From 7fe499ee1ff7ecd88b4ecfc96b200ed2704468a7 Mon Sep 17 00:00:00 2001 From: Soispha Date: Thu, 27 Jul 2023 09:45:30 +0200 Subject: Feat(system/services/matrix/bridges): Add mautrix-whatsapp bridge --- .../services/matrix/bridges/mautrix-whatsapp.nix | 149 +++++++++++++++++++++ system/services/matrix/default.nix | 27 ++++ 2 files changed, 176 insertions(+) create mode 100644 system/services/matrix/bridges/mautrix-whatsapp.nix (limited to 'system/services') diff --git a/system/services/matrix/bridges/mautrix-whatsapp.nix b/system/services/matrix/bridges/mautrix-whatsapp.nix new file mode 100644 index 0000000..1c68af9 --- /dev/null +++ b/system/services/matrix/bridges/mautrix-whatsapp.nix 
@@ -0,0 +1,149 @@ +# TAKEN FROM: https://raw.githubusercontent.com/Vskilet/nixpkgs/mautrix-whatsapp2/nixos/modules/services/matrix/mautrix-whatsapp.nix +{ + lib, + config, + pkgs, + ... +}: +with lib; let + cfg = config.services.mautrix-whatsapp; + dataDir = "/var/lib/mautrix-whatsapp"; + settingsFormat = pkgs.formats.json {}; + + registrationFile = "${dataDir}/whatsapp-registration.yaml"; + settingsFile = settingsFormat.generate "config.json" cfg.settings; + + startupScript = '' + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0]' ${settingsFile} ${registrationFile} \ + > ${dataDir}/config.yml + + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --config='${dataDir}/config.yml' \ + --registration='${registrationFile}' + ''; +in { + options.services.mautrix-whatsapp = { + enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp."; + + settings = mkOption rec { + apply = recursiveUpdate default; + inherit (settingsFormat) type; + + description = lib.mdDoc '' + {file}`config.yaml` configuration as a Nix attribute set. + Configuration options should match those described in + [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml). 
+ ''; + default = { + homeserver = { + domain = config.services.matrix-synapse.settings.server_name; + }; + appservice = { + address = "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "sqlite3"; + uri = "${dataDir}/mautrix-whatsapp.db"; + }; + id = "whatsapp"; + bot = { + username = "whatsappbot"; + displayname = "WhatsApp Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "whatsapp_{{.}}"; + displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}"; + command_prefix = "!wa"; + permissions."*" = "relay"; + }; + relay = { + enabled = true; + management = "!whatsappbot:${toString config.services.matrix-synapse.settings.server_name}"; + }; + logging = { + directory = "${dataDir}/logs"; + file_name_format = "{{.Date}}-{{.Index}}.log"; + file_date_format = "2006-01-02"; + file_mode = 0384; + timestamp_format = "Jan _2, 2006 15:04:05"; + print_level = "info"; + }; + }; + example = { + settings = { + homeserver.address = "https://matrix.myhomeserver.org"; + bridge.permissions = { + "@admin:myhomeserver.org" = "admin"; + }; + }; + }; + }; + + serviceDependencies = mkOption { + type = with types; listOf str; + default = optional config.services.matrix-synapse.enable "matrix-synapse.service"; + defaultText = literalExpression '' + optional config.services.matrix-synapse.enable "matrix-synapse.service" + ''; + description = lib.mdDoc '' + List of Systemd services to require and wait for when starting the application service. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.mautrix-whatsapp = { + description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; + + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"] ++ cfg.serviceDependencies; + after = ["network-online.target"] ++ cfg.serviceDependencies; + + preStart = '' + # generate the appservice's registration file if absent + if [ ! 
-f '${registrationFile}' ]; then + ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + ''; + + script = startupScript; + + serviceConfig = { + Type = "simple"; + #DynamicUser = true; + PrivateTmp = true; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = "${dataDir}"; + + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + User = "mautrix-whatsapp"; + Group = "matrix-synapse"; + SupplementaryGroups = "matrix-synapse"; + UMask = 0027; + Restart = "always"; + }; + }; + + users.groups.mautrix-whatsapp = {}; + users.users.mautrix-whatsapp = { + isSystemUser = true; + group = "mautrix-whatsapp"; + home = dataDir; + }; + services.matrix-synapse.settings.app_service_config_files = ["${registrationFile}"]; + }; +} diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix index 62345a7..5fe9e9b 100644 --- a/system/services/matrix/default.nix +++ b/system/services/matrix/default.nix @@ -12,6 +12,10 @@ return 200 '${builtins.toJSON data}'; ''; in { + imports = [ + ./bridges/mautrix-whatsapp.nix + ]; + networking.firewall.allowedTCPPorts = [80 443]; services.postgresql.enable = true; 
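Review bot: `hostname = "0.0.0.0"` in the module's appservice defaults makes the bridge listen on every interface, while `address = "http://localhost:29318"` shows that its only client, synapse, reaches it over loopback; `hostname = "127.0.0.1";` keeps the unauthenticated appservice port off the network regardless of what the host firewall allows. `UMask = 0027;` in `serviceConfig` is a Nix decimal integer (27) that systemd happens to re-parse as octal 027, so it is right by coincidence; the string form `UMask = "0027";` is the unambiguous spelling. The `TAKEN FROM` comment points at a branch of a nixpkgs fork rather than a commit, so it is worth recording the exact revision copied, otherwise later fixes to the upstream module (including to these defaults) cannot be reconciled.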
@@ -52,6 +56,29 @@ in {
 };
 };
+ services.mautrix-whatsapp = {
+ enable = true;
+ settings = {
+ appservice = {
+ database = {
+ type = "postgres";
+ uri = "postgres:///dbname?host=/var/run/postgresql";
+ };
+ whatsapp = {
+ # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
+ # This also determints the whatsapp icon
+ browser_name = "unknown";
+ };
+ };
+ homeserver.address = "https://matrix.vhack.eu";
+ bridge.permissions = {
+ "@soispha:vhack.eu" = "admin";
+ "@sils:vhack.eu" = "admin";
+ "@nightingale:vhack.eu" = "admin";
+ };
+ };
+ };
+
 services.matrix-synapse = {
 enable = true;
 dataDir = "/var/lib/matrix";
-- cgit 1.4.1
From 30c0434571c975892dc09a65aaa8f3fd066017a9 Mon Sep 17 00:00:00 2001 From: Soispha Date: Thu, 27 Jul 2023 10:05:20 +0200 Subject: Fix(system/services/matrix/bridges/m-wa): Correct postgresql uri --- system/services/matrix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/services')
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index 5fe9e9b..b0219ef 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -62,7 +62,7 @@ in {
 appservice = {
 database = {
 type = "postgres";
- uri = "postgres:///dbname?host=/var/run/postgresql";
+ uri = "postgres:///matrix-synapse?host=/run/postgresql";
 };
 whatsapp = {
 # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
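Review bot: The `bridge.permissions` set here is merged into the module defaults by `apply = recursiveUpdate default`, so the vendored default `permissions."*" = "relay"` stays in effect and every Matrix user who can reach this homeserver, federated ones included, keeps relay-level access to the bridge alongside the three admins listed. If that is not intended, the `"*"` entry has to go from the module default (a site config cannot remove a key through `recursiveUpdate`), and the allowed users or domain should be listed explicitly here, e.g. `"vhack.eu" = "user";` (confirm the permission levels against the bridge version in use). A one-line comment next to the admin list stating whether open relay access is deliberate would also stop the next reader from having to trace the merge.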
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix index b0219ef..ed3b567 100644 --- a/system/services/matrix/default.nix +++ b/system/services/matrix/default.nix @@ -20,11 +20,19 @@ in { services.postgresql.enable = true; services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + --Matrix: CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; + + --Whatsapp-bridge: + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; ''; services.nginx = { @@ -62,7 +70,7 @@ in { appservice = { database = { type = "postgres"; - uri = "postgres:///matrix-synapse?host=/run/postgresql"; + uri = "postgres:///mautrix-whatsapp?host=/run/postgresql"; }; whatsapp = { # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list. -- cgit 1.4.1 From fe5da037e82d3344d4fec5d4c1bf0d9286237ac0 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 28 Jul 2023 11:43:19 +0200 Subject: Fix(system/services/mail): Update mail users --- system/services/mail/users.nix | Bin 716 -> 954 bytes 1 file changed, 0 insertions(+), 0 deletions(-) (limited to 'system/services') diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 60f41a9..9bc6749 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ -- cgit 1.4.1 From 2b766df421b359b2d2cd10c32f3fa04611b22999 Mon Sep 17 00:00:00 2001 
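Review bot: `CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';` writes a guessable plaintext credential into a `pkgs.writeText` derivation, i.e. into the world-readable Nix store, and the bridge does not need it: the `uri` in the second hunk connects through the `/run/postgresql` socket as the `mautrix-whatsapp` service user, where NixOS's default `services.postgresql.authentication` uses peer authentication (verify against this host's setting). If password authentication is enabled for TCP on localhost, any local process can log in as that role with this password; the existing `'synapse'` password on the context line has the same problem. `CREATE ROLE "mautrix-whatsapp" WITH LOGIN;` is sufficient for socket access, or use `services.postgresql.ensureUsers` and `ensureDatabases`, which are applied on every start, whereas `initialScript` runs only when the cluster is first initialised and will not create this role on an already-deployed host.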
From: Soispha Date: Fri, 28 Jul 2023 17:57:10 +0200 Subject: Refactor(system/services/nginx): Reduce encrypted stuff to a minimum --- system/services/nginx/default.nix | 40 ++++++++++++++++++++++++++++++++++---- system/services/nginx/hosts.nix | Bin 976 -> 298 bytes 2 files changed, 36 insertions(+), 4 deletions(-) (limited to 'system/services') diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix index 404c167..8544475 100644 --- a/system/services/nginx/default.nix +++ b/system/services/nginx/default.nix @@ -1,7 +1,33 @@ -{...}: { - imports = [ - ./hosts.nix - ]; +{...}: let + domains = import ./hosts.nix {}; + mkVirtHost = { + domain, + root, + url, + }: { + name = "${domain}"; + value = { + forceSSL = true; + enableACME = true; + root = "${root}"; + }; + }; + + mkNixSyncRepository = { + domain, + root, + url, + }: { + name = "${domain}"; + value = { + path = "${root}"; + uri = "${url}"; + }; + }; + + virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains); + nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains); +in { security.acme = { acceptTerms = true; defaults = { @@ -15,5 +41,11 @@ }; services.nginx = { enable = true; + virtualHosts = virtHosts; + }; + + services.nix-sync = { + enable = true; + repositories = nixSyncRepositories; }; } diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 1590756..b209b69 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From a3eed534642ac3bd367ce16925d5d8ebd182fecf Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 28 Jul 2023 18:07:28 +0200 Subject: Feat(system/services/mail/users): Add mailusers --- system/services/mail/users.nix | Bin 954 -> 1136 bytes 1 file changed, 0 insertions(+), 0 deletions(-) (limited to 'system/services') 
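Review bot: `name = "${domain}";`, `root = "${root}";`, `path = "${root}";` and `uri = "${url}";` wrap values in string interpolation for no effect when they are already strings; `name = domain;` says the same thing, and it also avoids a surprise if an entry in hosts.nix ever uses a path literal for `root`, because `"${root}"` would then copy that directory into the Nix store and point nginx at the copy. `mkVirtHost` and `mkNixSyncRepository` both destructure `{domain, root, url}` without `...`, so every entry in hosts.nix must carry exactly those three attributes even though each function ignores one of them; hosts.nix is binary in this diff, so the entry shape cannot be checked here. If that strictness is intended, a one-line comment saying so would help; otherwise add `...` to both patterns.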
diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 9bc6749..0b8952a 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ -- cgit 1.4.1 From 8350b2ebe1f8da0a54c13a2b1c6e50fc77f2367d Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 28 Jul 2023 18:13:31 +0200 Subject: Fix(treewide): Use correct function argument specification --- system/services/mail/users.nix | Bin 1136 -> 1138 bytes system/services/nginx/hosts.nix | Bin 298 -> 300 bytes 2 files changed, 0 insertions(+), 0 deletions(-) (limited to 'system/services') diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index 0b8952a..a30d547 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index b209b69..3abd841 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From 81bf11240f8a254fe311c72d96adbcacb12d124b Mon Sep 17 00:00:00 2001 From: Soispha Date: Mon, 31 Jul 2023 18:16:29 +0200 Subject: Feat(system/services/nginx/hosts): Add another domain --- system/services/nginx/hosts.nix | Bin 300 -> 454 bytes 1 file changed, 0 insertions(+), 0 deletions(-) (limited to 'system/services') diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 3abd841..550c28f 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From 18aa0c5687d9b047b06ad00132d6881bce1a74a0 Mon Sep 17 00:00:00 2001 
From: Soispha Date: Mon, 31 Jul 2023 23:03:06 +0200 Subject: Fix(system/services/nix-sync): Make the timer relative to the unit start The timer before hand started `repo.interval` after it self was started, i.e., it was a oneshot timer. This change now fixes this by make the point the timer activates relative to the time elapsed, since the associated unit was last started. --- system/services/nix-sync/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/services')
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 44348c0..482c268 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -10,7 +10,7 @@
 description = "Nix sync ${name} timer";
 wantedBy = ["timers.target"];
 timerConfig = {
- OnActiveSec = repo.interval;
+ OnUnitActiveSec = repo.interval;
 };
 after = ["network-online.target"];
 };
-- cgit 1.4.1
From 8d9ef95d74fe58302b7fff945162beb01c3e6d33 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 1 Aug 2023 23:58:16 +0200 Subject: Fix(system/services/nix-sync): Rebase on pulls, to allow for force pushes As the nix-sync service should _never_ commit new stuff, this rebase should always be a fast-forward, i.e. it works without manual intervention. Without the rebase as argument, this services would break, when the history gets rewritten, for example on a amended commit. --- system/services/nix-sync/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/services')
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 482c268..cedbb91 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -37,7 +37,7 @@
 branch="$(git rev-parse @)";
 if ! [ "$origin" = "$branch" ]; then
- git pull;
+ git pull --rebase;
 out_paths=$(mktemp);
 nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
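Review bot: `OnUnitActiveSec = repo.interval;` counts from the last activation of the matching service, so with it as the only trigger the timer stays idle after boot until something else starts the service once; the commit's diagnosis of the old `OnActiveSec` line is right, but replacing it rather than complementing it drops the initial run. Keep an absolute trigger next to the new one, e.g. `OnBootSec = repo.interval;` together with `OnUnitActiveSec = repo.interval;`, so the first sync happens without manual intervention. The timer definition continues outside the hunk, so if the service is wanted by a target elsewhere this does not apply.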
@@ -66,7 +66,7 @@
 if ! [ -L ${esa repo.path} ]; then
 cd ${esa repoCachePath};
- git pull;
+ git pull --rebase;
 out_paths=$(mktemp);
 nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
-- cgit 1.4.1
From dfb847a3c9d3bdd73aa187e590c239f3531f5e07 Mon Sep 17 00:00:00 2001 From: Soispha Date: Mon, 31 Jul 2023 18:27:09 +0200 Subject: Fix(system/services/nix-sync): Remove timeout on build The unit had the potential to fail, if the build took longer than the default timeout. This is obviously not ideal, so the timeout was removed, as all nix builds should be safe enough not to devour resources. --- system/services/nix-sync/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'system/services')
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index cedbb91..8c466b8 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -88,6 +88,7 @@
 preStart = execStartPreScript;
 serviceConfig = {
+ TimeoutSec = 0;
 ExecStart = execStartScript;
 Restart = "on-abort"; # User and group
-- cgit 1.4.1
From 1256cabb7981cfed4bf02c70940c4553edc557a6 Mon Sep 17 00:00:00 2001 From: Soispha Date: Wed, 2 Aug 2023 14:19:21 +0200 Subject: Feat(system/services/snapper): Add --- system/services/default.nix | 1 + system/services/snapper/default.nix | 41 +++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 system/services/snapper/default.nix (limited to 'system/services')
diff --git a/system/services/default.nix b/system/services/default.nix
index 7bf26c3..8f5540f 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -10,5 +10,6 @@
 ./nix-sync
 ./openssh
 ./rust-motd
+ ./snapper
 ];
 }
diff --git a/system/services/snapper/default.nix b/system/services/snapper/default.nix
new file mode 100644
index 0000000..cdebf8d
--- /dev/null
+++ b/system/services/snapper/default.nix
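Review bot: `TimeoutSec = 0;` disables the stop timeout as well as the start timeout (systemd's `TimeoutSec=` sets both `TimeoutStartSec=` and `TimeoutStopSec=`), so a nix-sync unit that hangs while stopping can block a shutdown or a `nixos-rebuild switch` indefinitely, which is more than the commit's stated goal of letting the build outlast the default. `TimeoutStartSec = 0;` covers a long `nix build` in `preStart` or `ExecStart` while keeping the stop timeout at its default. Whether the build runs in the pre-start or the start script is outside this hunk, but both are covered by the start timeout.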
@@ -0,0 +1,41 @@ +{...}: { + services.snapper = { + configs = { + srv = { + SUBVOLUME = "/srv"; + FSTYPE = "btrfs"; + # users and groups allowed to work with config + ALLOW_GROUPS = ["wheel"]; + + # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots + # directory + SYNC_ACL = true; + + # run daily number cleanup + NUMBER_CLEANUP = false; + + # limit for number cleanup + NUMBER_MIN_AGE = 1800; + NUMBER_LIMIT = 50; + NUMBER_LIMIT_IMPORTANT = 10; + + # create hourly snapshots + TIMELINE_CREATE = true; + + # cleanup hourly snapshots after some time + TIMELINE_CLEANUP = true; + + # limits for timeline cleanup + TIMELINE_MIN_AGE = 1800; + TIMELINE_LIMIT_HOURLY = 7; + TIMELINE_LIMIT_DAILY = 3; + TIMELINE_LIMIT_WEEKLY = 2; + TIMELINE_LIMIT_MONTHLY = 2; + TIMELINE_LIMIT_YEARLY = 2; + + # cleanup empty pre-post-pairs + EMPTY_PRE_POST_CLEANUP = true; + }; + }; + }; +} -- cgit 1.4.1 From 317575461a640ddc601751741bc6da92a3edb867 Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 7 Aug 2023 12:40:14 +0200 Subject: Feat(system): Add invidious --- system/secrets/default.nix | 12 ++++++++++++ system/secrets/invidious/passwd.tix | 16 ++++++++++++++++ system/secrets/invidious/settings.tix | 14 ++++++++++++++ system/secrets/secrets.nix | 2 ++ system/services/default.nix | 1 + system/services/invidious/default.nix | 12 ++++++++++++ 6 files changed, 57 insertions(+) create mode 100644 system/secrets/invidious/passwd.tix create mode 100644 system/secrets/invidious/settings.tix create mode 100644 system/services/invidious/default.nix (limited to 'system/services') diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 5cd401c..515c3e7 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix 
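Review bot: `NUMBER_CLEANUP = false;` sits directly under the comment `# run daily number cleanup` and makes the following `NUMBER_MIN_AGE`, `NUMBER_LIMIT` and `NUMBER_LIMIT_IMPORTANT` inert, because snapper only applies those limits when number cleanup runs; as written, the config reads as if numbered snapshots of `/srv` were capped at 50 when they are in fact kept indefinitely. Either set `NUMBER_CLEANUP = true;` or change the comment to `# number cleanup is deliberately off; manual and pre/post snapshots are never pruned` and drop the three unused limits. A short comment on why `wheel` is the only group allowed to manage this config would round out the otherwise well-annotated block.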
@@ -13,6 +13,18 @@ owner = "matrix-synapse"; group = "matrix-synapse"; }; + invidious = { + file = ./invidious/passwd.tix; + mode = "700"; + owner = "invidious"; + group = "invidious"; + }; + invidiousSettings = { + file = ./invidious/settings.tix; + mode = "700"; + owner = "invidious"; + group = "invidious"; + }; }; }; } diff --git a/system/secrets/invidious/passwd.tix b/system/secrets/invidious/passwd.tix new file mode 100644 index 0000000..beaee32 --- /dev/null +++ b/system/secrets/invidious/passwd.tix @@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeHpwZFZEWXc0cGxZZ2dV +WDkvUmVFWXE5azZ1VlREM090bWJ6elgxR3hFCmhnNkhWZWVqdmxEcUJVTnFZaGw1 +YnVOYmpYOGd5YU1EaDlmc0ZrNk0zT0EKLT4gWDI1NTE5IEwyL1ptVzJ2bUdvSW1n +TzNod1BKZHQ3YXhUMkl5ZzRiT2Y3aUt0NGw4RVUKWTF3ampTMG1DYTBYTFcwNEp6 +bkFWbGl6WEVCcVdhQnVWY0piQ1VHMzk0SQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +TnFGVkQxTndPZ1l4c2J5dzNmT1YrZ0dQYytIMmtxaTN2Y01uZFdXOThqWQo2TDkv +MUJzc3BON1JwbGN3OW44WWZ5WUxWdWU2UnpJczVYVHBsdUFmdllJCi0+IHg5YmFB +eS1ncmVhc2UgYl9hXWlgIC5fIGpLaU1wWiN4ICczCkVmOHRibWptbDBxOS9Ic1VC +L0tFQXo5Sk45TDFlQlB5bnFleUF0dFlMSmdvd2dmUlZ3Ci0tLSBIN0MvMEduQVlR +bDVTQUxvZjB2TTljdjZkbGphN1l1QnZESWNZUjZzd1dVCmCWuxwFj1FyTEFasr8X +apyuQkXs6Cvfx82qMvwE1G4SLOEulJjVp/VDcICQ8RE8BE0HJGRjG64FqdtbHY2K +tPMADqfz/jt7kbXKSwB6zOHE9VNcTrGl+mx2Ki8HUG8GElj+hE2m0cWdGijcsGVW +lo2HKPa7F/d9vBUC9sLYo8U5VrnIRhBN1s4ECfAa4vj2RSsCZePCHkJMH7qFPGuC +PZST +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix new file mode 100644 index 0000000..fe80a7d --- /dev/null +++ b/system/secrets/invidious/settings.tix 
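Review bot: `mode = "700";` on the `invidious` and `invidiousSettings` secrets sets the execute bit on files that are only ever read; agenix deploys them as regular files, so `mode = "400";` (or `"440"` if a group must read them) grants exactly what the service needs. The same `"700"` is carried into the later `invidiousHmac` entry in the refactor commit, where the file ends up root-owned and is read by systemd through `LoadCredential`, so read-only for root is sufficient there too. The `services/default.nix` and `secrets.nix` hunks in this commit are plain list additions and need no change.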
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNzBJNXhlcGVJWk1nZERp +QXJrSEtxY2tyY0FwZnN6ZFB6dGVxZVVsdWtjCjI5cE85ZHhoRVBqcjdZaG9BWFJK +b09GblVERUZsR2ZPaW9aU1NCc25GM00KLT4gWDI1NTE5IHZwL3YraVBBVXVFVmpR +TENiaFoxdTJhUCtWcEFkU0ptaERpbEl1aGw3M00KWUozUTZxYm4rclN6L1IrTi9k +eEF0dVlYVEVNTnZ4Y0tUU0hwV2U0bXVCSQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +QkpGQ1RkVWhNQTFyMS9qRGYrT2s2djJHMEI0eFI5R3ZMVlRsa1JoMXIwawpRVG5z +TnZWMWhQSGxlL0VnUng1N0QvbTFuNS9WZmhnK3ZnVTdoMmtsejVJCi0+IDJNPHpY +LWdyZWFzZSBdVyBYZ3s8IG8ve0ByIHlrIkZkMwo4bmJOZU5yd3loSDlURWorZ0VZ +bWF2dHdLNkQ1ZUx5STZSa3dibVRsTCtQekdKWCtYNWlOR3BVQm5MRmQ2Z085Cmkw +OGhJU2kzR21MNk1OdkpHY29Gc21rNEh6VEZKWGkyCi0tLSBSemVvc2hlSnEyYUVM +UXRPSWtrd1hEcWtVTm95dzVFU085Y09adlFwYnhFCrbJEjFMSSaKqhW2GwuRilaw +N3U8GF22F10XHXyg+8csPFOpowRdS7ZBS52leGe/ve7oiVO5SBd3v7yWXa6ZInxo +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 11c0655..194ed3c 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -12,4 +12,6 @@ let in { "keycloak/passwd.tix".publicKeys = allSecrets; "matrix-synapse/passwd.tix".publicKeys = allSecrets; + "invidious/passwd.tix".publicKeys = allSecrets; + "invidious/settings.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 8f5540f..6c2670d 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,7 @@ {...}: { imports = [ ./fail2ban + ./invidious ./keycloak ./mail ./matrix diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix new file mode 100644 index 0000000..50a32e8 --- /dev/null +++ b/system/services/invidious/default.nix 
@@ -0,0 +1,12 @@ +{config, ...}: { + services.invidious = { + enable = true; + database = { + createLocally = true; + passwordFile = "${config.age.secrets.invidious.path}"; + }; + domain = "invidious.vhack.eu"; + nginx.enable = true; + extraSettingsFile = "${config.age.secrets.invidiousSettings.path}"; + }; +} -- cgit 1.4.1 From 704232eab7b89ec235bdc9978eb6f35a30258060 Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 7 Aug 2023 12:47:13 +0200 Subject: Fix(system/services/invidious): Specifiy database host --- system/services/invidious/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'system/services') diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index 50a32e8..fd10eec 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix @@ -4,6 +4,7 @@ database = { createLocally = true; passwordFile = "${config.age.secrets.invidious.path}"; + host = "localhost"; }; domain = "invidious.vhack.eu"; nginx.enable = true; -- cgit 1.4.1 From 96857910fa87e996945bc3f2e5b6f4ef4a6166ea Mon Sep 17 00:00:00 2001 From: sils Date: Mon, 7 Aug 2023 13:04:27 +0200 Subject: Fix(system): Binary substitution for debugging --- system/secrets/default.nix | 6 +++--- system/services/invidious/default.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'system/services') diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 515c3e7..3b8029f 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -21,9 +21,9 @@ }; invidiousSettings = { file = ./invidious/settings.tix; - mode = "700"; - owner = "invidious"; - group = "invidious"; + #mode = "700"; + #owner = "invidious"; + #group = "invidious"; }; }; }; diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index fd10eec..d03dee4 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix 
@@ -3,8 +3,8 @@ enable = true; database = { createLocally = true; - passwordFile = "${config.age.secrets.invidious.path}"; - host = "localhost"; + #passwordFile = "${config.age.secrets.invidious.path}"; + #host = "localhost"; }; domain = "invidious.vhack.eu"; nginx.enable = true; -- cgit 1.4.1 From 320cc252c1e59de8fed8993b3a527839bc0963a6 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 09:28:16 +0200 Subject: Refactor(system/secrets/invidious): Remove unneeded files and improve names --- system/secrets/default.nix | 10 ++-------- system/secrets/invidious/hmac.tix | 14 ++++++++++++++ system/secrets/invidious/passwd.tix | 16 ---------------- system/secrets/invidious/settings.tix | 14 -------------- system/services/invidious/default.nix | 4 +--- 5 files changed, 17 insertions(+), 41 deletions(-) create mode 100644 system/secrets/invidious/hmac.tix delete mode 100644 system/secrets/invidious/passwd.tix delete mode 100644 system/secrets/invidious/settings.tix (limited to 'system/services') diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 345354c..2269672 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -13,15 +13,9 @@ owner = "matrix-synapse"; group = "matrix-synapse"; }; - invidious = { - file = ./invidious/passwd.tix; + invidiousHmac = { + file = ./invidious/hmac.tix; mode = "700"; - owner = "invidious"; - group = "invidious"; - }; - invidiousSettings = { - file = ./invidious/settings.tix; - mode = "744"; owner = "root"; group = "root"; }; diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix new file mode 100644 index 0000000..f760fa9 --- /dev/null +++ b/system/secrets/invidious/hmac.tix 
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds +dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t +dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ +bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw +ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv +T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa +aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv +S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t +LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc +N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx +aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/invidious/passwd.tix b/system/secrets/invidious/passwd.tix deleted file mode 100644 index beaee32..0000000 --- a/system/secrets/invidious/passwd.tix +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeHpwZFZEWXc0cGxZZ2dV -WDkvUmVFWXE5azZ1VlREM090bWJ6elgxR3hFCmhnNkhWZWVqdmxEcUJVTnFZaGw1 -YnVOYmpYOGd5YU1EaDlmc0ZrNk0zT0EKLT4gWDI1NTE5IEwyL1ptVzJ2bUdvSW1n -TzNod1BKZHQ3YXhUMkl5ZzRiT2Y3aUt0NGw4RVUKWTF3ampTMG1DYTBYTFcwNEp6 -bkFWbGl6WEVCcVdhQnVWY0piQ1VHMzk0SQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -TnFGVkQxTndPZ1l4c2J5dzNmT1YrZ0dQYytIMmtxaTN2Y01uZFdXOThqWQo2TDkv -MUJzc3BON1JwbGN3OW44WWZ5WUxWdWU2UnpJczVYVHBsdUFmdllJCi0+IHg5YmFB -eS1ncmVhc2UgYl9hXWlgIC5fIGpLaU1wWiN4ICczCkVmOHRibWptbDBxOS9Ic1VC -L0tFQXo5Sk45TDFlQlB5bnFleUF0dFlMSmdvd2dmUlZ3Ci0tLSBIN0MvMEduQVlR -bDVTQUxvZjB2TTljdjZkbGphN1l1QnZESWNZUjZzd1dVCmCWuxwFj1FyTEFasr8X -apyuQkXs6Cvfx82qMvwE1G4SLOEulJjVp/VDcICQ8RE8BE0HJGRjG64FqdtbHY2K -tPMADqfz/jt7kbXKSwB6zOHE9VNcTrGl+mx2Ki8HUG8GElj+hE2m0cWdGijcsGVW -lo2HKPa7F/d9vBUC9sLYo8U5VrnIRhBN1s4ECfAa4vj2RSsCZePCHkJMH7qFPGuC -PZST ------END AGE ENCRYPTED FILE----- 
diff --git a/system/secrets/invidious/settings.tix b/system/secrets/invidious/settings.tix deleted file mode 100644 index f760fa9..0000000 --- a/system/secrets/invidious/settings.tix +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds -dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t -dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ -bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw -ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv -T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa -aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv -S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t -LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc -N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx -aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ== ------END AGE ENCRYPTED FILE----- diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index d03dee4..7a37f50 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix @@ -3,11 +3,9 @@ enable = true; database = { createLocally = true; - #passwordFile = "${config.age.secrets.invidious.path}"; - #host = "localhost"; }; domain = "invidious.vhack.eu"; nginx.enable = true; - extraSettingsFile = "${config.age.secrets.invidiousSettings.path}"; + extraSettingsFile = "${config.age.secrets.invidiousHmac.path}"; }; } -- cgit 1.4.1 From b39d8005c6315ceb9e3e6068a854a21dfa80ab97 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 09:43:50 +0200 Subject: Fix(system/services/invidious): Check tables on startup --- system/services/invidious/default.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'system/services') 
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 7a37f50..17ba0c1 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -7,5 +7,9 @@
 domain = "invidious.vhack.eu";
 nginx.enable = true;
 extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
+
+ settings = {
+ check_tables = true;
+ };
 };
 }
-- cgit 1.4.1
From c525e36a3dd0345e3ef04b9e2669264b4ec7daa2 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 09:54:23 +0200 Subject: Fix(system/services/invidious): Set correct access permissions on hmac --- system/services/invidious/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'system/services')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
index 17ba0c1..8b69c2e 100644
--- a/system/services/invidious/default.nix
+++ b/system/services/invidious/default.nix
@@ -6,10 +6,13 @@
 };
 domain = "invidious.vhack.eu";
 nginx.enable = true;
- extraSettingsFile = "${config.age.secrets.invidiousHmac.path}";
+ extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";
 settings = {
 check_tables = true;
 };
 };
+ systemd.services.invidious.serviceConfig = {
+ LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+ };
 }
-- cgit 1.4.1
From 542bb5d7b8e3dfe22826fe0af3272b8b2a8b925a Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 10:31:46 +0200 Subject: Fix(system/service/invidious): Copy their script, to remove shell escape The default ExecStart implementation in the module, escapes all stings. This does not work for us because we need to use the `$CREDENTIALS_DIR` environment variable, for the credentials deployed in den `LoadCredential` option --- system/services/invidious/default.nix | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'system/services')
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index 8b69c2e..f51fc3d 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix @@ -1,4 +1,11 @@ -{config, ...}: { +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.services.invidious; +in { services.invidious = { enable = true; database = { @@ -14,5 +21,25 @@ }; systemd.services.invidious.serviceConfig = { LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}"; + + script = let + # taken from the invidious module + settingsFormat = pkgs.formats.json {}; + settingsFile = settingsFormat.generate "invidious-settings" cfg.settings; + + jqFilter = + "." + + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\"" + + " | .[0]" + + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]"; + + # don't escape extraSettingsFile, to allow variable substitution + jqFiles = + settingsFile + + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\""; + in '' + export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})" + exec ${cfg.package}/bin/invidious + ''; }; } -- cgit 1.4.1 From df87e1dfd15cbd229ad3a7df3ded7544aadee75a Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 10:37:43 +0200 Subject: Fix(system/services/invidious): Force the new script option to be applied --- system/services/invidious/default.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'system/services') diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index f51fc3d..e9ac768 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix 
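Review bot: The copied start script exists only because the module's ExecStart shell-escapes `extraSettingsFile`, but systemd places loaded credentials at a fixed, documented location, `/run/credentials/<unit>.service/<id>`, which is exactly what `$CREDENTIALS_DIRECTORY` expands to; setting `extraSettingsFile = "/run/credentials/invidious.service/hmac";` should let the unmodified module ExecStart read the HMAC file, and the whole `script = let … in ''…''` block, including the copied `jqFilter` password logic, could be dropped (confirm the path on the deployed systemd version). If the copy is kept, the `# taken from the invidious module` comment should name the nixpkgs revision it was copied from, since upstream changes to that jq filter will otherwise be missed silently. The quoting in `jqFiles` intentionally leaves `cfg.extraSettingsFile` unescaped, so that option must never be set from anything but this file; a comment stating that would save the next reader a search.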
@@ -22,7 +22,7 @@ in { systemd.services.invidious.serviceConfig = { LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}"; - script = let + ExecStart = let # taken from the invidious module settingsFormat = pkgs.formats.json {}; settingsFile = settingsFormat.generate "invidious-settings" cfg.settings; @@ -37,9 +37,10 @@ in { jqFiles = settingsFile + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\""; - in '' - export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})" - exec ${cfg.package}/bin/invidious - ''; + in + lib.mkForce (pkgs.writeScript "start-invidious" '' + export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})" + exec ${cfg.package}/bin/invidious + ''); }; } -- cgit 1.4.1 From 08eb7736c7e1897885e9e28a09bbc3510e572f8f Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:05:17 +0200 Subject: Fix(system/services/invidious): Add interpreter to start script --- system/services/invidious/default.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'system/services') diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix index e9ac768..a1d202c 100644 --- a/system/services/invidious/default.nix +++ b/system/services/invidious/default.nix @@ -39,6 +39,8 @@ in { + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\""; in lib.mkForce (pkgs.writeScript "start-invidious" '' + #! ${pkgs.dash}/bin/dash + export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})" exec ${cfg.package}/bin/invidious ''); -- cgit 1.4.1 From 503e9e2154b4b905201f3a47cffa54c3c25c7318 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:15:01 +0200 Subject: chore(version): v0.8.0 --- system/services/invidious/CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 system/services/invidious/CHANGELOG.md (limited to 'system/services') 
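Review bot: The start script's `export INVIDIOUS_CONFIG="$(... jq ...)"` discards jq's exit status, and the `#! ${pkgs.dash}/bin/dash` line added here does not turn on errexit, so if `$CREDENTIALS_DIRECTORY/hmac` is missing or not valid JSON, or the database password file cannot be read, jq fails and `exec invidious` still runs with an empty `INVIDIOUS_CONFIG` instead of the unit failing with a clear error. I would add `set -eu` directly under the shebang and split the assignment from the export: `INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"` followed by `export INVIDIOUS_CONFIG`, so a non-zero jq status aborts before the exec. Since `extraSettingsFile` is interpolated unescaped into that command line on purpose (to let `$CREDENTIALS_DIRECTORY` expand), a comment there that the value must only ever come from this configuration, never from anything user-controlled, would help the next reader. The `ExecStart` let-binding this hunk modifies starts outside the hunk.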
diff --git a/system/services/invidious/CHANGELOG.md b/system/services/invidious/CHANGELOG.md new file mode 100644 index 0000000..66fa2bf --- /dev/null +++ b/system/services/invidious/CHANGELOG.md @@ -0,0 +1,11 @@ +# Changelog +All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. + +- - - +## v0.8.0 - 2023-08-11 +#### Features +- **(system/services/snapper)** Add - (1256cab) - Soispha + +- - - + +Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file -- cgit 1.4.1 From 03ce680b953b826098808ff3c0157da1186827e2 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 11 Aug 2023 18:15:01 +0200 Subject: chore(version): v0.8.0 --- system/services/invidious/CHANGELOG.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 system/services/invidious/CHANGELOG.md (limited to 'system/services') diff --git a/system/services/invidious/CHANGELOG.md b/system/services/invidious/CHANGELOG.md deleted file mode 100644 index 66fa2bf..0000000 --- a/system/services/invidious/CHANGELOG.md +++ /dev/null @@ -1,11 +0,0 @@ -# Changelog -All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines. - -- - - -## v0.8.0 - 2023-08-11 -#### Features -- **(system/services/snapper)** Add - (1256cab) - Soispha - -- - - - -Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto). \ No newline at end of file -- cgit 1.4.1 From 7428d690a6df382444c15683377e105456f72cab Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 14:12:24 +0200 Subject: Feat(system/services/libreddit): Init --- system/services/default.nix | 1 + system/services/libreddit/default.nix | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 system/services/libreddit/default.nix (limited to 'system/services') 
diff --git a/system/services/default.nix b/system/services/default.nix index 6c2670d..9163588 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -3,6 +3,7 @@ ./fail2ban ./invidious ./keycloak + ./libreddit ./mail ./matrix ./minecraft diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix new file mode 100644 index 0000000..e52507f --- /dev/null +++ b/system/services/libreddit/default.nix @@ -0,0 +1,7 @@ +{...}: { + services.libreddit = { + enable = true; + address = "libreddit.vhack.eu"; + openFirewall = true; + }; +} -- cgit 1.4.1 From 097d566da1b3fe4092d8daa38034cf9b4c64556f Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 14:19:12 +0200 Subject: Fix(system/services/libreddit): Actually proxy services via nginx --- system/services/libreddit/default.nix | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'system/services') diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix index e52507f..581445c 100644 --- a/system/services/libreddit/default.nix +++ b/system/services/libreddit/default.nix @@ -1,7 +1,23 @@ -{...}: { +{ + config, + lib, + ... +}: let + domain = "libreddit.vhack.eu"; +in { services.libreddit = { enable = true; - address = "libreddit.vhack.eu"; + address = "127.0.0.1"; openFirewall = true; }; + + services.nginx = { + enable = true; + virtualHosts.${domain} = { + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; + + enableACME = lib.mkDefault true; + forceSSL = lib.mkDefault true; + }; + }; } -- cgit 1.4.1 From f0a98522ac1d46c40d7337d34cd73b115512127d Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 14:33:14 +0200 Subject: Fix(system/services/libreddit): Don't open firewall --- system/services/libreddit/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/services') 
diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix index 581445c..e4ab893 100644 --- a/system/services/libreddit/default.nix +++ b/system/services/libreddit/default.nix @@ -8,7 +8,7 @@ in { services.libreddit = { enable = true; address = "127.0.0.1"; - openFirewall = true; + openFirewall = false; }; services.nginx = { -- cgit 1.4.1 From 2aa1c1641161185edd31df73739b26dea56b3786 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 18 Aug 2023 20:43:59 +0200 Subject: Fix(system/services/nginx): Update hosts --- system/services/nginx/hosts.nix | Bin 454 -> 300 bytes 1 file changed, 0 insertions(+), 0 deletions(-) (limited to 'system/services') diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix index 550c28f..3abd841 100644 Binary files a/system/services/nginx/hosts.nix and b/system/services/nginx/hosts.nix differ -- cgit 1.4.1 From cd75ff6797386c5924a2f0bbc62eadf1c6e2725d Mon Sep 17 00:00:00 2001 From: Soispha Date: Sun, 1 Oct 2023 22:07:22 +0200 Subject: feat(system/services/taskserver): Init This is the server part used in combination with Taskwarrior to regain control over the unwieldy amount of task, that accumulate over the day. --- notes/taskserver.md | 7 +++++++ system/impermanence/default.nix | 1 + system/impermanence/mods/taskserver.nix | 5 +++++ system/services/default.nix | 1 + system/services/taskserver/default.nix | 28 ++++++++++++++++++++++++++++ 5 files changed, 42 insertions(+) create mode 100644 notes/taskserver.md create mode 100644 system/impermanence/mods/taskserver.nix create mode 100644 system/services/taskserver/default.nix (limited to 'system/services') diff --git a/notes/taskserver.md b/notes/taskserver.md new file mode 100644 index 0000000..36aeff0 --- /dev/null +++ b/notes/taskserver.md @@ -0,0 +1,7 @@ +# User export +Use +```bash +nixos-taskserver user export my-company alice +# or via ssh +ssh $server nixos-taskserver user export my-company alice #| sh +``` 
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index b60eb4c..6e977b5 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -8,6 +8,7 @@ ./mods/nix-sync.nix ./mods/openssh.nix ./mods/postgresql.nix + ./mods/taskserver.nix ./mods/users.nix ]; diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix new file mode 100644 index 0000000..9208aa4 --- /dev/null +++ b/system/impermanence/mods/taskserver.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/taskserver" + ]; +} diff --git a/system/services/default.nix b/system/services/default.nix index 9163588..3349b38 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -13,5 +13,6 @@ ./openssh ./rust-motd ./snapper + ./taskserver ]; } diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix new file mode 100644 index 0000000..56255cd --- /dev/null +++ b/system/services/taskserver/default.nix @@ -0,0 +1,28 @@ +{...}: { + services.taskserver = { + enable = true; + pki.auto = { + expiration = { + server = 365; + crl = 365; + client = 365; + ca = 365; + }; + bits = 4096; + }; + organisations = { + vhack = { + users = [ + "soispha" + ]; + }; + soispha = { + users = [ + "soispha" + ]; + }; + }; + openFirewall = true; + fqdn = "taskserver.vhack.eu"; + }; +} -- cgit 1.4.1 From 18624e4434c5ec379784e59a2f8054296d4c6837 Mon Sep 17 00:00:00 2001 From: Soispha Date: Sun, 1 Oct 2023 22:55:33 +0200 Subject: fix(system/services/taskserver): Specify domain to listen on --- system/services/taskserver/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'system/services') diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix index 56255cd..6a0aba6 100644 --- a/system/services/taskserver/default.nix +++ b/system/services/taskserver/default.nix 
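Review bot: `pki.auto.expiration.ca = 365` gives the self-signed CA the same one-year lifetime as the leaf certificates it signs, so when it expires every exported client bundle stops validating at once rather than just the server certificate needing renewal; unless you have confirmed the module re-issues the CA and you intend to redistribute client bundles yearly, give the CA a longer life than the leaves, e.g. `ca = 3650;`, and treat the `server`/`client` values as the rotation interval. `openFirewall = true` exposes taskd to the internet, which is acceptable only because taskd authenticates clients by certificate, so the CA private key under `/var/lib/taskserver` becomes the thing to protect. The matching `environment.persistence` entry in `mods/taskserver.nix` is a bare path with no `user`/`group`/`mode`, so check what ownership and mode the persisted directory ends up with, and consider the explicit attribute-set form with a `0700` mode and the user the module runs taskd as (`taskd` by default, if I recall correctly).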
@@ -24,5 +24,6 @@ }; openFirewall = true; fqdn = "taskserver.vhack.eu"; + listenHost = "taskserver.vhack.eu"; }; } -- cgit 1.4.1 From 17f6a00debfb2a68a691936d3f1c5a4b84edef19 Mon Sep 17 00:00:00 2001 From: Soispha Date: Mon, 2 Oct 2023 18:21:36 +0200 Subject: fix(system/services/taskserver): Use strict certificate validation --- system/services/taskserver/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'system/services') diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix index 6a0aba6..517da5d 100644 --- a/system/services/taskserver/default.nix +++ b/system/services/taskserver/default.nix @@ -22,6 +22,7 @@ ]; }; }; + trust = "strict"; openFirewall = true; fqdn = "taskserver.vhack.eu"; listenHost = "taskserver.vhack.eu"; -- cgit 1.4.1 From 932c45d2eb843bac1bb2f6e64a91613fe0fa3dd2 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 16:10:04 +0200 Subject: feat(system/services/miniflux): Init --- system/secrets/default.nix | 6 ++++++ system/secrets/miniflux/admin.tix | 20 ++++++++++++++++++++ system/secrets/secrets.nix | 1 + system/services/default.nix | 1 + system/services/miniflux/default.nix | 19 +++++++++++++++++++ 5 files changed, 47 insertions(+) create mode 100644 system/secrets/miniflux/admin.tix create mode 100644 system/services/miniflux/default.nix (limited to 'system/services') diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 2269672..6cd7524 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -19,6 +19,12 @@ owner = "root"; group = "root"; }; + minifluxAdmin = { + file = ./miniflux/admin.tix; + mode = "700"; + owner = "root"; + group = "root"; + }; }; }; } diff --git a/system/secrets/miniflux/admin.tix b/system/secrets/miniflux/admin.tix new file mode 100644 index 0000000..5f9855b --- /dev/null +++ b/system/secrets/miniflux/admin.tix 
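Review bot: `mode = "700"` on the `minifluxAdmin` secret sets an execute bit on a credentials file, which nothing needs; `"0400"` is sufficient for a file that is only read. Root ownership is right if, as I recall, the NixOS miniflux module passes `adminCredentialsFile` to systemd as an `EnvironmentFile`, which systemd reads as root before the service drops privileges, but that is worth confirming against the module, because if the miniflux user read it directly a root-owned 0400 file would be unreadable. Once confirmed, a short comment on the secret such as `# read by systemd (EnvironmentFile), not by the miniflux user` would record why root ownership is intentional.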
@@ -0,0 +1,20 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a1AwRUpRS2dTVWc5dFFx +SWtnOHh0SWRVODBxUTlkWmQvOURvVk90d1hVCkNwTlZDWGhhSnNyYzZQa2N4aUxV +SUx3aWk3ditmVURjTjJCckNqOSs1QzAKLT4gWDI1NTE5IElQNHBVZnB3Umw0bW9R +K1lsQXlLc3Vld0ljanBjS1E4TGdHSE8rR3ZMemsKY3ZpVm5OSDZrNHlXMVh6bXIz +YnhFSmdFTTNCUUFkeEpCbCt6Z21SbCtEUQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +VGQxbTRiNkxRTUhRVFZEWkZiZ3ZoRStDbk5OZWFMb1BacEhmOWxjVmlRdwpidTlI +TXNnVHJPVUJjZXdGVWdMZkJ3WVZ2c3k2a3BrSDJDdWdTd1VLdVhjCi0+IExLOWst +Z3JlYXNlIC9kIDJYWlZDCkpXUW1IdFA3RjFoQXJHdG10bERLNk93ZFRvVVgxRjNY +QUlJcmpPVVU0RXYvVEZFZk5nTFNrWXVNWVg5Q0xzLzcKWWlDUUtPRWIwVWF3RXZt +M2dJenh3bk9nQ0paMTVweHlnQQotLS0gK3J4NTJ3Wkl1bDlVd3F1NVFlcVhWS0ZT +RlFxUFRBcXJEcC91M3pYaWNmYwoKAC8nGzAQewMVBhgwU4UxDIzm16OH1Te2N1Up +WjjAaHKGHeLcTG8UN6CgmIsjijV1EIN4qMLGQy1tJlMoim4/Q5kyTkHSEVAgLbKI +vUiW2/7mblgkTJzlVw0EB7wep6HPT9C7JYuirBRstUf0TdBIIB+u0Q/AGTnydcg8 +Kus1e4zuoanFxXoIFoUt48zC8T+EsPd3hMMe8h//rAfsBIxB3CJaqibxmQSWAPoA +yCuULWrmD48xjS6tzwZQo+Fx334HdH/hQSaZS0wJccwONbXaqexm+rEn+wmnBZW6 +lOFE86S9f3b1+GI3ze23yD4nbY+7txlP2QwADu815IZ3eOLBfxXjJR7K4+bEeiqz +0Q+t8fWZntB9sL0iELQlXa4uwcu7DlxLnopC/klTBisrEXizH4ALwVcr9Cxwp4Hj +vpOTqLt2Qxw= +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index 9fa9cc5..cd27612 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -14,4 +14,5 @@ in { "matrix-synapse/passwd.tix".publicKeys = allSecrets; "invidious/hmac.tix".publicKeys = allSecrets; "invidious/settings.tix".publicKeys = allSecrets; + "miniflux/admin.tix".publicKeys = allSecrets; } diff --git a/system/services/default.nix b/system/services/default.nix index 3349b38..2530f3a 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -7,6 +7,7 @@ ./mail ./matrix ./minecraft + ./miniflux ./nginx ./nix ./nix-sync diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix new file mode 100644 index 0000000..e42ebe2 
--- /dev/null +++ b/system/services/miniflux/default.nix @@ -0,0 +1,19 @@ +{config, ...}: { + services.miniflux = { + enable = true; + config = { + LISTEN_ADDR = "127.0.0.1:5892"; + }; + adminCredentialsFile = config.secrets.age.minifluxAdmin.path; + }; + + services.nginx = { + enable = true; + virtualHosts."rss.vhack.eu" = { + locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}"; + + enableACME = true; + forceSSL = true; + }; + }; +} -- cgit 1.4.1 From b4944b16cade3b006615bd3efd3795b8e235e6ec Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 16:13:26 +0200 Subject: fix(system/services/miniflux): Correctly specify secret path --- system/services/miniflux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/services') diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix index e42ebe2..516a9b2 100644 --- a/system/services/miniflux/default.nix +++ b/system/services/miniflux/default.nix @@ -4,7 +4,7 @@ config = { LISTEN_ADDR = "127.0.0.1:5892"; }; - adminCredentialsFile = config.secrets.age.minifluxAdmin.path; + adminCredentialsFile = config.age.secrets.minifluxAdmin.path; }; services.nginx = { -- cgit 1.4.1 From a3c31664dad17674721b0d31eec8ca0d8e57bd3e Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 17:11:46 +0200 Subject: feat(system/services/murmur): Initialize --- system/services/default.nix | 1 + system/services/murmur/default.nix | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 system/services/murmur/default.nix (limited to 'system/services') diff --git a/system/services/default.nix b/system/services/default.nix index 2530f3a..db42284 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -8,6 +8,7 @@ ./matrix ./minecraft ./miniflux + ./murmur ./nginx ./nix ./nix-sync 
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix new file mode 100644 index 0000000..9c04db0 --- /dev/null +++ b/system/services/murmur/default.nix @@ -0,0 +1,23 @@ +{config, ...}: { + services.murmur = { + enable = true; + openFirewall = true; + welcometext = '' + You never get a second chance to make a first impression + + The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here! + ''; + sslKey = "${config.security.acme.certs.murmur.directory}/key.pem"; + sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem"; + + registerUrl = "vhack.eu"; + registerName = "vhack"; + registerHostname = "mumble.vhack.eu"; + hostName = "mumble.vhack.eu"; + clientCertRequired = true; + }; + + security.acme.certs.murmur = { + domain = "mumble.vhack.eu"; + }; +} -- cgit 1.4.1 From c154fa39a7f68a17713eff260c45c4d23835feb1 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 17:29:00 +0200 Subject: fix(system/services/murmur): Allow murmur's user to read certs --- system/impermanence/default.nix | 1 + system/impermanence/mods/murmur.nix | 10 ++++++++++ system/services/murmur/default.nix | 26 ++++++++++++++++++++++---- 3 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 system/impermanence/mods/murmur.nix (limited to 'system/services') diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index 6e977b5..f3d792d 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -5,6 +5,7 @@ ./mods/mail.nix ./mods/matrix.nix ./mods/minecraft.nix + ./mods/murmur.nix ./mods/nix-sync.nix ./mods/openssh.nix ./mods/postgresql.nix diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix new file mode 100644 index 0000000..48912e1 --- /dev/null +++ b/system/impermanence/mods/murmur.nix 
@@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/murmur"; + user = "murmur"; + group = "murmur"; + mode = "0700"; + } + ]; +} diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix index 9c04db0..1dcd781 100644 --- a/system/services/murmur/default.nix +++ b/system/services/murmur/default.nix @@ -1,23 +1,41 @@ -{config, ...}: { +{...}: let + murmurStore = "/var/lib/murmur"; +in { services.murmur = { enable = true; openFirewall = true; welcometext = '' - You never get a second chance to make a first impression + You never get a second chance to make a first impression
The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here! ''; - sslKey = "${config.security.acme.certs.murmur.directory}/key.pem"; - sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem"; + sslKey = "${murmurStore}/key.pem"; + sslCert = "${murmurStore}/fullchain.pem"; registerUrl = "vhack.eu"; registerName = "vhack"; registerHostname = "mumble.vhack.eu"; hostName = "mumble.vhack.eu"; clientCertRequired = true; + bandwidth = 7200000; }; security.acme.certs.murmur = { domain = "mumble.vhack.eu"; + postRun = + /* + bash + */ + '' + set -x + rm "${murmurStore}/key.pem" + rm "${murmurStore}/fullchain.pem" + + cp key.pem "${murmurStore}"; + cp fullchain.pem "${murmurStore}"; + + chown murmur:murmur "${murmurStore}/key.pem" + chown murmur:murmur "${murmurStore}/fullchain.pem" + ''; }; } -- cgit 1.4.1 From 52ae495f89ac232f689d2af04a7d88441bef0b4f Mon Sep 17 00:00:00 2001 From: sils Date: Wed, 11 Oct 2023 12:41:55 +0200 Subject: feat(system/services/nix): add wheel group to trusted-users --- system/services/nix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'system/services') diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix index bd562ec..ec5fe5d 100644 --- a/system/services/nix/default.nix +++ b/system/services/nix/default.nix @@ -13,6 +13,10 @@ settings = { auto-optimise-store = true; experimental-features = ["nix-command" "flakes"]; + trusted-users = [ + "root" + "@wheel" + ]; }; }; } -- cgit 1.4.1 From 631e9c0fc66e7c0493ea447dfcfcfca93ce0d72c Mon Sep 17 00:00:00 2001 
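Review bot: The `postRun` script will abort on its first run if, as I recall, the ACME hook executes with `set -e`: both `rm` calls fail because `/var/lib/murmur/key.pem` and `fullchain.pem` do not exist yet, so the copies never happen and murmur starts without a certificate. It also leaves the copied key with whatever mode `cp` inherits (root-owned until the `chown`), and nothing tells murmur to pick up a renewed certificate, so it keeps serving the old one until some unrelated restart. I would replace the rm/cp/chown sequence with `install -o murmur -g murmur -m 0600 key.pem "${murmurStore}/key.pem"` and `install -o murmur -g murmur -m 0644 fullchain.pem "${murmurStore}/fullchain.pem"`, then `systemctl restart murmur.service`, and drop `set -x`, which echoes the commands into the journal for no benefit. Alternatively the usual NixOS pattern, `security.acme.certs.murmur.group = "murmur"` with `sslKey`/`sslCert` pointing back at the ACME directory, avoids copying the private key around at all, provided murmur's service sandboxing can read that directory.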
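Review bot: Adding `@wheel` to `trusted-users` grants more than it looks like: the Nix manual describes trusted users as essentially equivalent to root, since they can pass arbitrary daemon options (extra substituters and trusted public keys, disabling the sandbox) and import store paths without signature checks, and none of that passes through sudo's password prompt or its log. If every wheel member already has unrestricted sudo this only removes a prompt; if sudo is password-gated, or wheel is used as a general "may use sudo" marker, this is a new root-equivalent path for those accounts. Prefer naming the deploying account(s) explicitly, e.g. `trusted-users = [ "root" "soispha" ];`, and leave a comment on the setting stating that it is root-equivalent so nobody widens it further.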
From: sils Date: Thu, 12 Oct 2023 20:49:27 +0200 Subject: feat(treewide): add mastodon --- system/impermanence/default.nix | 1 + system/impermanence/mods/mastodon.nix | 10 ++++++++++ system/secrets/default.nix | 6 ++++++ system/secrets/mastodon/mail.tix | 15 +++++++++++++++ system/secrets/secrets.nix | 1 + system/services/mail/users.nix | Bin 1138 -> 1303 bytes system/services/mastodon/default.nix | 17 +++++++++++++++++ 7 files changed, 50 insertions(+) create mode 100644 system/impermanence/mods/mastodon.nix create mode 100644 system/secrets/mastodon/mail.tix create mode 100644 system/services/mastodon/default.nix (limited to 'system/services') diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index f3d792d..f42c084 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -3,6 +3,7 @@ imports = [ ./mods/acme.nix ./mods/mail.nix + ./mods/mastodon.nix ./mods/matrix.nix ./mods/minecraft.nix ./mods/murmur.nix diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix new file mode 100644 index 0000000..a5bdbfd --- /dev/null +++ b/system/impermanence/mods/mastodon.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; +} diff --git a/system/secrets/default.nix b/system/secrets/default.nix index 6cd7524..658679b 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -25,6 +25,12 @@ owner = "root"; group = "root"; }; + mastodonMail = { + file = ./mastodon/mail.tix; + mode = "700"; + owner = "mastodon"; + group = "mastodon"; + }; }; }; } diff --git a/system/secrets/mastodon/mail.tix b/system/secrets/mastodon/mail.tix new file mode 100644 index 0000000..c64a2e7 --- /dev/null +++ b/system/secrets/mastodon/mail.tix 
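Review bot: The `mastodonMail` secret gets `mode = "700"`, which adds an execute bit to a file that is only read; `"0400"` is enough, and since the mastodon service reads `passwordFile` itself, the `mastodon` owner is the right choice. Separately, the new persistence entry pins `/var/lib/mastodon` to `mode = "0700"`, while the module's nginx configuration enabled here via `configureNginx = true` serves media from `/var/lib/mastodon/public-system/` as far as I recall; with 0700 on the parent directory, group membership for nginx does not grant traversal, so either `0750` is needed here or you should confirm the mastodon module's tmpfiles rules re-chmod the directory after impermanence mounts it. I cannot tell from this hunk which of the two wins at activation, so it is worth a deliberate test before relying on media serving.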
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT05Uc2hrcFAwd1c5S1o0 +L3hhQURmdUVBbmxSYVFGczdGWThTck9VdkhRCktOZ1JSamN0Ly9pVXJDMDZ4Y0VZ +bmRyMTlaOU9HOEZ5SitzOVovUkhCNFUKLT4gWDI1NTE5IHlqUTFtODd6QXpNMFBY +WTY2cTJ2TFI5S0ZGc1doeEVEUi9veGRDKzN5UWsKUC9WZUtXVUs5cnkxL3Y5RlJs +RTRkNE5zQ0NtbG0vdStuZXZVUzFoeTBwNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +Um1qczl3YTM0S3dIb3AzQmpSNVNNUXFzMFNLNEEwQllOSUkrMHNzVy9uMApTdjhz +U250NGNpdk5SbWhPNjhjWWM0aWovRCt0MjR3M29JSTZjLy9IbTAwCi0+IEwtZ3Jl +YXNlIEp6KCk4by1jIF0Kd2xoKytCU3d3MGFxZmRmS2gxSDJiVFp1L3hOS2hJVEtz +NlFHWHhnRW5SNTZRMFFFRUJrVXo2blZvNlZTSXNqeQpVbWFLUmVHN1ptWGdLMkJT +RVJuUWxTVE4vcDhsCi0tLSA5ckxpdFhrQWErb2NkcXlWaHR6WmVndVppbjRIQ3cw +VjAxdTlnTEdmTkVrCou6/oezocFtYn7QDWLFzknFPlD5d1xBFutng6dvazWasZXD +qecouKvAmFFA4mQHUjbmD2QxWdorU7SyYpEPeTJ4rbOuayySkYPxUoo8gqvd7JkS +0VCavUuSb8nmfk24E3M= +-----END AGE ENCRYPTED FILE----- diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix index cd27612..411f92e 100644 --- a/system/secrets/secrets.nix +++ b/system/secrets/secrets.nix @@ -15,4 +15,5 @@ in { "invidious/hmac.tix".publicKeys = allSecrets; "invidious/settings.tix".publicKeys = allSecrets; "miniflux/admin.tix".publicKeys = allSecrets; + "mastodon/mail.tix".publicKeys = allSecrets; } diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix index a30d547..2104a8a 100644 Binary files a/system/services/mail/users.nix and b/system/services/mail/users.nix differ diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix new file mode 100644 index 0000000..6fb821e --- /dev/null +++ b/system/services/mastodon/default.nix 
@@ -0,0 +1,17 @@ +{config, ...}: let + emailAddress = "mastodon@vhack.eu"; +in { + services.mastodon = { + enable = true; + localDomain = "mstdn.vhack.eu"; + configureNginx = true; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = emailAddress; + user = emailAddress; + host = "server1.vhack.eu"; + passwordFile = "${config.age.secrets.mastdonMail.path}"; + }; + }; +} -- cgit 1.4.1 From b8f786bf568187f83da586df9e5d354e79b59cb2 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 20:56:51 +0200 Subject: fix(system/services/mastodon): correct age secret path --- system/services/mastodon/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 6fb821e..3a983c3 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -11,7 +11,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = "${config.age.secrets.mastdonMail.path}"; + passwordFile = "${config.age.secrets.mastodonMail.path}"; }; }; } -- cgit 1.4.1 From 927fc165253804a6b8ffe0e648baa279e77a8233 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 20:57:20 +0200 Subject: feat(system/services): actually import mastodon --- system/services/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'system/services') diff --git a/system/services/default.nix b/system/services/default.nix index db42284..9998e43 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -5,6 +5,7 @@ ./keycloak ./libreddit ./mail + ./mastodon ./matrix ./minecraft ./miniflux -- cgit 1.4.1 From cb49aa5ed36f38aa9608695fb1884846b9f859f9 Mon Sep 17 00:00:00 2001 
From: sils Date: Thu, 12 Oct 2023 21:35:13 +0200 Subject: fix(system/services/mastodon): separate domains for user handles and webinterface --- system/services/mastodon/default.nix | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 3a983c3..96c2744 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -3,8 +3,7 @@ in { services.mastodon = { enable = true; - localDomain = "mstdn.vhack.eu"; - configureNginx = true; + localDomain = "vhack.eu"; smtp = { authenticate = true; createLocally = false; @@ -13,5 +12,38 @@ in { host = "server1.vhack.eu"; passwordFile = "${config.age.secrets.mastodonMail.path}"; }; + extraConfig.WEB_DOMAIN = "mastodon.vhack.eu"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts = { + "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { + root = "${config.services.mastodon.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = true; + enableACME = true; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + + locations."/" = { + tryFiles = "$uri @proxy"; + }; + + locations."@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + + locations."/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + "vhack.eu" = { + locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; + }; + }; }; } -- cgit 1.4.1 From bd824945407c1db99d35e1b56fc19ef08abd6c36 Mon Sep 17 00:00:00 2001 
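Review bot: The `"vhack.eu"` vhost added at the end of this hunk carries only the webfinger redirect and no `forceSSL`/`enableACME`; remote instances resolve `@user@vhack.eu` over HTTPS, so unless that vhost is given TLS elsewhere (`nginx/hosts.nix` is binary in this listing, so I cannot tell) federation lookups will fail. Mastodon's guidance for a `WEB_DOMAIN` that differs from `LOCAL_DOMAIN` also recommends forwarding `/.well-known/host-meta` the same way, and some implementations probe `/.well-known/nodeinfo`, so consider adding `locations."/.well-known/host-meta".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";` beside the webfinger line. A comment on that vhost explaining that it exists only for account discovery on the handle domain would make the split obvious to the next maintainer.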
From: sils Date: Thu, 12 Oct 2023 21:39:35 +0200 Subject: fix(system/services/mastodon): allow registration only with vhack.eu/sils.li mail --- system/services/mastodon/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 96c2744..5007d0e 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -12,7 +12,10 @@ in { host = "server1.vhack.eu"; passwordFile = "${config.age.secrets.mastodonMail.path}"; }; - extraConfig.WEB_DOMAIN = "mastodon.vhack.eu"; + extraConfig = { + WEB_DOMAIN = "mastodon.vhack.eu"; + EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; + }; }; services.nginx = { -- cgit 1.4.1 From 1ddfb655c9cb35a40cc13dca84652678f7a30f1a Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 21:52:37 +0200 Subject: fix(system/services/mastodon): add nginx to group 'mastodon' --- system/services/mastodon/default.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 5007d0e..ea49fc5 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -49,4 +49,6 @@ in { }; }; }; + + users.groups.${config.services.mastodon.group}.members = config.services.nginx.user; } -- cgit 1.4.1 From 478437be715c965a4028693582bef650ce190198 Mon Sep 17 00:00:00 2001 From: sils Date: Thu, 12 Oct 2023 21:54:21 +0200 Subject: fix(system/services/mastodon): change string to list of string --- system/services/mastodon/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index ea49fc5..fee472e 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix 
@@ -50,5 +50,7 @@ in { }; }; - users.groups.${config.services.mastodon.group}.members = config.services.nginx.user; + users.groups.${config.services.mastodon.group}.members = [ + config.services.nginx.user + ]; } -- cgit 1.4.1 From cfdd2e350ff5df55beef4fa5b7bc11e9ff5e23c1 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 13 Oct 2023 13:40:22 +0200 Subject: fix(system/services/mastodon): remove unneccessary stringcasts --- system/services/mastodon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index fee472e..7522d99 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -10,7 +10,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = "${config.age.secrets.mastodonMail.path}"; + passwordFile = config.age.secrets.mastodonMail.path; }; extraConfig = { WEB_DOMAIN = "mastodon.vhack.eu"; @@ -22,7 +22,7 @@ in { enable = true; recommendedProxySettings = true; # required for redirections to work virtualHosts = { - "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { + "config.services.mastodon.extraConfig.WEB_DOMAIN" = { root = "${config.services.mastodon.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = true; -- cgit 1.4.1 From 900d013b708fb84add332fe397a01991cf71a119 Mon Sep 17 00:00:00 2001 From: sils Date: Fri, 13 Oct 2023 17:20:20 +0200 Subject: Revert "fix(system/services/mastodon): remove unneccessary stringcasts" These stringcasts were mandatory. This reverts commit cfdd2e350ff5df55beef4fa5b7bc11e9ff5e23c1. --- system/services/mastodon/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index 7522d99..fee472e 100644 
--- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -10,7 +10,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = config.age.secrets.mastodonMail.path; + passwordFile = "${config.age.secrets.mastodonMail.path}"; }; extraConfig = { WEB_DOMAIN = "mastodon.vhack.eu"; @@ -22,7 +22,7 @@ in { enable = true; recommendedProxySettings = true; # required for redirections to work virtualHosts = { - "config.services.mastodon.extraConfig.WEB_DOMAIN" = { + "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { root = "${config.services.mastodon.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = true; -- cgit 1.4.1 From 925e9936646bf071f6de271c8f17727e2ab86616 Mon Sep 17 00:00:00 2001 From: Soispha Date: Fri, 13 Oct 2023 17:36:16 +0200 Subject: fix(system/services/mastodon): Correctly avoid string casts --- system/services/mastodon/default.nix | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) (limited to 'system/services') diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index fee472e..39a0f56 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -10,7 +10,7 @@ in { fromAddress = emailAddress; user = emailAddress; host = "server1.vhack.eu"; - passwordFile = "${config.age.secrets.mastodonMail.path}"; + passwordFile = config.age.secrets.mastodonMail.path; }; extraConfig = { WEB_DOMAIN = "mastodon.vhack.eu"; 
@@ -22,28 +22,26 @@ in { enable = true; recommendedProxySettings = true; # required for redirections to work virtualHosts = { - "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = { + ${config.services.mastodon.extraConfig.WEB_DOMAIN} = { root = "${config.services.mastodon.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = true; enableACME = true; - locations."/system/".alias = "/var/lib/mastodon/public-system/"; - - locations."/" = { - tryFiles = "$uri @proxy"; - }; - - locations."@proxy" = { - proxyPass = "http://unix:/run/mastodon-web/web.socket"; - proxyWebsockets = true; - }; - - locations."/api/v1/streaming/" = { - proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; - proxyWebsockets = true; + locations = { + "/system/".alias = "/var/lib/mastodon/public-system/"; + "/".tryFiles = "$uri @proxy"; + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; }; }; + "vhack.eu" = { locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; }; -- cgit 1.4.1