diff --git a/nixos-infect b/nixos-infect index 289c6d2..4bbe77e 100755 --- a/nixos-infect +++ b/nixos-infect @@ -11,6 +11,7 @@ makeConf() { mkdir /etc/nixos mkdir -p /etc/nixos/mailserver/system mkdir /etc/nixos/mailserver/userdata + mkdir /etc/nixos/api mkdir /etc/nixos/letsencrypt mkdir /etc/nixos/backup mkdir /etc/nixos/passmgr @@ -39,6 +40,8 @@ makeConf() { $NIXOS_IMPORT ./files.nix ./mailserver/system/mailserver.nix + ./openconnect/shadowsocks.nix + ./api/api.nix ./letsencrypt/acme.nix ./backup/restic.nix ./passmgr/bitwarden.nix @@ -53,8 +56,8 @@ makeConf() { networking = { hostName = "$(hostname)"; firewall = { - allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 480 8080 8222 6667 8448 8388 8404 ]; - allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 480 8080 8222 6667 8448 8388 ]; + allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 8388 ]; + allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 8388 ]; }; }; time.timeZone = "Europe/Uzhgorod"; @@ -145,12 +148,16 @@ EOF resticPass = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] '' $PASSWORD ''; + domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] '' + $DOMAIN + ''; in [ "d /var/restic 0660 restic - - -" "d /var/bitwarden 0777 bitwarden_rs bitwarden_rs -" "d /var/api 0775 unit unit -" "d /var/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" + "f /var/domain 0444 selfprivacy-api selfprivacy-api - \${domain}" "f /var/restic/restic-repo-password 0660 restic - - \${resticPass}" "f /var/nextcloud-db-pass 0440 nextcloud nextcloud - \${nextcloudDBPass}" "f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - \${nextcloudAdminPass}" @@ -237,7 +244,7 @@ EOF { pkgs, ... }: { users.groups.acmerecievers = { - members = [ "nginx" "dovecot2" "postfix" "virtualMail" "bitwarden_rs" "nextcloud" "uwsgi" ]; + members = [ "nginx" "dovecot2" "postfix" "virtualMail" "bitwarden_rs" "nextcloud" ]; }; security.acme = { acceptTerms = true; 
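Review bot: The import list now pulls in `./openconnect/shadowsocks.nix`, but nothing in this diff creates `/etc/nixos/openconnect` or writes that file (the `makeConf` mkdir block only gains `/etc/nixos/api`), so unless it arrives from somewhere not shown here the generated configuration fails to evaluate on a missing path. Either add the matching `mkdir /etc/nixos/openconnect` and `cat > /etc/nixos/openconnect/shadowsocks.nix << EOF` block in this commit, or leave the import out until the file exists. The `$NIXOS_IMPORT` list this hunk edits starts and ends outside the hunk.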
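Review bot: `allowedUDPPorts` is a verbatim copy of `allowedTCPPorts`, yet SSH (22), HTTP (80), IMAP (143) and submission (587) are TCP-only protocols, so those UDP entries only widen the exposed surface without serving anything; trimming to what actually speaks UDP, presumably the shadowsocks port, reads `allowedUDPPorts = lib.mkForce [ 8388 ];` (keep 443 only if a QUIC/HTTP3 listener is intended). Because both lists are `lib.mkForce`, any `openFirewall` a NixOS service module sets is silently discarded, which deserves a one-line comment above the lists, e.g. `# mkForce: service modules' openFirewall is ignored; add ports here explicitly`. The API added elsewhere in this commit is only reached through nginx on 127.0.0.1, so it needs no entry here.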
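Review bot: `$DOMAIN` is expanded by the unquoted heredoc straight into a Nix `''` indented string, and the `builtins.replaceStrings` only escapes newline, `"` and `\` for the tmpfiles argument, so a value containing `''` or `${` breaks or is interpreted by the Nix evaluator; nothing in the hunk validates the variable, and I assume it originates from user input. A hostname check before `makeConf` closes this: `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "DOMAIN is not a valid hostname" >&2; exit 1; }`. The `/var/domain` file itself is world-readable (0444), which is fine for a hostname but worth a comment stating it is intentionally not a secret. The `let ... in` list this hunk edits starts and ends outside the hunk.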
@@ -376,7 +383,7 @@ proxy_headers_hash_bucket_size 128;
 forceSSL = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:1256";
+ proxyPass = "http://127.0.0.1:5050";
 extraConfig = ''
 proxy_headers_hash_max_size 512;
 proxy_headers_hash_bucket_size 128;
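Review bot: The new upstream port 5050 is a bare magic number whose only justification lives in the API's `main.py`, which this diff does not show (the systemd unit in api-service.nix sets no port or bind address), so a later change on either side breaks the proxy silently; add a comment on the `proxyPass` line, e.g. `# selfprivacy-api (api-service.nix) binds 127.0.0.1:5050`, or better derive both sides from a single Nix option. This location proxies `/` of the vhost to an API described elsewhere in the commit as controlling the system from a mobile app, and no authentication is visible in the nginx config, so it is worth confirming the API enforces it itself. The vhost block this hunk edits starts and ends outside the hunk.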
@@ -545,6 +552,100 @@ EOF
 };
 }
+EOF
+
+cat > /etc/nixos/api/api.nix << EOF
+{ pkgs, ... }:
+{
+ services.selfprivacy-api = {
+ enable = true;
+ };
+
+ users.users."selfprivacy-api" = {
+ isNormalUser = false;
+ extraGroups = [ "opendkim" ];
+ };
+ users.groups."selfprivacy-api" = {
+ members = [ "selfprivacy-api" ];
+ };
+}
+EOF
+
+cat > /etc/nixos/api/api-package.nix << EOF
+{ nixpkgs ? import {}, pythonPkgs ? nixpkgs.pkgs.python37Packages }:
+
+let
+ inherit (nixpkgs) pkgs;
+ inherit pythonPkgs;
+
+ selfprivacy-api = { buildPythonPackage, flask, flask-restful, pandas }:
+ buildPythonPackage rec {
+ pname = "selfprivacy-api";
+ version = "1.0";
+ src = builtins.fetchGit {
+ url = "https://git.selfprivacy.org/ilchub/selfprivacy-rest-api.git";
+ rev = "d7a6b3ca12d936165a4fc1c6265a2dfc3fd6229e";
+ };
+ propagatedBuildInputs = [ flask flask-restful pandas ];
+ meta = {
+ description = ''
+ SelfPrivacy Server Management API
+ '';
+ };
+ };
+ drv = pythonPkgs.callPackage selfprivacy-api {};
+in
+ if pkgs.lib.inNixShell then drv.env else drv
+EOF
+
+cat > /etc/nixos/api/api-service.nix << EOF
+{ config, lib, pkgs, ...
}:
+
+with lib;
+
+let
+ selfprivacy-api = pkgs.callPackage ./api-package.nix {};
+ cfg = config.services.selfprivacy-api;
+ directionArg = if cfg.direction == ""
+ then ""
+ else "--direction=\${cfg.direction}";
+in
+{
+ options.services.selfprivacy-api = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enable SelfPrivacy API service
+ '';
+ };
+ };
+ config = lib.mkIf cfg.enable {
+
+ systemd.services.selfprivacy-api = {
+ description = "API Server used to control system from the mobile application";
+ environment = {
+ PYTHONUNBUFFERED = "1";
+ };
+ path = [ "/var/" "/var/dkim/" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "network-online.target" ];
+ serviceConfig = {
+ User = "root";
+ PrivateDevices = "true";
+ ProtectKernelTunables = "true";
+ ProtectKernelModules = "true";
+ LockPersonality = "true";
+ RestrictRealtime = "true";
+ SystemCallFilter = "@system-service @network-io @signal";
+ SystemCallErrorNumber = "EPERM";
+ ExecStart = "\${selfprivacy-api}/bin/main.py";
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ };
+}
 EOF
 [[ -n "$doNetConf" ]] && makeNetworkingConf
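Review bot: The new unit in api-service.nix runs the API as `User = "root"` even though api.nix creates a dedicated `selfprivacy-api` user and group and the tmpfiles rule hands `/var/domain` to that user, so the PrivateDevices/ProtectKernel*/SystemCallFilter sandbox buys little for an HTTP service that by its own description controls the system; either run it as the created user (with explicit sudo or polkit rules for the privileged operations it performs) or document why root is unavoidable and add at least `NoNewPrivileges` and `ProtectHome`. `wantedBy = [ "network-online.target" ]` does not by itself pull the unit into the boot transaction; the usual wiring is `wantedBy = [ "multi-user.target" ]` with `wants`/`after` on `network-online.target`. `path = [ "/var/" "/var/dkim/" ]` is the package list NixOS turns into the unit's PATH (as far as I read the module it yields `/var//bin`-style entries) and grants no access to those directories, and the `directionArg` binding reads `cfg.direction`, an option this module never declares — unused, so evaluation still succeeds, but it should be deleted. Also `isNormalUser = false` on its own may trip the system-user assertion on newer NixOS releases (which want `isSystemUser = true` plus `group`), so the user block needs fixing alongside.
```nix
      # selfprivacy-api reads /var/domain and /var/dkim by absolute path; no PATH entry needed.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # TODO(review): confirm root is unavoidable; otherwise use the dedicated user:
        # User = "selfprivacy-api"; Group = "selfprivacy-api";
        User = "root";
        NoNewPrivileges = true;
        ProtectHome = true;
        # … unchanged: PrivateDevices … SystemCallErrorNumber …
        ExecStart = "\${selfprivacy-api}/bin/main.py";
        Restart = "always";
        RestartSec = "5";
      };
```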