-rw-r--r-- | system/impermanence/default.nix | 2 | ||||
-rw-r--r-- | system/impermanence/mods/etebase-server.nix | 10 | ||||
-rw-r--r-- | system/secrets/default.nix | 5 | ||||
-rw-r--r-- | system/secrets/etebase-server/passwd.tix | 17 | ||||
-rw-r--r-- | system/secrets/secrets.nix | 1 | ||||
-rw-r--r-- | system/services/default.nix | 1 | ||||
-rw-r--r-- | system/services/etebase/default.nix | 33 |
7 files changed, 69 insertions, 0 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index f42c084..3c923d8 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -2,6 +2,8 @@
 # TODO: Only activate them if their module is also active
 imports = [
 ./mods/acme.nix
+ ./mods/etebase-server.nix
+ ./mods/fail2ban.nix
 ./mods/mail.nix
 ./mods/mastodon.nix
 ./mods/matrix.nix
diff --git a/system/impermanence/mods/etebase-server.nix b/system/impermanence/mods/etebase-server.nix
new file mode 100644
index 0000000..cfe5a39
--- /dev/null
+++ b/system/impermanence/mods/etebase-server.nix
@@ -0,0 +1,10 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/etebase-server";
+ user = "etebase-server";
+ group = "etebase-server";
+ mode = "0700";
+ }
+ ];
+}
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 658679b..1e3ce84 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -13,6 +13,11 @@
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
+ etebase-server = {
+ file = ./etebase-server/passwd.tix;
+ mode = "700";
+ owner = "etebase-server";
+ group = "etebase-server";
 invidiousHmac = {
 file = ./invidious/hmac.tix;
 mode = "700";
diff --git a/system/secrets/etebase-server/passwd.tix b/system/secrets/etebase-server/passwd.tix
new file mode 100644
index 0000000..8d8e3c2
--- /dev/null
+++ b/system/secrets/etebase-server/passwd.tix
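Review bot: The import list in system/impermanence/default.nix gains `./mods/fail2ban.nix` next to `./mods/etebase-server.nix`, but the diffstat lists no system/impermanence/mods/fail2ban.nix among the seven changed files. If that module is not already in the tree, evaluation fails on the missing path; if it is, the line is an unrelated change that would be easier to audit in its own commit. The `imports` list continues outside the hunk.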
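Review bot: The added `etebase-server = {` entry in system/secrets/default.nix is never closed: the five added lines end at `group = "etebase-server";` and the next context line is already `invidiousHmac = {`, so a `};` is missing after the group line and the braces of the file no longer balance. Separately, `mode = "700"` grants owner-execute on a file that only has to be read by the service; `mode = "0400"` would be the least-privilege value, although the neighbouring entries use 700 as well. The enclosing attribute set starts and ends outside the hunk.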
@@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UiswNDhQNWpsaFZUQTdY +U3F2TFlrSzhMbmRBWEIyTGQ2VGVramdPTDI4CjRGSnlqUm5rWWJ2Vk5neE56azdt +WitpbXlPWngxSGtEalBKWkRZdHF5QjQKLT4gWDI1NTE5IDRSSW1jcHhocjBIM0tM +ZjRxNUhZWkhkd1c5aVlucTMxTTVhSHRIMHMyU0EKbWlQZ0xKRXUvOWluSkZQRWdp +UjNMQWR3MHNwbUVYbm4vSGJQOGtrb2ZxVQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +SEpCY1JWZm5yMG1lL3QwUERPVUFqRWo5ZVJEb1JqNGVLS3pXVkhaYk1SYwpjb3dW +UWcrMkdmYTlvckFOYmsvcGwvY1dvc1oxY1FaY2p4eURCK3BIR044Ci0+ICgreWhl +KG9RLWdyZWFzZSAobEpLXVEgNVA3IGQKekx5YVFkeFRBUlJiUis2cFVyWlBPNncK +LS0tIFJxa0hDZUIyYm5uYlhiZjRnNHRLNTRrRW01d1hCL2dCZnByL1M2SkFyQXMK +gsR7erKGQrBhXlcnR73PbnC+PzOQlsBOg6a6DosGyixbnEgZ4DfyeK5Ep1oPB81Q +zcS9AV7h+8NlpmVM4G+0JCIC8I3TTCEQyOPwiu+GVXr4GYy/3stg+pK1htkt2V2M +WraPl//K3kvFln1KRt5lbsVXLX8SYZS4UJDzK25oJElwdNuqXHqwMkTmXjEgnbvS +pjgaNak5ooxHiZfCtzismLx5iL+P/+oohegUPvW16fQTq/eKp3mIjeBZmrWNnTuL +/xlhk0vp0+jS3+TqgGWSwAAqoCp/+TewUZ9f+GhU0/pkU3HP4+tx35rKN2wxerQj +nMbQ8SphigUeMpc501oDRw6X5ZAasoww +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 411f92e..29904ab 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -12,6 +12,7 @@ let in { "keycloak/passwd.tix".publicKeys = allSecrets; "matrix-synapse/passwd.tix".publicKeys = allSecrets; + "etebase-server/passwd.tix".publicKeys = allSecrets; "invidious/hmac.tix".publicKeys = allSecrets; "invidious/settings.tix".publicKeys = allSecrets; "miniflux/admin.tix".publicKeys = allSecrets; diff --git a/system/services/default.nix b/system/services/default.nix index 9998e43..e269dbc 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,5 +1,6 @@ {...}: { imports = [ + ./etebase ./fail2ban ./invidious ./keycloak diff --git a/system/services/etebase/default.nix b/system/services/etebase/default.nix new file mode 100644 index 0000000..58d8b4b --- /dev/null +++ b/system/services/etebase/default.nix 
@@ -0,0 +1,33 @@
+{config, ...}: {
+ services.etebase-server = {
+ enable = true;
+ port = 8001;
+ settings = {
+ global.secret_file = "${config.age.secrets.etebase-server.path}";
+ allowed_hosts.allowed_host1 = "localhost";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "dav.vhack.eu" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8001";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ '';
+ };
+ };
+ };
+ };
+} |
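Review bot: `allowed_hosts.allowed_host1 = "localhost"` does not match the Host header the proxy forwards: the `dav.vhack.eu` location sets `proxy_set_header Host $host;`, so the backend sees `dav.vhack.eu` and its host validation will presumably reject the request. Setting `allowed_hosts.allowed_host1 = "dav.vhack.eu";` keeps the allow-list as narrow as the one name that is actually served. The four `proxy_set_header` lines in `extraConfig` also appear to repeat what `recommendedProxySettings = true` already emits, which can send duplicated forwarding headers upstream; dropping the `extraConfig` block would avoid that. The hunk shows no listen address for port 8001, so it is worth confirming the service binds to loopback only and is reachable solely through nginx.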