Added API propagation
This commit is contained in:
parent
58c85fae6f
commit
a7a0cb586f
109
nixos-infect
109
nixos-infect
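--- a/nixos-infect
+++ b/nixos-infect
@@ -11,6 +11,7 @@ makeConf() {
 mkdir /etc/nixos
 mkdir -p /etc/nixos/mailserver/system
 mkdir /etc/nixos/mailserver/userdata
+mkdir /etc/nixos/api
 mkdir /etc/nixos/letsencrypt
 mkdir /etc/nixos/backup
 mkdir /etc/nixos/passmgr
@@ -39,6 +40,8 @@ makeConf() {
 $NIXOS_IMPORT
 ./files.nix
 ./mailserver/system/mailserver.nix
+./openconnect/shadowsocks.nix
+./api/api.nix
 ./letsencrypt/acme.nix
 ./backup/restic.nix
 ./passmgr/bitwarden.nix
@@ -53,8 +56,8 @@ makeConf() {
 networking = {
 hostName = "$(hostname)";
 firewall = {
-allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 480 8080 8222 6667 8448 8388 8404 ];
-allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 480 8080 8222 6667 8448 8388 ];
+allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
+allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
 };
 };
 time.timeZone = "Europe/Uzhgorod";
@@ -145,12 +148,16 @@ EOF
 resticPass = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
 $PASSWORD
 '';
+domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
+$DOMAIN
+'';
 in
 [
 "d /var/restic 0660 restic - - -"
 "d /var/bitwarden 0777 bitwarden_rs bitwarden_rs -"
 "d /var/api 0775 unit unit -"
 "d /var/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -"
+"f /var/domain 0444 selfprivacy-api selfprivacy-api - \${domain}"
 "f /var/restic/restic-repo-password 0660 restic - - \${resticPass}"
 "f /var/nextcloud-db-pass 0440 nextcloud nextcloud - \${nextcloudDBPass}"
 "f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - \${nextcloudAdminPass}"
@@ -237,7 +244,7 @@ EOF
 { pkgs, ... }:
 {
 users.groups.acmerecievers = {
-members = [ "nginx" "dovecot2" "postfix" "virtualMail" "bitwarden_rs" "nextcloud" "uwsgi" ];
+members = [ "nginx" "dovecot2" "postfix" "virtualMail" "bitwarden_rs" "nextcloud" ];
 };
 security.acme = {
 acceptTerms = true;
@@ -376,7 +383,7 @@ proxy_headers_hash_bucket_size 128;
 forceSSL = true;
 locations = {
 "/" = {
-proxyPass = "http://127.0.0.1:1256";
+proxyPass = "http://127.0.0.1:5050";
 extraConfig = ''
 proxy_headers_hash_max_size 512;
 proxy_headers_hash_bucket_size 128;
@@ -545,6 +552,100 @@ EOF
 
 };
 }
+EOF
+
+cat > /etc/nixos/api/api.nix << EOF
+{ pkgs, ... }:
+{
+services.selfprivacy-api = {
+enable = true;
+};
+
+users.users."selfprivacy-api" = {
+isNormalUser = false;
+extraGroups = [ "opendkim" ];
+};
+users.groups."selfprivacy-api" = {
+members = [ "selfprivacy-api" ];
+};
+}
+EOF
+
+cat > /etc/nixos/api/api-package.nix << EOF
+{ nixpkgs ? import <nixpkgs> {}, pythonPkgs ? nixpkgs.pkgs.python37Packages }:
+
+let
+inherit (nixpkgs) pkgs;
+inherit pythonPkgs;
+
+selfprivacy-api = { buildPythonPackage, flask, flask-restful, pandas }:
+buildPythonPackage rec {
+pname = "selfprivacy-api";
+version = "1.0";
+src = builtins.fetchGit {
+url = "https://git.selfprivacy.org/ilchub/selfprivacy-rest-api.git";
+rev = "d7a6b3ca12d936165a4fc1c6265a2dfc3fd6229e";
+};
+propagatedBuildInputs = [ flask flask-restful pandas ];
+meta = {
+description = ''
+SelfPrivacy Server Management API
+'';
+};
+};
+drv = pythonPkgs.callPackage selfprivacy-api {};
+in
+if pkgs.lib.inNixShell then drv.env else drv
+EOF
+
+cat > /etc/nixos/api/api-service.nix << EOF
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+selfprivacy-api = pkgs.callPackage ./api-package.nix {};
+cfg = config.services.selfprivacy-api;
+directionArg = if cfg.direction == ""
+then ""
+else "--direction=\${cfg.direction}";
+in
+{
+options.services.selfprivacy-api = {
+enable = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enable SelfPrivacy API service
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+
+systemd.services.selfprivacy-api = {
+description = "API Server used to control system from the mobile application";
+environment = {
+PYTHONUNBUFFERED = "1";
+};
+path = [ "/var/" "/var/dkim/" ];
+after = [ "network-online.target" ];
+wantedBy = [ "network-online.target" ];
+serviceConfig = {
+User = "root";
+PrivateDevices = "true";
+ProtectKernelTunables = "true";
+ProtectKernelModules = "true";
+LockPersonality = "true";
+RestrictRealtime = "true";
+SystemCallFilter = "@system-service @network-io @signal";
+SystemCallErrorNumber = "EPERM";
+ExecStart = "\${selfprivacy-api}/bin/main.py";
+Restart = "always";
+RestartSec = "5";
+};
+};
+};
+}
 EOF
 
 [[ -n "$doNetConf" ]] && makeNetworkingConf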
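Review bot: In the generated api-service.nix the unit runs the API as `User = "root"`, even though api.nix in the same hunk creates a dedicated `selfprivacy-api` user and group and the tmpfiles rule in the earlier hunk already gives `/var/domain` to that user, so a control endpoint reachable over the network keeps full privileges and the surrounding PrivateDevices/ProtectKernel*/SystemCallFilter directives do not limit capabilities, writable paths or privilege escalation. Unless a specific operation needs root, change the unit to `User = "selfprivacy-api"; Group = "selfprivacy-api"; NoNewPrivileges = true;` and grant the rest through group membership (the `opendkim` membership is already there) or `ReadWritePaths`; if root is genuinely required, at least add `ProtectSystem = "strict"`, `ProtectHome = true` and a `CapabilityBoundingSet`. api.nix sets `services.selfprivacy-api.enable = true`, but nothing visible in this commit imports `./api/api-service.nix`, where that option is declared, so unless it is pulled in elsewhere in the file the configuration will fail to evaluate with an undefined option. The `directionArg` binding reads `cfg.direction`, which no option declares and which is never used (laziness is what hides the error), so it should be removed or the option declared, and `wantedBy = [ "network-online.target" ]` should be `wantedBy = [ "multi-user.target" ]` with `wants = [ "network-online.target" ]` so the target pulls in the service rather than the reverse. The hunk sits inside `makeConf()`, whose body starts and ends outside it.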