Compare commits
No commits in common. "c7583bf501d0b8a226d807d7535b5aed535a5d68" and "2159c4cc6ee61fcd0dab95eed8bc40f6cde2d8f0" have entirely different histories.
c7583bf501
...
2159c4cc6e
|
@ -2,7 +2,6 @@
|
|||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
backup-dir = "/var/lib/bitwarden/backup";
|
||||
cfg = sp.modules.bitwarden;
|
||||
inherit (import ./common.nix config) bitwarden-env sp;
|
||||
in
|
||||
{
|
||||
|
@ -14,16 +13,12 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "password";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/bitwarden" = {
|
||||
device = "/volumes/${cfg.location}/bitwarden";
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=bitwarden-secrets.service"
|
||||
|
@ -35,7 +30,7 @@ in
|
|||
];
|
||||
};
|
||||
"/var/lib/bitwarden_rs" = {
|
||||
device = "/volumes/${cfg.location}/bitwarden_rs";
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=bitwarden-secrets.service"
|
||||
|
@ -53,7 +48,7 @@ in
|
|||
backupDir = backup-dir;
|
||||
environmentFile = "${bitwarden-env}";
|
||||
config = {
|
||||
domain = "https://${cfg.subdomain}.${sp.domain}/";
|
||||
domain = "https://password.${sp.domain}/";
|
||||
signupsAllowed = true;
|
||||
rocketPort = 8222;
|
||||
};
|
||||
|
@ -81,7 +76,7 @@ in
|
|||
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
services.nginx.virtualHosts."password.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
|
|
@ -3,9 +3,8 @@ let
|
|||
sp = config.selfprivacy;
|
||||
stateDir =
|
||||
if sp.useBinds
|
||||
then "/volumes/${cfg.location}/gitea"
|
||||
then "/volumes/${sp.modules.gitea.location}/gitea"
|
||||
else "/var/lib/gitea";
|
||||
cfg = sp.modules.gitea;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.gitea = {
|
||||
|
@ -16,16 +15,12 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "git";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.gitea.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/gitea" = {
|
||||
device = "/volumes/${cfg.location}/gitea";
|
||||
device = "/volumes/${sp.modules.gitea.location}/gitea";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
@ -58,8 +53,8 @@ in
|
|||
# cookieSecure = true;
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "${cfg.subdomain}.${sp.domain}";
|
||||
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
|
||||
DOMAIN = "git.${sp.domain}";
|
||||
ROOT_URL = "https://git.${sp.domain}/";
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
HTTP_PORT = 3000;
|
||||
};
|
||||
|
@ -88,7 +83,7 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
services.nginx.virtualHosts."git.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
@ -108,6 +103,6 @@ in
|
|||
};
|
||||
};
|
||||
systemd.services.gitea.unitConfig.RequiresMountsFor =
|
||||
lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
|
||||
lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.domain;
|
||||
cfg = config.selfprivacy.modules.jitsi-meet;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.jitsi-meet = {
|
||||
|
@ -9,23 +8,19 @@ in
|
|||
default = false;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "meet";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.jitsi-meet.enable {
|
||||
services.jitsi-meet = {
|
||||
enable = true;
|
||||
hostName = "${cfg.subdomain}.${domain}";
|
||||
hostName = "meet.${domain}";
|
||||
nginx.enable = true;
|
||||
interfaceConfig = {
|
||||
SHOW_JITSI_WATERMARK = false;
|
||||
SHOW_WATERMARK_FOR_GUESTS = false;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
services.nginx.virtualHosts."meet.${domain}" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
enableACME = false;
|
||||
|
|
|
@ -8,23 +8,18 @@
|
|||
location = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "cloud";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
let
|
||||
inherit (import ./common.nix config)
|
||||
sp secrets-filepath db-pass-filepath admin-pass-filepath;
|
||||
cfg = sp.modules.nextcloud;
|
||||
hostName = "${cfg.subdomain}.${sp.domain}";
|
||||
hostName = "cloud.${sp.domain}";
|
||||
in
|
||||
lib.mkIf sp.modules.nextcloud.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/nextcloud" = {
|
||||
device = "/volumes/${cfg.location}/nextcloud";
|
||||
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=nextcloud-setup.service"
|
||||
|
|
|
@ -3,7 +3,6 @@ let
|
|||
domain = config.selfprivacy.domain;
|
||||
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
|
||||
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
|
||||
cfg = config.selfprivacy.modules.ocserv;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.ocserv = {
|
||||
|
@ -11,13 +10,9 @@ in
|
|||
default = false;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "vpn";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
|
||||
users.groups.ocserv.members = [ "ocserv" ];
|
||||
users.users.ocserv = {
|
||||
isNormalUser = false;
|
||||
|
@ -48,7 +43,7 @@ in
|
|||
idle-timeout=1200
|
||||
mobile-idle-timeout=2400
|
||||
|
||||
default-domain = ${cfg.subdomain}.${domain}
|
||||
default-domain = vpn.${domain}
|
||||
|
||||
device = vpn0
|
||||
|
||||
|
@ -62,7 +57,7 @@ in
|
|||
route = default
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
|
||||
services.nginx.virtualHosts."vpn.${domain}" = {
|
||||
useACMEHost = domain;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
cfg = config.selfprivacy.modules.pleroma;
|
||||
inherit (import ./common.nix config) secrets-exs sp;
|
||||
in
|
||||
{
|
||||
|
@ -13,15 +12,11 @@ in
|
|||
location = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
subdomain = lib.mkOption {
|
||||
default = "social";
|
||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/pleroma" = {
|
||||
device = "/volumes/${cfg.location}/pleroma";
|
||||
device = "/volumes/${sp.modules.pleroma.location}/pleroma";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=pleroma-secrets.service"
|
||||
|
@ -31,7 +26,7 @@ in
|
|||
];
|
||||
};
|
||||
"/var/lib/postgresql" = {
|
||||
device = "/volumes/${cfg.location}/postgresql";
|
||||
device = "/volumes/${sp.modules.pleroma.location}/postgresql";
|
||||
options = [
|
||||
"bind"
|
||||
"x-systemd.required-by=pleroma-secrets.service"
|
||||
|
@ -107,9 +102,9 @@ in
|
|||
};
|
||||
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
|
||||
systemd.services.pleroma.path = [ pkgs.util-linux ];
|
||||
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||
useACMEHost = sp.domain;
|
||||
root = "/var/www/${cfg.subdomain}.${sp.domain}";
|
||||
services.nginx.virtualHosts."social.${sp.domain}" = {
|
||||
useACMEHost = config.selfprivacy.domain;
|
||||
root = "/var/www/social.${sp.domain}";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
|
Loading…
Reference in New Issue