-rw-r--r--system/impermanence/default.nix2
-rw-r--r--system/impermanence/mods/etebase-server.nix10
-rw-r--r--system/secrets/default.nix5
-rw-r--r--system/secrets/etebase-server/passwd.tix17
-rw-r--r--system/secrets/secrets.nix1
-rw-r--r--system/services/default.nix1
-rw-r--r--system/services/etebase/default.nix33
7 files changed, 69 insertions, 0 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index f42c084..3c923d8 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -2,6 +2,8 @@
   # TODO: Only activate them if their module is also active
   imports = [
     ./mods/acme.nix
+    ./mods/etebase-server.nix
+    ./mods/fail2ban.nix
     ./mods/mail.nix
     ./mods/mastodon.nix
     ./mods/matrix.nix
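Review bot: The added `./mods/fail2ban.nix` import has no matching file among the seven files this commit touches, so it either refers to a module that already exists and was never imported, or to a file that is missing. In the second case evaluation of `system/impermanence/default.nix` fails on the import. Confirm that `system/impermanence/mods/fail2ban.nix` is in the tree, and consider moving this line to its own commit since it is unrelated to the etebase change. The `imports` list continues outside the hunk.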
diff --git a/system/impermanence/mods/etebase-server.nix b/system/impermanence/mods/etebase-server.nix
new file mode 100644
index 0000000..cfe5a39
--- /dev/null
+++ b/system/impermanence/mods/etebase-server.nix
@@ -0,0 +1,10 @@
+{...}: {
+  environment.persistence."/srv".directories = [
+    {
+      directory = "/var/lib/etebase-server";
+      user = "etebase-server";
+      group = "etebase-server";
+      mode = "0700";
+    }
+  ];
+}
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 658679b..1e3ce84 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -13,6 +13,11 @@
         owner = "matrix-synapse";
         group = "matrix-synapse";
       };
+      etebase-server = {
+        file = ./etebase-server/passwd.tix;
+        mode = "700";
+        owner = "etebase-server";
+        group = "etebase-server";
       invidiousHmac = {
         file = ./invidious/hmac.tix;
         mode = "700";
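Review bot: The new `etebase-server` attribute set is never closed. The hunk adds five lines ending at `group = "etebase-server";` and the next line is already `invidiousHmac = {`, so `invidiousHmac` ends up nested inside it and the braces of the file no longer balance. Add `};` after the `group` line. Separately, this secret only needs to be read by its owner, so `mode = "0400";` would be tighter than `"700"`; the neighbouring entries use the same value, so that may be better handled as a follow-up across the file. The enclosing attribute set starts and ends outside the hunk.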
diff --git a/system/secrets/etebase-server/passwd.tix b/system/secrets/etebase-server/passwd.tix
new file mode 100644
index 0000000..8d8e3c2
--- /dev/null
+++ b/system/secrets/etebase-server/passwd.tix
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UiswNDhQNWpsaFZUQTdY
+U3F2TFlrSzhMbmRBWEIyTGQ2VGVramdPTDI4CjRGSnlqUm5rWWJ2Vk5neE56azdt
+WitpbXlPWngxSGtEalBKWkRZdHF5QjQKLT4gWDI1NTE5IDRSSW1jcHhocjBIM0tM
+ZjRxNUhZWkhkd1c5aVlucTMxTTVhSHRIMHMyU0EKbWlQZ0xKRXUvOWluSkZQRWdp
+UjNMQWR3MHNwbUVYbm4vSGJQOGtrb2ZxVQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+SEpCY1JWZm5yMG1lL3QwUERPVUFqRWo5ZVJEb1JqNGVLS3pXVkhaYk1SYwpjb3dW
+UWcrMkdmYTlvckFOYmsvcGwvY1dvc1oxY1FaY2p4eURCK3BIR044Ci0+ICgreWhl
+KG9RLWdyZWFzZSAobEpLXVEgNVA3IGQKekx5YVFkeFRBUlJiUis2cFVyWlBPNncK
+LS0tIFJxa0hDZUIyYm5uYlhiZjRnNHRLNTRrRW01d1hCL2dCZnByL1M2SkFyQXMK
+gsR7erKGQrBhXlcnR73PbnC+PzOQlsBOg6a6DosGyixbnEgZ4DfyeK5Ep1oPB81Q
+zcS9AV7h+8NlpmVM4G+0JCIC8I3TTCEQyOPwiu+GVXr4GYy/3stg+pK1htkt2V2M
+WraPl//K3kvFln1KRt5lbsVXLX8SYZS4UJDzK25oJElwdNuqXHqwMkTmXjEgnbvS
+pjgaNak5ooxHiZfCtzismLx5iL+P/+oohegUPvW16fQTq/eKp3mIjeBZmrWNnTuL
+/xlhk0vp0+jS3+TqgGWSwAAqoCp/+TewUZ9f+GhU0/pkU3HP4+tx35rKN2wxerQj
+nMbQ8SphigUeMpc501oDRw6X5ZAasoww
+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
index 411f92e..29904ab 100644
--- a/system/secrets/secrets.nix
+++ b/system/secrets/secrets.nix
@@ -12,6 +12,7 @@ let
 in {
   "keycloak/passwd.tix".publicKeys = allSecrets;
   "matrix-synapse/passwd.tix".publicKeys = allSecrets;
+  "etebase-server/passwd.tix".publicKeys = allSecrets;
   "invidious/hmac.tix".publicKeys = allSecrets;
   "invidious/settings.tix".publicKeys = allSecrets;
   "miniflux/admin.tix".publicKeys = allSecrets;
diff --git a/system/services/default.nix b/system/services/default.nix
index 9998e43..e269dbc 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,5 +1,6 @@
 {...}: {
   imports = [
+    ./etebase
     ./fail2ban
     ./invidious
     ./keycloak
diff --git a/system/services/etebase/default.nix b/system/services/etebase/default.nix
new file mode 100644
index 0000000..58d8b4b
--- /dev/null
+++ b/system/services/etebase/default.nix
@@ -0,0 +1,33 @@
+{config, ...}: {
+  services.etebase-server = {
+    enable = true;
+    port = 8001;
+    settings = {
+      global.secret_file = "${config.age.secrets.etebase-server.path}";
+      allowed_hosts.allowed_host1 = "localhost";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "dav.vhack.eu" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8001";
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $server_name;
+          '';
+        };
+      };
+    };
+  };
+}
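Review bot: `allowed_hosts.allowed_host1 = "localhost"` does not match the Host header that nginx forwards: the location sets `proxy_set_header Host $host;`, so the backend sees `dav.vhack.eu`, which an allowed-hosts check would presumably reject. Set `allowed_hosts.allowed_host1 = "dav.vhack.eu";` rather than loosening the proxy header. The four `proxy_set_header` lines in `extraConfig` also look redundant with `recommendedProxySettings = true`, which already sets these headers, so the block can likely be dropped. It is also worth confirming that the service listens only on loopback, or that port 8001 stays closed in the firewall, since TLS is terminated in nginx and the upstream hop is plain HTTP.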