SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git synced 2025-02-18 07:14:36 +00:00
Code Issues Projects Releases Wiki Activity

Remove all secrets from nix store

Browse source
This commit is contained in:
inexcode 2022-07-14 20:42:42 +03:00
parent 17b927f700
commit ea383780b6
8 changed files with 141 additions and 109 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
api/api-module.nix
View file

@ -12,18 +12,12 @@ in
{ {
options.services.selfprivacy-api = { options.services.selfprivacy-api = {
enable = mkOption { enable = mkOption {
default = false; default = true;
type = types.bool; type = types.bool;
description = '' description = ''
Enable SelfPrivacy API service Enable SelfPrivacy API service
''; '';
}; };
token = mkOption {
type = types.str;
description = ''
SelfPrivacy API token
'';
};
enableSwagger = mkOption { enableSwagger = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -37,12 +31,6 @@ in
B2 bucket B2 bucket
''; '';
}; };
resticPassword = mkOption {
type = types.str;
description = ''
Restic password
'';
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -52,10 +40,8 @@ in
inherit (config.environment.sessionVariables) NIX_PATH; inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root"; HOME = "/root";
PYTHONUNBUFFERED = "1"; PYTHONUNBUFFERED = "1";
AUTH_TOKEN = cfg.token;
ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0"); ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
B2_BUCKET = cfg.b2Bucket; B2_BUCKET = cfg.b2Bucket;
RESTIC_PASSWORD = cfg.resticPassword;
} // config.networking.proxy.envVars; } // config.networking.proxy.envVars;
path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ]; path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];

2
api/api.nix
View file

@ -2,10 +2,8 @@
{ {
services.selfprivacy-api = { services.selfprivacy-api = {
enable = true; enable = true;
token = config.services.userdata.api.token;
enableSwagger = config.services.userdata.api.enableSwagger; enableSwagger = config.services.userdata.api.enableSwagger;
b2Bucket = config.services.userdata.backblaze.bucket; b2Bucket = config.services.userdata.backblaze.bucket;
resticPassword = config.services.userdata.resticPassword;
}; };
users.users."selfprivacy-api" = { users.users."selfprivacy-api" = {

92
files.nix
View file

@ -15,48 +15,62 @@ in
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "") (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
]; ];
system.activationScripts = let system.activationScripts =
jq = "${pkgs.jq}/bin/jq"; let
sed = "${pkgs.gnused}/bin/sed"; jq = "${pkgs.jq}/bin/jq";
in sed = "${pkgs.gnused}/bin/sed";
{ in
nextcloudSecrets = {
if cfg.nextcloud.enable then '' nextcloudSecrets =
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass if cfg.nextcloud.enable then ''
chmod 0440 /var/lib/nextcloud/db-pass cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
chown nextcloud:nextcloud /var/lib/nextcloud/db-pass chmod 0440 /var/lib/nextcloud/db-pass
chown nextcloud:nextcloud /var/lib/nextcloud/db-pass
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
chmod 0440 /var/lib/nextcloud/admin-pass chmod 0440 /var/lib/nextcloud/admin-pass
chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
'' ''
else '' else ''
rm -f /var/lib/nextcloud/db-pass rm -f /var/lib/nextcloud/db-pass
rm -f /var/lib/nextcloud/admin-pass rm -f /var/lib/nextcloud/admin-pass
'';
cloudflareCredentials = ''
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
''; '';
cloudflareCredentials = '' resticCredentials = ''
echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini echo '[backblaze]' > /root/.config/rclone/rclone.conf
echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini echo 'type = b2' >> /root/.config/rclone/rclone.conf
echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
'';
resticCredentials = ''
echo '[backblaze]' > /root/.config/rclone/rclone.conf
echo 'type = b2' >> /root/.config/rclone/rclone.conf
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
chmod 0400 /root/.config/rclone/rclone.conf chmod 0400 /root/.config/rclone/rclone.conf
chown root:root /root/.config/rclone/rclone.conf chown root:root /root/.config/rclone/rclone.conf
cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
chmod 0400 /var/lib/restic/pass chmod 0400 /var/lib/restic/pass
chown restic /var/lib/restic/pass chown restic /var/lib/restic/pass
''; '';
}; pleromaCredentials =
if cfg.pleroma.enable then ''
echo 'import Config' > /var/lib/pleroma/secrets.exs
echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs
echo ' password: "REPLACEME",' >> /var/lib/pleroma/secrets.exs
${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs
chmod 0750 /var/lib/pleroma/secrets.exs
chown pleroma:pleroma /var/lib/pleroma/secrets.exs
'' else ''
rm -f /var/lib/pleroma/secrets.exs
'';
};
} }

5
social/config.exs
View file

@ -22,9 +22,8 @@ config :pleroma, :media_proxy,
config :pleroma, Pleroma.Repo, config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres, adapter: Ecto.Adapters.Postgres,
username: "pleroma", username: "pleroma",
password: "$DB_PASSWORD",
database: "pleroma", database: "pleroma",
hostname: "localhost", socket_dir: "/run/postgresql",
pool_size: 10 pool_size: 10
#config :web_push_encryption, :vapid_details, #config :web_push_encryption, :vapid_details,
@ -41,4 +40,4 @@ config :pleroma, :http_security,
#config :joken, default_signer: "" #config :joken, default_signer: ""
config :pleroma, configurable_from_database: false config :pleroma, configurable_from_database: true

17
social/pleroma.nix
View file

@ -10,8 +10,8 @@ in
group = "pleroma"; group = "pleroma";
configs = [ configs = [
(builtins.replaceStrings (builtins.replaceStrings
[ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ] [ "$DOMAIN" "$LUSER" ]
[ cfg.domain cfg.username cfg.databasePassword ] [ cfg.domain cfg.username ]
(builtins.readFile ./config.exs)) (builtins.readFile ./config.exs))
]; ];
}; };
@ -19,11 +19,20 @@ in
enable = true; enable = true;
package = pkgs.postgresql_12; package = pkgs.postgresql_12;
initialScript = "/etc/setup.psql"; initialScript = "/etc/setup.psql";
ensureDatabases = [
"pleroma"
];
ensureUsers = [
{
name = "pleroma";
ensurePermissions = {
"DATABASE pleroma" = "ALL PRIVILEGES";
};
};
];
}; };
}; };
environment.etc."setup.psql".text = '' environment.etc."setup.psql".text = ''
CREATE USER pleroma WITH ENCRYPTED PASSWORD '${cfg.databasePassword}';
CREATE DATABASE pleroma OWNER pleroma;
\c pleroma; \c pleroma;
--Extensions made by ecto.migrate that need superuser access --Extensions made by ecto.migrate that need superuser access
CREATE EXTENSION IF NOT EXISTS citext; CREATE EXTENSION IF NOT EXISTS citext;

72
userdata/tokens_schema.json Normal file
View file

@ -0,0 +1,72 @@
{
"$schema": "http://json-schema.org/schema#",
"$id": "https://git.selfprivacy.org/inex/selfprivacy-nixos-config/raw/branch/master/userdata/tokens_schema.json",
"type": "object",
"properties": {
"tokens": {
"type": "array",
"items": {
"type": "object",
"properties": {
"token": {
"type": "string"
},
"name": {
"type": "string"
},
"date": {
"type": "string"
}
},
"required": [
"token",
"name",
"date"
]
}
},
"recovery_token": {
"type": "object",
"properties": {
"token": {
"type": "string"
},
"date": {
"type": "string"
},
"expiration": {
"type": "string"
},
"uses_left": {
"type": "integer"
}
},
"required": [
"token",
"date"
]
},
"new_device": {
"type": "object",
"properties": {
"token": {
"type": "string"
},
"date": {
"type": "string"
},
"expiration": {
"type": "string"
}
},
"required": [
"token",
"date",
"expiration"
]
}
},
"required": [
"tokens"
]
}

39
variables-module.nix
View file

@ -67,12 +67,6 @@ in
# API options # # API options #
############### ###############
api = { api = {
token = mkOption {
description = ''
API token used to authenticate with the server
'';
type = types.nullOr types.str;
};
enableSwagger = mkOption { enableSwagger = mkOption {
default = true; default = true;
description = '' description = ''
@ -97,21 +91,9 @@ in
type = types.nullOr types.str; type = types.nullOr types.str;
}; };
}; };
cloudflare = {
apiKey = mkOption {
description = "Cloudflare API Key.";
type = types.nullOr types.str;
};
};
############## ##############
# Services # # Services #
############## ##############
databasePassword = mkOption {
description = ''
Password for the database
'';
type = types.nullOr types.str;
};
bitwarden = { bitwarden = {
enable = mkOption { enable = mkOption {
default = false; default = false;
@ -129,18 +111,6 @@ in
default = true; default = true;
type = types.nullOr types.bool; type = types.nullOr types.bool;
}; };
# databasePassword = mkOption {
# description = ''
# Password for the nextcloud database
# '';
# type = types.nullOr types.str;
# };
adminPassword = mkOption {
description = ''
Password for the nextcloud admin user
'';
type = types.nullOr types.str;
};
}; };
pleroma = { pleroma = {
enable = mkOption { enable = mkOption {
@ -160,15 +130,6 @@ in
type = types.nullOr types.bool; type = types.nullOr types.bool;
}; };
}; };
#############
# Backups #
#############
resticPassword = mkOption {
description = ''
Password for the restic
'';
type = types.nullOr types.str;
};
######### #########
# SSH # # SSH #
######### #########

7
variables.nix
View file

@ -15,17 +15,12 @@ in
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData; hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [] jsonData; sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [] jsonData;
api = { api = {
token = jsonData.api.token;
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData; enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [] jsonData; skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [] jsonData;
}; };
backblaze = { backblaze = {
bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData; bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
}; };
cloudflare = {
apiKey = lib.attrsets.attrByPath [ "cloudflare" "apiKey" ] "" jsonData;
};
databasePassword = lib.attrsets.attrByPath [ "databasePassword" ] null jsonData;
bitwarden = { bitwarden = {
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData; enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
}; };
@ -34,7 +29,6 @@ in
}; };
nextcloud = { nextcloud = {
enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData; enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData;
adminPassword = lib.attrsets.attrByPath [ "nextcloud" "adminPassword" ] "" jsonData;
}; };
pleroma = { pleroma = {
enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData; enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
@ -45,7 +39,6 @@ in
ocserv = { ocserv = {
enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData; enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
}; };
resticPassword = lib.attrsets.attrByPath [ "resticPassword" ] null jsonData;
ssh = { ssh = {
enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData; enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData; rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;