pleroma/secrets.exs
|
||||
echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs
|
||||
echo ' password: "REPLACEME",' >> /var/lib/pleroma/secrets.exs
|
||||
|
||||
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs
|
||||
|
||||
chmod 0750 /var/lib/pleroma/secrets.exs
|
||||
chown pleroma:pleroma /var/lib/pleroma/secrets.exs
|
||||
'' else ''
|
||||
rm -f /var/lib/pleroma/secrets.exs
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -22,9 +22,8 @@ config :pleroma, :media_proxy,
|
|||
config :pleroma, Pleroma.Repo,
|
||||
adapter: Ecto.Adapters.Postgres,
|
||||
username: "pleroma",
|
||||
password: "$DB_PASSWORD",
|
||||
database: "pleroma",
|
||||
hostname: "localhost",
|
||||
socket_dir: "/run/postgresql",
|
||||
pool_size: 10
|
||||
|
||||
#config :web_push_encryption, :vapid_details,
|
||||
|
@ -41,4 +40,4 @@ config :pleroma, :http_security,
|
|||
|
||||
#config :joken, default_signer: ""
|
||||
|
||||
config :pleroma, configurable_from_database: false
|
||||
config :pleroma, configurable_from_database: true
|
||||
|
|
|
@ -10,8 +10,8 @@ in
|
|||
group = "pleroma";
|
||||
configs = [
|
||||
(builtins.replaceStrings
|
||||
[ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ]
|
||||
[ cfg.domain cfg.username cfg.databasePassword ]
|
||||
[ "$DOMAIN" "$LUSER" ]
|
||||
[ cfg.domain cfg.username ]
|
||||
(builtins.readFile ./config.exs))
|
||||
];
|
||||
};
|
||||
|
@ -19,11 +19,20 @@ in
|
|||
enable = true;
|
||||
package = pkgs.postgresql_12;
|
||||
initialScript = "/etc/setup.psql";
|
||||
ensureDatabases = [
|
||||
"pleroma"
|
||||
];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "pleroma";
|
||||
ensurePermissions = {
|
||||
"DATABASE pleroma" = "ALL PRIVILEGES";
|
||||
};
|
||||
};
|
||||
];
|
||||
};
|
||||
};
|
||||
environment.etc."setup.psql".text = ''
|
||||
CREATE USER pleroma WITH ENCRYPTED PASSWORD '${cfg.databasePassword}';
|
||||
CREATE DATABASE pleroma OWNER pleroma;
|
||||
\c pleroma;
|
||||
--Extensions made by ecto.migrate that need superuser access
|
||||
CREATE EXTENSION IF NOT EXISTS citext;
|
||||
|
|
72
userdata/tokens_schema.json
Normal file
72
userdata/tokens_schema.json
Normal file
|
@ -0,0 +1,72 @@
|
|||
{
|
||||
"$schema": "http://json-schema.org/schema#",
|
||||
"$id": "https://git.selfprivacy.org/inex/selfprivacy-nixos-config/raw/branch/master/userdata/tokens_schema.json",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"tokens": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"token": {
|
||||
"type": "string"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"token",
|
||||
"name",
|
||||
"date"
|
||||
]
|
||||
}
|
||||
},
|
||||
"recovery_token": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"token": {
|
||||
"type": "string"
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
},
|
||||
"expiration": {
|
||||
"type": "string"
|
||||
},
|
||||
"uses_left": {
|
||||
"type": "integer"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"token",
|
||||
"date"
|
||||
]
|
||||
},
|
||||
"new_device": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"token": {
|
||||
"type": "string"
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
},
|
||||
"expiration": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"token",
|
||||
"date",
|
||||
"expiration"
|
||||
]
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"tokens"
|
||||
]
|
||||
}
|
|
@ -67,12 +67,6 @@ in
|
|||
# API options #
|
||||
###############
|
||||
api = {
|
||||
token = mkOption {
|
||||
description = ''
|
||||
API token used to authenticate with the server
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
enableSwagger = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
|
@ -97,21 +91,9 @@ in
|
|||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
cloudflare = {
|
||||
apiKey = mkOption {
|
||||
description = "Cloudflare API Key.";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
##############
|
||||
# Services #
|
||||
##############
|
||||
databasePassword = mkOption {
|
||||
description = ''
|
||||
Password for the database
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
bitwarden = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
|
@ -129,18 +111,6 @@ in
|
|||
default = true;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
# databasePassword = mkOption {
|
||||
# description = ''
|
||||
# Password for the nextcloud database
|
||||
# '';
|
||||
# type = types.nullOr types.str;
|
||||
# };
|
||||
adminPassword = mkOption {
|
||||
description = ''
|
||||
Password for the nextcloud admin user
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
pleroma = {
|
||||
enable = mkOption {
|
||||
|
@ -160,15 +130,6 @@ in
|
|||
type = types.nullOr types.bool;
|
||||
};
|
||||
};
|
||||
#############
|
||||
# Backups #
|
||||
#############
|
||||
resticPassword = mkOption {
|
||||
description = ''
|
||||
Password for the restic
|
||||
'';
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
#########
|
||||
# SSH #
|
||||
#########
|
||||
|
|
|
@ -15,17 +15,12 @@ in
|
|||
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
||||
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [] jsonData;
|
||||
api = {
|
||||
token = jsonData.api.token;
|
||||
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
|
||||
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [] jsonData;
|
||||
};
|
||||
backblaze = {
|
||||
bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
|
||||
};
|
||||
cloudflare = {
|
||||
apiKey = lib.attrsets.attrByPath [ "cloudflare" "apiKey" ] "" jsonData;
|
||||
};
|
||||
databasePassword = lib.attrsets.attrByPath [ "databasePassword" ] null jsonData;
|
||||
bitwarden = {
|
||||
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
|
||||
};
|
||||
|
@ -34,7 +29,6 @@ in
|
|||
};
|
||||
nextcloud = {
|
||||
enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData;
|
||||
adminPassword = lib.attrsets.attrByPath [ "nextcloud" "adminPassword" ] "" jsonData;
|
||||
};
|
||||
pleroma = {
|
||||
enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
|
||||
|
@ -45,7 +39,6 @@ in
|
|||
ocserv = {
|
||||
enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
|
||||
};
|
||||
resticPassword = lib.attrsets.attrByPath [ "resticPassword" ] null jsonData;
|
||||
ssh = {
|
||||
enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
|
||||
rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;
|
||||
|
|
Loading…
Reference in a new issue