Updated webhook config

This commit is contained in:
Illia Chub 2020-10-26 10:13:35 +02:00
parent daae6cc6da
commit 7b39daf74e


@ -2,151 +2,209 @@
{ {
nixpkgs.overlays = [(self: super: { nixpkgs.overlays = [(self: super: {
updateScript = pkgs.writeScriptBin "updateScript" '' updateScript = pkgs.writeScriptBin "updateScript" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
/run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --upgrade /run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --upgrade
''; '';
rollbackScript = pkgs.writeScriptBin "rollbackScript" '' rollbackScript = pkgs.writeScriptBin "rollbackScript" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
/run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --rollback /run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --rollback
''; '';
applyConfigScript = pkgs.writeScriptBin "applyConfigScript" '' applyConfigScript = pkgs.writeScriptBin "applyConfigScript" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
/run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch /run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
''; '';
setupConfigsScript = pkgs.writeScriptBin "setupConfigsScript" '' setupConfigsScript = pkgs.writeScriptBin "setupConfigsScript" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
export DOMAIN=$1 export DOMAIN=$1
export USER=$2 export USER=$2
export PASSWORD=$3 export PASSWORD=$3
${pkgs.wget}/bin/wget https://bitbucket.org/ilchub/serverdata/raw/b297b4026794c5420da97d7d06a393a5bf7e0819/configuration.nix ${pkgs.wget}/bin/wget https://bitbucket.org/ilchub/serverdata/raw/b297b4026794c5420da97d7d06a393a5bf7e0819/configuration.nix
${pkgs.wget}/bin/wget https://bitbucket.org/ilchub/serverdata/raw/b297b4026794c5420da97d7d06a393a5bf7e0819/mailserver.nix ${pkgs.wget}/bin/wget https://bitbucket.org/ilchub/serverdata/raw/b297b4026794c5420da97d7d06a393a5bf7e0819/mailserver.nix
${pkgs.wget}/bin/wget https://bitbucket.org/ilchub/serverdata/raw/b297b4026794c5420da97d7d06a393a5bf7e0819/restic.nix ${pkgs.wget}/bin/wget https://bitbucket.org/ilchub/serverdata/raw/b297b4026794c5420da97d7d06a393a5bf7e0819/restic.nix
sed -i '17s/.*/ fqdn = "'"$DOMAIN"'";/' mailserver.nix #Mailserver
sed -i '18s/.*/ domains = [ "'"$DOMAIN"'" ];/' mailserver.nix sed -i '17s/.*/ fqdn = "'"$DOMAIN"'";/' mailserver.nix
sed -i '23s/.*/\t"'"$USER"'@'"$DOMAIN"'" = {/' mailserver.nix sed -i '18s/.*/ domains = [ "'"$DOMAIN"'" ];/' mailserver.nix
sed -i "24s,.*,\t\ hashedPassword = \"$PASSWORD\";," mailserver.nix sed -i '23s/.*/\t"'"$USER"'@'"$DOMAIN"'" = {/' mailserver.nix
sed -i '33s/.*/\t\t"'"$DOMAIN"'"/' mailserver.nix sed -i "24s,.*,\t\ hashedPassword = \"$PASSWORD\";," mailserver.nix
sed -i '50s/.*/\t "admin@'"$DOMAIN"'" = "'"$USER"'@'"$DOMAIN"'";/' mailserver.nix sed -i '33s/.*/\t\t"'"$DOMAIN"'"/' mailserver.nix
sed -i '72s/.*/ email = "'"$USER"'@'"$DOMAIN"'";/' mailserver.nix sed -i '50s/.*/\t "admin@'"$DOMAIN"'" = "'"$USER"'@'"$DOMAIN"'";/' mailserver.nix
sed -i '72s/.*/ email = "'"$USER"'@'"$DOMAIN"'";/' mailserver.nix
# System Configuration # System Configuration
sed -i "16s,.*,\t\"$sshKey\"," configuration.nix sed -i "16s,.*,\t\"$sshKey\"," configuration.nix
# Restic # OpenConnect
#sed -i '14s/.*/\t\tEnvironment = [ "AWS_ACCESS_KEY_ID='"$AWS_TOKEN_ID"'" "AWS_SECRET_ACCESS_KEY='"$AWS_TOKEN"'" ];/' restic.nix
#sed -i "17s,.*,\t restic -r s3:s3.amazonaws.com/$AWS_BUCKET_NAME backup /var/vmail /var/vmail ," restic.nix
#FIXME: Give access to system environment sed -i '25s/.*/server-cert = /etc/letsencrypt/live/$DOMAIN/cert.pem/' ocserv.nix
#cp configuration.nix /etc/nixos/configuration.nix sed -i '26s/.*/server-key = /etc/letsencrypt/live/$DOMAIN/privkey.pem/' ocserv.nix
#cp mailserver.nix /etc/nixos/mailserver.nix sed -i '28s/.*/default-domain = $DOMAIN/' ocserv.nix
#cp restic.nix /etc/nixos/restic.nix sed -i '137s/.*/[vhost:$DOMAIN]/' ocserv.nix
sed -i '140s/.*/server-cert = /etc/letsencrypt/live/$DOMAIN/cert.pem/' ocserv.nix
sed -i '141s/.*/server-key = /etc/letsencrypt/live/$DOMAIN/privkey.pem/' ocserv.nix
sed -i '146s/.*/route = $machineip/255.255.255.255/' ocserv.nix
#rm configuration.nix # ACME
#rm mailserver.nix sed -i '8s/.*/ email = "'"$USER"'@'"$DOMAIN"'";/' acme.nix
#rm restic.nix sed -i '9s/.*/ certs."'"$DOMAIN"'" = {/' acme.nix
/run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
#FIXME: Give access to system environment
#cp configuration.nix /etc/nixos/configuration.nix
#cp mailserver.nix /etc/nixos/mailserver/mailserver.nix
#cp restic.nix /etc/nixos/backup/restic.nix
/run/wrappers/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
''; '';
getDKIMScript = pkgs.writeScriptBin "getDKIMScript" '' getDKIMScript = pkgs.writeScriptBin "getDKIMScript" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
'';
createUserScript = pkgs.writeScriptBin "createUserScript" ''
#!${pkgs.stdenv.shell}
export dkim=$( cat "$1".selector.txt ) ${pkgs.shadow}/bin/useradd -m $1
''; '';
createBackupScript = pkgs.writeScriptBin "createBackupScript" ''
#!${pkgs.stdenv.shell}
${pkgs.restic}/bin/restic -r /srv/restic-repo backup ~/work
'';
restoreBackupScript = pkgs.writeScriptBin "restoreBackupScript" ''
#!${pkgs.stdenv.shell}
${pkgs.restic}/bin/restic -r $1 restore $2 --target $3
'';
webhook-server = self.callPackage ../packages/webhook-server.nix {};
})]; })];
environment.etc."webhook_server.yml".text = ''
domain: "ilchub.net"
port: 8080
workers: 4
webhooks:
-
name: 'ls'
command: '${pkgs.applyConfigScript}/bin/applyConfigScript'
cwd: '/tmp'
'';
environment.etc."webhook.conf".text = '' environment.etc."webhook.conf".text = ''
[ [
{ {
"id": "update", "id": "update",
"execute-command": "${pkgs.updateScript}/bin/updateScript", "execute-command": "${pkgs.updateScript}/bin/updateScript",
"command-working-directory": "/tmp", "command-working-directory": "/tmp",
"response-message": "Updating system..." "response-message": "Updating system..."
}, },
{ {
"id": "rollback", "id": "rollback",
"execute-command": "${pkgs.rollbackScript}/bin/rollbackScript", "execute-command": "${pkgs.rollbackScript}/bin/rollbackScript",
"command-working-directory": "/tmp" "command-working-directory": "/tmp"
}, },
{ {
"id": "apply", "id": "apply",
"execute-command": "${pkgs.applyConfigScript}/bin/applyConfigScript", "execute-command": "${pkgs.applyConfigScript}/bin/applyConfigScript",
"command-working-directory": "/tmp" "command-working-directory": "/tmp"
}, },
{ {
"id": "setupConfigs", "id": "setupConfigs",
"execute-command": "${pkgs.setupConfigsScript}/bin/setupConfigsScript", "execute-command": "${pkgs.setupConfigsScript}/bin/setupConfigsScript",
"command-working-directory": "/tmp", "command-working-directory": "/tmp",
"pass-arguments-to-command": "pass-arguments-to-command":
[ [
{
"source": "header",
"name": "X-Domain"
},
{
"source": "header",
"name": "X-User"
},
{
"source": "header",
"name": "X-Password"
}
],
"trigger-rule":
{ {
"and": "source": "header",
[ "name": "X-Domain"
"match": },
{ {
"type": "value", "source": "header",
"value": "blahblah", "name": "X-User"
"parameter": },
{ {
"source": "header", "source": "header",
"name": "X-Signature" "name": "X-Password"
}
}
]
} }
} ],
"trigger-rule":
{ {
"id": "getdkim", "and":
"execute-command": "${getDKIMScript}/bin/getDKIMScript",
"command-working-directory": "/var/dkim",
"pass-arguments-to-command":
[ [
"match":
{ {
"source": "header", "type": "value",
"name": "X-Domain" "value": "eemioqu5ohgu9eif6ahzo0shaiqu0caezaj0feel0quahp5u",
} "parameter":
], {
"response-headers": "source": "header",
[ "name": "X-Signature"
{ }
"name": "DKIM-Signature",
"value": "{{ getenv "dkim" }}"
} }
] ]
} }
] },
'';
{
"id": "getDKIM",
"execute-command": "${pkgs.getDKIMScript}/bin/getDKIMScript",
"command-working-directory": "/var/dkim",
"pass-arguments-to-command":
[
{
"source": "header",
"name": "X-Domain"
}
],
"response-message": "Getting DKIM key",
"response-headers":
[
{
"name": "X-DKIM",
"value": "${config.environment.variables.dkim}"
}
]
},
{
"id": "createUser",
"execute-command": "${pkgs.createUserScript}/bin/createUserScript",
"command-working-directory": "/tmp",
"pass-arguments-to-command":
[
{
"source": "header",
"name": "X-User"
}
]
},
{
"id": "restoreBackup",
"execute-command": "${pkgs.restoreBackupScript}/bin/restoreBackupScript",
"command-working-directory": "/tmp"
}
]
'';
users.users.webhook = { users.users.webhook = {
isNormalUser = false; isNormalUser = false;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
}; };
users.users.rswebhook = {
isNormalUser = false;
extraGroups = [ "wheel" ];
};
systemd.services.webhook = { systemd.services.webhook = {
path = with pkgs; [ path = with pkgs; [
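Review bot: The new `getDKIM`, `createUser` and `restoreBackup` hooks carry no `trigger-rule`, so any client that can reach the listener runs `useradd -m $1` or `restic … restore` as the `webhook` user, which this hunk also leaves in `wheel`; the only authenticated hook, `setupConfigs`, compares `X-Signature` with a `type: value` rule against a secret that is committed here and, via `environment.etc`, lands in the world-readable Nix store, so every hook should get a rule and the secret should move out of the store into a file the service reads (a `payload-hmac-sha256`-style rule over the body would also stop replay of a static header). The ocserv edits (`sed -i '25s/.*/server-cert = /etc/letsencrypt/live/$DOMAIN/cert.pem/' ocserv.nix` and the five lines like it) are single-quoted, so `$DOMAIN` and `$machineip` are never expanded, and the unescaped `/` in the replacement makes `sed` reject the expression; use double quotes and another delimiter, e.g. `sed -i "25s|.*|server-cert = /etc/letsencrypt/live/$DOMAIN/cert.pem|" ocserv.nix`. Nothing in the hunk fetches `ocserv.nix` or `acme.nix` (the `wget` lines download only `configuration.nix`, `mailserver.nix` and `restic.nix`), so unless they are retrieved elsewhere these `sed` calls run against missing files. The `X-User` and `X-Password` header values are spliced unquoted into `sed` and `useradd`, so a value containing the delimiter, a newline or shell metacharacters alters the generated config or the command line; quote `"$1"` and reject anything outside an expected character set before use.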
@ -155,11 +213,26 @@
sudo sudo
git git
wget wget
restic
shadow
]; ];
enable = true; enable = true;
serviceConfig = { serviceConfig = {
User = "webhook"; User = "webhook";
ExecStart = "${pkgs.webhook}/bin/webhook -hooks /etc/webhook.conf -secure -cert /var/lib/acme/ilchub.net/fullchain.pem -key /var/lib/acme/ilchub.net/key.pem -verbose"; ExecStart = "${pkgs.webhook}/bin/webhook -hooks /etc/webhook.conf -verbose";
};
};
systemd.services.webhook-server = {
path = with pkgs; [
man
config.nix.package.out
sudo
];
enable = true;
serviceConfig = {
User = "rswebhook";
ExecStart = "${pkgs.webhook-server}/bin/webhookserver";
}; };
}; };
} }
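Review bot: The new `ExecStart` for the `webhook` service (`${pkgs.webhook}/bin/webhook -hooks /etc/webhook.conf -verbose`) drops the `-secure -cert … -key …` flags, so the listener now serves plain HTTP while the `setupConfigs` hook in the previous hunk still receives `X-Password` and `X-Signature` as request headers; those values cross the network in cleartext unless TLS is terminated in front of it. If a reverse proxy is the intent, pin the listener to it with `-ip 127.0.0.1` and say so in a comment on the service; otherwise restore the `-secure -cert … -key …` flags. The new `rswebhook` user joins the existing `webhook` user in `wheel`, which is far broader than the `sudo … nixos-rebuild switch` the scripts actually invoke; a `security.sudo.extraRules` entry limited to that command for these users keeps the hooks working with less privilege. `webhook-server` is started with no config argument, so whether it reads the `/etc/webhook_server.yml` written in the previous hunk cannot be seen here; a comment on the service naming the file it loads would settle that.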