From c33889e7e53386204dae25b1eed6b36aaf006b21 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Thu, 13 Jun 2024 15:34:09 +0200
Subject: refactor(modules/etesync): Move to a complete module
---
hosts/server1/configuration.nix | 1 +
modules/nixos/vhack/default.nix | 1 +
modules/nixos/vhack/etesync/default.nix | 72 +++++++++++++++++++++++++++++
modules/nixos/vhack/etesync/secret_file.age | 17 +++++++
secrets.nix | 23 +++++++++
system/impermanence/default.nix | 1 -
system/impermanence/mods/etebase-server.nix | 10 ----
system/secrets/default.nix | 6 ---
system/secrets/etebase-server/passwd.age | 17 -------
system/secrets/secrets.nix | 23 ---------
system/services/default.nix | 1 -
system/services/etebase/default.nix | 45 ------------------
12 files changed, 114 insertions(+), 103 deletions(-)
create mode 100644 modules/nixos/vhack/etesync/default.nix
create mode 100644 modules/nixos/vhack/etesync/secret_file.age
create mode 100644 secrets.nix
delete mode 100644 system/impermanence/mods/etebase-server.nix
delete mode 100644 system/secrets/etebase-server/passwd.age
delete mode 100644 system/secrets/secrets.nix
delete mode 100644 system/services/etebase/default.nix
diff --git a/hosts/server1/configuration.nix b/hosts/server1/configuration.nix
index 59dda92..78a9c4b 100644
--- a/hosts/server1/configuration.nix
+++ b/hosts/server1/configuration.nix
@@ -8,6 +8,7 @@
 vhack = {
 git-server.enable = true;
+ etesync.enable = true;
 };
 boot.tmp.cleanOnBoot = true;
diff --git a/modules/nixos/vhack/default.nix b/modules/nixos/vhack/default.nix
index b6abcc1..06a4e69 100644
--- a/modules/nixos/vhack/default.nix
+++ b/modules/nixos/vhack/default.nix
@@ -1,5 +1,6 @@
 {...}: {
 imports = [
+ ./etesync
 ./git-server
 ];
 }
diff --git a/modules/nixos/vhack/etesync/default.nix b/modules/nixos/vhack/etesync/default.nix
new file mode 100644
index 0000000..0f6c565
--- /dev/null
+++ b/modules/nixos/vhack/etesync/default.nix
@@ -0,0 +1,72 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.etesync;
+in {
+ options.vhack.etesync = {
+ enable = lib.mkEnableOption ''
+ a secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
+ '';
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.etebase-server = {
+ enable = true;
+ port = 8001;
+ settings = {
+ global.secret_file = "${config.age.secrets.etebase-server.path}";
+ allowed_hosts = {
+ allowed_host1 = "etebase.vhack.eu";
+ allowed_host2 = "dav.vhack.eu";
+ };
+ };
+ };
+
+ age.secrets.etebase-server = {
+ file = ./secret_file.age;
+ mode = "700";
+ owner = "etebase-server";
+ group = "etebase-server";
+ };
+
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/etebase-server";
+ user = "etebase-server";
+ group = "etebase-server";
+ mode = "0700";
+ }
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "etebase.vhack.eu" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations = {
+ # TODO: Maybe fix permissions to use pregenerated static files which would
+ # improve performance.
+ #"/static" = {
+ # root = config.services.etebase-server.settings.global.static_root;
+ #};
+ "/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
+ };
+ };
+ serverAliases = [
+ "dav.vhack.eu"
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/vhack/etesync/secret_file.age b/modules/nixos/vhack/etesync/secret_file.age
new file mode 100644
index 0000000..8d8e3c2
--- /dev/null
+++ b/modules/nixos/vhack/etesync/secret_file.age
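Review bot: The nginx location proxies to `127.0.0.1:8001`, but the `services.etebase-server` block never sets `host`, so whether the plaintext uvicorn listener is also reachable on non-loopback interfaces depends on the NixOS module's default bind address (which, as far as I recall, is not loopback-only) and on firewall state; pinning `host = "127.0.0.1";` next to `port = 8001;` keeps the unencrypted backend behind the TLS proxy regardless of either. The carried-over `age.secrets.etebase-server.mode = "700"` sets the execute bit on a secret that is only ever read; `mode = "0400";` is the least privilege that still works for `owner = "etebase-server"`. As a matter of style, now that this is a module with an `enable` option, the domain, alias and port are still hard-coded three times (`allowed_hosts`, the virtualHost name, `serverAliases`); a `lib.mkOption` for the domain and aliases would let all three be derived from one value.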
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UiswNDhQNWpsaFZUQTdY
+U3F2TFlrSzhMbmRBWEIyTGQ2VGVramdPTDI4CjRGSnlqUm5rWWJ2Vk5neE56azdt
+WitpbXlPWngxSGtEalBKWkRZdHF5QjQKLT4gWDI1NTE5IDRSSW1jcHhocjBIM0tM
+ZjRxNUhZWkhkd1c5aVlucTMxTTVhSHRIMHMyU0EKbWlQZ0xKRXUvOWluSkZQRWdp
+UjNMQWR3MHNwbUVYbm4vSGJQOGtrb2ZxVQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+SEpCY1JWZm5yMG1lL3QwUERPVUFqRWo5ZVJEb1JqNGVLS3pXVkhaYk1SYwpjb3dW
+UWcrMkdmYTlvckFOYmsvcGwvY1dvc1oxY1FaY2p4eURCK3BIR044Ci0+ICgreWhl
+KG9RLWdyZWFzZSAobEpLXVEgNVA3IGQKekx5YVFkeFRBUlJiUis2cFVyWlBPNncK
+LS0tIFJxa0hDZUIyYm5uYlhiZjRnNHRLNTRrRW01d1hCL2dCZnByL1M2SkFyQXMK
+gsR7erKGQrBhXlcnR73PbnC+PzOQlsBOg6a6DosGyixbnEgZ4DfyeK5Ep1oPB81Q
+zcS9AV7h+8NlpmVM4G+0JCIC8I3TTCEQyOPwiu+GVXr4GYy/3stg+pK1htkt2V2M
+WraPl//K3kvFln1KRt5lbsVXLX8SYZS4UJDzK25oJElwdNuqXHqwMkTmXjEgnbvS
+pjgaNak5ooxHiZfCtzismLx5iL+P/+oohegUPvW16fQTq/eKp3mIjeBZmrWNnTuL
+/xlhk0vp0+jS3+TqgGWSwAAqoCp/+TewUZ9f+GhU0/pkU3HP4+tx35rKN2wxerQj
+nMbQ8SphigUeMpc501oDRw6X5ZAasoww
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..5f1ff73
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,23 @@
+let
+ soispha = "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn";
+ sils = "age1vuhaey7kd9l76y6f9weeqmde3s4kjw38869ju6u3027yece2r3rqssjxst";
+
+ server1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnqsfIZjelH7rcvFvnLR5zUZuC8thsBupBlvjcMRBUm";
+
+ allSecrets = [
+ soispha
+ sils
+ server1
+ ];
+in {
+ "./modules/nixos/vhack/etesync/secret_file.age".publicKeys = allSecrets;
+ "./system/secrets/backup/backuppass.age".publicKeys = allSecrets;
+ "./system/secrets/backup/backupssh.age".publicKeys = allSecrets;
+ "./system/secrets/invidious/hmac.age".publicKeys = allSecrets;
+ "./system/secrets/invidious/settings.age".publicKeys = allSecrets;
+ "./system/secrets/mastodon/mail.age".publicKeys = allSecrets;
+ "./system/secrets/matrix-synapse/passwd.age".publicKeys = allSecrets;
+ "./system/secrets/miniflux/admin.age".publicKeys = allSecrets;
+ "./system/secrets/taskserver/ca.age".publicKeys = allSecrets;
+ "./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = allSecrets;
+}
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index dd363ae..f42c084 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -2,7 +2,6 @@
 # TODO: Only activate them if their module is also active
 imports = [
 ./mods/acme.nix
- ./mods/etebase-server.nix
 ./mods/mail.nix
 ./mods/mastodon.nix
 ./mods/matrix.nix
diff --git a/system/impermanence/mods/etebase-server.nix b/system/impermanence/mods/etebase-server.nix
deleted file mode 100644
index cfe5a39..0000000
--- a/system/impermanence/mods/etebase-server.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/etebase-server";
- user = "etebase-server";
- group = "etebase-server";
- mode = "0700";
- }
- ];
-}
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 1656cec..b74e883 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -1,12 +1,6 @@
 {...}: {
 age = {
 secrets = {
- etebase-server = {
- file = ./etebase-server/passwd.age;
- mode = "700";
- owner = "etebase-server";
- group = "etebase-server";
- };
 invidiousHmac = {
 file = ./invidious/hmac.age;
 mode = "700";
diff --git a/system/secrets/etebase-server/passwd.age b/system/secrets/etebase-server/passwd.age
deleted file mode 100644
index 8d8e3c2..0000000
--- a/system/secrets/etebase-server/passwd.age
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UiswNDhQNWpsaFZUQTdY
-U3F2TFlrSzhMbmRBWEIyTGQ2VGVramdPTDI4CjRGSnlqUm5rWWJ2Vk5neE56azdt
-WitpbXlPWngxSGtEalBKWkRZdHF5QjQKLT4gWDI1NTE5IDRSSW1jcHhocjBIM0tM
-ZjRxNUhZWkhkd1c5aVlucTMxTTVhSHRIMHMyU0EKbWlQZ0xKRXUvOWluSkZQRWdp
-UjNMQWR3MHNwbUVYbm4vSGJQOGtrb2ZxVQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
-SEpCY1JWZm5yMG1lL3QwUERPVUFqRWo5ZVJEb1JqNGVLS3pXVkhaYk1SYwpjb3dW
-UWcrMkdmYTlvckFOYmsvcGwvY1dvc1oxY1FaY2p4eURCK3BIR044Ci0+ICgreWhl
-KG9RLWdyZWFzZSAobEpLXVEgNVA3IGQKekx5YVFkeFRBUlJiUis2cFVyWlBPNncK
-LS0tIFJxa0hDZUIyYm5uYlhiZjRnNHRLNTRrRW01d1hCL2dCZnByL1M2SkFyQXMK
-gsR7erKGQrBhXlcnR73PbnC+PzOQlsBOg6a6DosGyixbnEgZ4DfyeK5Ep1oPB81Q
-zcS9AV7h+8NlpmVM4G+0JCIC8I3TTCEQyOPwiu+GVXr4GYy/3stg+pK1htkt2V2M
-WraPl//K3kvFln1KRt5lbsVXLX8SYZS4UJDzK25oJElwdNuqXHqwMkTmXjEgnbvS
-pjgaNak5ooxHiZfCtzismLx5iL+P/+oohegUPvW16fQTq/eKp3mIjeBZmrWNnTuL
-/xlhk0vp0+jS3+TqgGWSwAAqoCp/+TewUZ9f+GhU0/pkU3HP4+tx35rKN2wxerQj
-nMbQ8SphigUeMpc501oDRw6X5ZAasoww
------END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
deleted file mode 100644
index 21558e3..0000000
--- a/system/secrets/secrets.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-let
- soispha = "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn";
- sils = "age1vuhaey7kd9l76y6f9weeqmde3s4kjw38869ju6u3027yece2r3rqssjxst";
-
- server1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnqsfIZjelH7rcvFvnLR5zUZuC8thsBupBlvjcMRBUm";
-
- allSecrets = [
- soispha
- sils
- server1
- ];
-in {
- "backup/backuppass.age".publicKeys = allSecrets;
- "backup/backupssh.age".publicKeys = allSecrets;
- "etebase-server/passwd.age".publicKeys = allSecrets;
- "invidious/hmac.age".publicKeys = allSecrets;
- "invidious/settings.age".publicKeys = allSecrets;
- "mastodon/mail.age".publicKeys = allSecrets;
- "matrix-synapse/passwd.age".publicKeys = allSecrets;
- "miniflux/admin.age".publicKeys = allSecrets;
- "taskserver/ca.age".publicKeys = allSecrets;
- "taskserver/systemd_tmpfiles.age".publicKeys = allSecrets;
-}
diff --git a/system/services/default.nix b/system/services/default.nix
index eab92d9..8b8151a 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,5 @@
 {...}: {
 imports = [
- ./etebase
 ./fail2ban
 ./invidious
 ./invidious-router
diff --git a/system/services/etebase/default.nix b/system/services/etebase/default.nix
deleted file mode 100644
index 5d0284f..0000000
--- a/system/services/etebase/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- config,
- ...
-}: {
- services.etebase-server = {
- enable = true;
- port = 8001;
- settings = {
- global.secret_file = "${config.age.secrets.etebase-server.path}";
- allowed_hosts = {
- allowed_host1 = "etebase.vhack.eu";
- allowed_host2 = "dav.vhack.eu";
- };
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
-
- virtualHosts = {
- "etebase.vhack.eu" = {
- enableACME = true;
- forceSSL = true;
-
- locations = {
- # TODO: Maybe fix permissions to use pregenerated static files which would
- # improve performance.
- #"/static" = {
- # root = config.services.etebase-server.settings.global.static_root;
- #};
- "/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
- };
- };
- serverAliases = [
- "dav.vhack.eu"
- ];
- };
- };
- };
-}
--
cgit 1.4.1