Made major improvements to DNS resolution process

Illia Chub 2021-02-02 04:48:20 +02:00
parent 7df10a99b4
commit f88bc0e6fe
1 changed files with 31 additions and 44 deletions


@ -78,15 +78,9 @@ makeConf() {
hostKeyAlgorithms = [ "ssh-ed25519" ]; hostKeyAlgorithms = [ "ssh-ed25519" ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
letsencrypt
mkpasswd
git git
wget wget
curl curl
restic
pwgen
tmux
sudo
python3 python3
] ++ (with python38Packages; [ ] ++ (with python38Packages; [
pip pip
@ -163,6 +157,12 @@ EOF
domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] '' domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
$DOMAIN $DOMAIN
''; '';
cloudflareCredentials = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
# Cloudflare API token used by Certbot
CF_API_KEY=$CF_TOKEN
CLOUDFLARE_DNS_API_TOKEN=$CF_TOKEN
CLOUDFLARE_ZONE_API_TOKEN=$CF_TOKEN
'';
in in
[ [
"d /var/restic 0660 restic - - -" "d /var/restic 0660 restic - - -"
@ -172,7 +172,7 @@ EOF
"f /var/restic/restic-repo-password 0660 restic - - \${resticPass}" "f /var/restic/restic-repo-password 0660 restic - - \${resticPass}"
"f /var/nextcloud-db-pass 0440 nextcloud nextcloud - \${nextcloudDBPass}" "f /var/nextcloud-db-pass 0440 nextcloud nextcloud - \${nextcloudDBPass}"
"f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - \${nextcloudAdminPass}" "f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - \${nextcloudAdminPass}"
"f /var/shadowsocks-password 0440 nobody nobody - \${shadowsocksPass}" "f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}"
]; ];
} }
EOF EOF
@ -235,7 +235,9 @@ EOF
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80. # down nginx and opens port 80.
certificateScheme = 3; certificateScheme = 1;
certificateFile = "/var/lib/acme/$DOMAIN/fullchain.pem";
keyFile = "/var/lib/acme/$DOMAIN/key.pem";
# Enable IMAP and POP3 # Enable IMAP and POP3
enableImap = true; enableImap = true;
@ -256,39 +258,18 @@ EOF
{ pkgs, ... }: { pkgs, ... }:
{ {
users.groups.acmerecievers = { users.groups.acmerecievers = {
members = [ "nginx" "dovecot2" "postfix" "virtualMail" "bitwarden_rs" "nextcloud" ]; members = [ "nginx" "dovecot2" "postfix" "virtualMail" "ocserv" ];
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
email = "$USER@$DOMAIN"; email = "$USER@$DOMAIN";
certs = { certs = {
"$DOMAIN" = { "$DOMAIN" = {
domain = "*.$DOMAIN";
extraDomainNames = [ "$DOMAIN" ];
group = "acmerecievers"; group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge"; dnsProvider = "cloudflare";
}; credentialsFile = "/var/cloudflareCredentials.ini";
"vpn.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
"git.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
"cloud.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
"password.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
"api.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
"meet.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
}; };
}; };
}; };
@ -358,15 +339,18 @@ EOF
virtualHosts = { virtualHosts = {
"$DOMAIN" = { "$DOMAIN" = {
enableACME = true; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
}; };
"vpn.$DOMAIN" = { "vpn.$DOMAIN" = {
enableACME = true; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
}; };
"git.$DOMAIN" = { "git.$DOMAIN" = {
enableACME = true; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
@ -379,8 +363,9 @@ proxy_headers_hash_bucket_size 128;
}; };
}; };
"cloud.$DOMAIN" = { "cloud.$DOMAIN" = {
enableACME = true; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
forceSSL = true; sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:80/"; proxyPass = "http://127.0.0.1:80/";
@ -392,7 +377,8 @@ proxy_headers_hash_bucket_size 128;
}; };
}; };
"password.$DOMAIN" = { "password.$DOMAIN" = {
enableACME = true; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true; forceSSL = true;
locations = { locations = {
"/" = { "/" = {
@ -405,8 +391,9 @@ proxy_headers_hash_bucket_size 128;
}; };
}; };
"api.$DOMAIN" = { "api.$DOMAIN" = {
enableACME = true; sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
forceSSL = true; sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:5050"; proxyPass = "http://127.0.0.1:5050";
@ -694,8 +681,8 @@ auth = "pam"
tcp-port = 8443 tcp-port = 8443
udp-port = 8443 udp-port = 8443
server-cert = /var/lib/acme/vpn.$DOMAIN/fullchain.pem server-cert = /var/lib/acme/$DOMAIN/fullchain.pem
server-key = /var/lib/acme/vpn.$DOMAIN/key.pem server-key = /var/lib/acme/$DOMAIN/key.pem
compression = true compression = true
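Review bot: The Cloudflare API token written by `"f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}"` is readable by every member of `acmerecievers`, which the same commit sets to nginx, dovecot2, postfix, virtualMail and ocserv, yet only the ACME client needs it; that group exists to share the issued certificate, not the issuer's credentials. A compromise of any of those daemons would yield a token that, judging by the `CLOUDFLARE_ZONE_API_TOKEN` name, can edit the whole zone and so re-issue certificates for `*.$DOMAIN` or redirect its DNS. I would restrict the file to the ACME service's own account, e.g. `"f /var/cloudflareCredentials.ini 0400 acme acme - \${cloudflareCredentials}"` (the user name depends on the NixOS release — confirm against `security.acme`), and keep `acmerecievers` only on the cert's `group` option. Note also that the heredoc embeds the token in the generated configuration, so it presumably lands in the world-readable Nix store like the other tmpfiles secrets already here; issuing the token scoped to DNS edit on this single zone limits the blast radius. The comment `# Cloudflare API token used by Certbot` is also misleading, since `security.acme` drives lego rather than certbot.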