Made major improvements to DNS resolution process
This commit is contained in:
parent
7df10a99b4
commit
f88bc0e6fe
75
nixos-infect
75
nixos-infect
|
@ -78,15 +78,9 @@ makeConf() {
|
||||||
hostKeyAlgorithms = [ "ssh-ed25519" ];
|
hostKeyAlgorithms = [ "ssh-ed25519" ];
|
||||||
};
|
};
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
letsencrypt
|
|
||||||
mkpasswd
|
|
||||||
git
|
git
|
||||||
wget
|
wget
|
||||||
curl
|
curl
|
||||||
restic
|
|
||||||
pwgen
|
|
||||||
tmux
|
|
||||||
sudo
|
|
||||||
python3
|
python3
|
||||||
] ++ (with python38Packages; [
|
] ++ (with python38Packages; [
|
||||||
pip
|
pip
|
||||||
|
@ -163,6 +157,12 @@ EOF
|
||||||
domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
|
domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
|
||||||
$DOMAIN
|
$DOMAIN
|
||||||
'';
|
'';
|
||||||
|
cloudflareCredentials = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
|
||||||
|
# Cloudflare API token used by Certbot
|
||||||
|
CF_API_KEY=$CF_TOKEN
|
||||||
|
CLOUDFLARE_DNS_API_TOKEN=$CF_TOKEN
|
||||||
|
CLOUDFLARE_ZONE_API_TOKEN=$CF_TOKEN
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
[
|
[
|
||||||
"d /var/restic 0660 restic - - -"
|
"d /var/restic 0660 restic - - -"
|
||||||
|
@ -172,7 +172,7 @@ EOF
|
||||||
"f /var/restic/restic-repo-password 0660 restic - - \${resticPass}"
|
"f /var/restic/restic-repo-password 0660 restic - - \${resticPass}"
|
||||||
"f /var/nextcloud-db-pass 0440 nextcloud nextcloud - \${nextcloudDBPass}"
|
"f /var/nextcloud-db-pass 0440 nextcloud nextcloud - \${nextcloudDBPass}"
|
||||||
"f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - \${nextcloudAdminPass}"
|
"f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - \${nextcloudAdminPass}"
|
||||||
"f /var/shadowsocks-password 0440 nobody nobody - \${shadowsocksPass}"
|
"f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - \${cloudflareCredentials}"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
@ -235,7 +235,9 @@ EOF
|
||||||
|
|
||||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||||
# down nginx and opens port 80.
|
# down nginx and opens port 80.
|
||||||
certificateScheme = 3;
|
certificateScheme = 1;
|
||||||
|
certificateFile = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
|
keyFile = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
|
|
||||||
# Enable IMAP and POP3
|
# Enable IMAP and POP3
|
||||||
enableImap = true;
|
enableImap = true;
|
||||||
|
@ -256,39 +258,18 @@ EOF
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
users.groups.acmerecievers = {
|
users.groups.acmerecievers = {
|
||||||
members = [ "nginx" "dovecot2" "postfix" "virtualMail" "bitwarden_rs" "nextcloud" ];
|
members = [ "nginx" "dovecot2" "postfix" "virtualMail" "ocserv" ];
|
||||||
};
|
};
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
email = "$USER@$DOMAIN";
|
email = "$USER@$DOMAIN";
|
||||||
certs = {
|
certs = {
|
||||||
"$DOMAIN" = {
|
"$DOMAIN" = {
|
||||||
|
domain = "*.$DOMAIN";
|
||||||
|
extraDomainNames = [ "$DOMAIN" ];
|
||||||
group = "acmerecievers";
|
group = "acmerecievers";
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
dnsProvider = "cloudflare";
|
||||||
};
|
credentialsFile = "/var/cloudflareCredentials.ini";
|
||||||
"vpn.$DOMAIN" = {
|
|
||||||
group = "acmerecievers";
|
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
|
||||||
};
|
|
||||||
"git.$DOMAIN" = {
|
|
||||||
group = "acmerecievers";
|
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
|
||||||
};
|
|
||||||
"cloud.$DOMAIN" = {
|
|
||||||
group = "acmerecievers";
|
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
|
||||||
};
|
|
||||||
"password.$DOMAIN" = {
|
|
||||||
group = "acmerecievers";
|
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
|
||||||
};
|
|
||||||
"api.$DOMAIN" = {
|
|
||||||
group = "acmerecievers";
|
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
|
||||||
};
|
|
||||||
"meet.$DOMAIN" = {
|
|
||||||
group = "acmerecievers";
|
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -358,15 +339,18 @@ EOF
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
|
|
||||||
"$DOMAIN" = {
|
"$DOMAIN" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
"vpn.$DOMAIN" = {
|
"vpn.$DOMAIN" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
"git.$DOMAIN" = {
|
"git.$DOMAIN" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
@ -379,8 +363,9 @@ proxy_headers_hash_bucket_size 128;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"cloud.$DOMAIN" = {
|
"cloud.$DOMAIN" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
forceSSL = true;
|
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:80/";
|
proxyPass = "http://127.0.0.1:80/";
|
||||||
|
@ -392,7 +377,8 @@ proxy_headers_hash_bucket_size 128;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"password.$DOMAIN" = {
|
"password.$DOMAIN" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
|
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
@ -405,8 +391,9 @@ proxy_headers_hash_bucket_size 128;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"api.$DOMAIN" = {
|
"api.$DOMAIN" = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
|
||||||
forceSSL = true;
|
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
|
||||||
|
forceSSL = true;
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
proxyPass = "http://127.0.0.1:5050";
|
proxyPass = "http://127.0.0.1:5050";
|
||||||
|
@ -694,8 +681,8 @@ auth = "pam"
|
||||||
tcp-port = 8443
|
tcp-port = 8443
|
||||||
udp-port = 8443
|
udp-port = 8443
|
||||||
|
|
||||||
server-cert = /var/lib/acme/vpn.$DOMAIN/fullchain.pem
|
server-cert = /var/lib/acme/$DOMAIN/fullchain.pem
|
||||||
server-key = /var/lib/acme/vpn.$DOMAIN/key.pem
|
server-key = /var/lib/acme/$DOMAIN/key.pem
|
||||||
|
|
||||||
compression = true
|
compression = true
|
||||||
|
|
||||||
|
|
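Review bot: The new tmpfiles entry in the `@ -172,7 +172,7 @@` hunk writes the Cloudflare API token to `/var/cloudflareCredentials.ini` as `0440 nginx acmerecievers`, which makes the token readable by every member of that group (nginx, dovecot2, postfix, virtualMail, ocserv per the `users.groups.acmerecievers` hunk) although only the ACME client consumes it via `credentialsFile`. A compromise of any of those daemons would then expose a token that can rewrite the zone's DNS records, a far wider blast radius than the certificates the group was created to share. Restrict it to the ACME service user instead, e.g. `"f /var/cloudflareCredentials.ini 0400 acme acme - \${cloudflareCredentials}"` (NixOS `security.acme` runs as the `acme` user as far as I recall; confirm against the pinned nixpkgs). Note also that interpolating `\${cloudflareCredentials}` inline into the tmpfiles rule follows the pre-existing password entries, so the token text is embedded in the generated system configuration itself rather than read from a file outside it, and the comment `# Cloudflare API token used by Certbot` should name the client `security.acme` actually drives (lego, not certbot) so a later reader does not look for certbot configuration.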