SelfPrivacy/selfprivacy-nixos-infect
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect.git synced 2024-11-25 21:11:27 +00:00
Code Issues Projects Releases Wiki Activity

Backend version updated to 0.5.1

Browse source 
Reviewed-on: https://git.selfprivacy.org/ilchub/selfprivacy-nixos-infect/pulls/16
This commit is contained in:
Illia Chub 2021-07-30 12:28:18 +03:00
parent 671714adfc 1e382e7fac
commit aa1530c0bf
1 changed files with 40 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
nixos-infect Executable file → Normal file
View file

@ -42,12 +42,13 @@ makeConf() {
$network_import $network_import
$NIXOS_IMPORT $NIXOS_IMPORT
./files.nix ./files.nix
./users.nix
./mailserver/system/mailserver.nix ./mailserver/system/mailserver.nix
./mailserver/system/alps.nix ./mailserver/system/alps.nix
./vpn/ocserv.nix ./vpn/ocserv.nix
./api/api.nix ./api/api.nix
./api/api-module.nix ./api/api-module.nix
./social/pleroma-module.nix #./social/pleroma-module.nix
./social/pleroma.nix ./social/pleroma.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
./letsencrypt/resolve.nix ./letsencrypt/resolve.nix
@ -68,6 +69,7 @@ makeConf() {
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ]; allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 8443 ];
allowedUDPPorts = lib.mkForce [ 8443 ]; allowedUDPPorts = lib.mkForce [ 8443 ];
}; };
nameservers = [ "1.1.1.1" "1.0.0.1" ];
}; };
time.timeZone = "Europe/Uzhgorod"; time.timeZone = "Europe/Uzhgorod";
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
@ -92,7 +94,7 @@ makeConf() {
}; };
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
system.autoUpgrade.allowReboot = false; system.autoUpgrade.allowReboot = false;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-20.09-small; system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.05-small;
nix = { nix = {
optimise.automatic = true; optimise.automatic = true;
gc = { gc = {
@ -115,13 +117,6 @@ makeConf() {
enable = true; enable = true;
}; };
}; };
users.mutableUsers = false;
users.users = {
"$LUSER" = {
isNormalUser = true;
hashedPassword = "$HASHED_PASSWORD";
};
};
} }
EOF EOF
# If you rerun this later, be sure to prune the filesSystems attr # If you rerun this later, be sure to prune the filesSystems attr
@ -173,6 +168,23 @@ EOF
"f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}" "f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}"
]; ];
} }
EOF
cat > /etc/nixos/users.nix << EOF
{ pkgs, ... }:
{
users.mutableUsers = false;
users = {
users = {
#begin
"$LUSER" = {
isNormalUser = true;
hashedPassword = "$HASHED_PASSWORD";
};
#end
};
};
}
EOF EOF
cat > /etc/nixos/mailserver/system/mailserver.nix << EOF cat > /etc/nixos/mailserver/system/mailserver.nix << EOF
@ -181,10 +193,10 @@ EOF
imports = [ imports = [
(builtins.fetchTarball { (builtins.fetchTarball {
# Pick a commit from the branch you are interested in # Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/99f843de/nixos-mailserver-99f843de.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122/nixos-mailserver-5675b122.tar.gz";
# And set its hash # And set its hash
sha256 = "1af7phs8a2j26ywsm5mfhzvqmy0wdsph7ajs9s65c4r1bfq646fw"; sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
}) })
]; ];
@ -192,6 +204,13 @@ EOF
enablePAM = lib.mkForce true; enablePAM = lib.mkForce true;
showPAMFailure = lib.mkForce true; showPAMFailure = lib.mkForce true;
}; };
users.users = {
virtualMail = {
isNormalUser = false;
};
};
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "$DOMAIN"; fqdn = "$DOMAIN";
@ -303,6 +322,7 @@ EOF
}; };
users.users.restic = { users.users.restic = {
isNormalUser = false; isNormalUser = false;
isSystemUser = true;
}; };
environment.etc."restic/resticPasswd".text = '' environment.etc."restic/resticPasswd".text = ''
$PASSWORD $PASSWORD
@ -455,7 +475,7 @@ EOF
enable = true; enable = true;
user = "memcached"; user = "memcached";
listen = "127.0.0.1"; listen = "127.0.0.1";
port = "11211"; port = 11211;
maxMemory = 64; maxMemory = 64;
maxConnections = 1024; maxConnections = 1024;
}; };
@ -629,6 +649,7 @@ cat > /etc/nixos/api/api.nix << EOF
users.users."selfprivacy-api" = { users.users."selfprivacy-api" = {
isNormalUser = false; isNormalUser = false;
isSystemUser = true;
extraGroups = [ "opendkim" ]; extraGroups = [ "opendkim" ];
}; };
users.groups."selfprivacy-api" = { users.groups."selfprivacy-api" = {
@ -650,7 +671,7 @@ let
version = "1.0"; version = "1.0";
src = builtins.fetchGit { src = builtins.fetchGit {
url = "https://git.selfprivacy.org/ilchub/selfprivacy-rest-api.git"; url = "https://git.selfprivacy.org/ilchub/selfprivacy-rest-api.git";
rev = "d7a6b3ca12d936165a4fc1c6265a2dfc3fd6229e"; rev = "0980039a67c32a128a96ac73c98fc87aad64674b";
}; };
propagatedBuildInputs = [ flask flask-restful pandas ]; propagatedBuildInputs = [ flask flask-restful pandas ];
meta = { meta = {
@ -690,21 +711,16 @@ in
systemd.services.selfprivacy-api = { systemd.services.selfprivacy-api = {
description = "API Server used to control system from the mobile application"; description = "API Server used to control system from the mobile application";
environment = { environment = config.nix.envVars // {
inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root";
PYTHONUNBUFFERED = "1"; PYTHONUNBUFFERED = "1";
}; } // config.networking.proxy.envVars;
path = [ "/var/" "/var/dkim/" ]; path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "network-online.target" ]; wantedBy = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
User = "root"; User = "root";
PrivateDevices = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = "true";
LockPersonality = "true";
RestrictRealtime = "true";
SystemCallFilter = "@system-service @network-io @signal";
SystemCallErrorNumber = "EPERM";
ExecStart = "\${selfprivacy-api}/bin/main.py"; ExecStart = "\${selfprivacy-api}/bin/main.py";
Restart = "always"; Restart = "always";
RestartSec = "5"; RestartSec = "5";
@ -722,6 +738,7 @@ cat > /etc/nixos/vpn/ocserv.nix << EOF
}; };
users.users.ocserv = { users.users.ocserv = {
isNormalUser = false; isNormalUser = false;
isSystemUser = true;
extraGroups = [ "ocserv" "acmerecievers" ]; extraGroups = [ "ocserv" "acmerecievers" ];
}; };
services.ocserv = { services.ocserv = {