From 68278ad983f1116e8706d7d4a353785c2759e853 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Wed, 8 May 2024 19:47:47 +0200 Subject: [PATCH] refactor: use options for config parts This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name --- hosts/default.nix | 1 + modules/caddy/default.nix | 27 +-- modules/collabora/default.nix | 6 +- modules/core/default.nix | 12 ++ modules/coturn/default.nix | 4 +- modules/drone/default.nix | 12 +- modules/forgejo/default.nix | 8 +- modules/grafana/default.nix | 12 +- modules/keycloak/default.nix | 164 ++++++++++-------- modules/loki/default.nix | 13 ++ modules/mailman/default.nix | 12 +- modules/mastodon/default.nix | 10 +- modules/matrix-irc/default.nix | 4 +- modules/matrix-telegram/default.nix | 6 +- modules/matrix/default.nix | 4 +- modules/mediawiki/default.nix | 8 +- modules/nextcloud/default.nix | 6 +- modules/nginx-mastodon-files/default.nix | 7 +- modules/nginx-mastodon/default.nix | 6 +- modules/nginx-matrix/default.nix | 18 +- .../nginx-prometheus-exporters/default.nix | 2 +- modules/nginx-website/default.nix | 23 +-- modules/nginx/default.nix | 2 +- modules/obs-portal/default.nix | 14 +- modules/owncast/default.nix | 2 +- modules/prometheus/default.nix | 4 +- modules/promtail/default.nix | 2 +- modules/searx/default.nix | 8 +- modules/tmate/default.nix | 4 +- 29 files changed, 209 insertions(+), 192 deletions(-) diff --git a/hosts/default.nix b/hosts/default.nix index ffd9fca0..c17b5cc3 100644 --- a/hosts/default.nix 
+++ b/hosts/default.nix @@ -49,6 +49,7 @@ self.nixosModules.overlays self.nixosModules.core + self.nixosModules.keycloak self.nixosModules.caddy self.nixosModules.drone self.nixosModules.forgejo-actions-runner diff --git a/modules/caddy/default.nix b/modules/caddy/default.nix index cc3acf61..ee6c4c4c 100644 --- a/modules/caddy/default.nix +++ b/modules/caddy/default.nix @@ -5,11 +5,7 @@ , ... }: { - systemd.tmpfiles.rules = [ - "d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -" - ]; - - services.caddy = { + services.caddy = { enable = lib.mkForce true; group = config.pub-solar-os.authentication.robot.username; email = config.pub-solar-os.adminEmail; @@ -17,27 +13,6 @@ globalConfig = lib.mkForce '' grace_period 60s ''; - virtualHosts = { - "flora-6.pub.solar" = { - logFormat = lib.mkForce '' - output discard - ''; - extraConfig = '' - basicauth * { - ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. - } - reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} - ''; - }; - "obs-portal.pub.solar" = { - logFormat = lib.mkForce '' - output discard - ''; - extraConfig = '' - reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000 - ''; - }; - }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/modules/collabora/default.nix b/modules/collabora/default.nix index 1edebee4..36f8aa7d 100644 --- a/modules/collabora/default.nix +++ b/modules/collabora/default.nix @@ -4,7 +4,7 @@ , self , ... }: { - services.nginx.virtualHosts."collabora.pub.solar" = { + services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; 
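Review bot: The second caddy hunk drops the `obs-portal.pub.solar` virtual host and the first drops the `/data/srv/www/os/download/` tmpfiles rule, and neither removal has a replacement anywhere in this patch (the `flora-6` host reappears in modules/loki, the obs-portal proxy does not). If flora-6 is no longer meant to proxy obs-portal this is fine, but the commit message only describes the option refactor, so a line there such as `* drop the flora-6 caddy proxy for obs-portal and the unused download tmpfiles rule` would record the intent. If the proxy is still needed, the obs-portal block should move to modules/obs-portal next to its nginx host, the way the flora-6 block moved to loki.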
@@ -32,8 +32,8 @@ "--pull=always" ]; environment = { - server_name = "collabora.pub.solar"; - aliasgroup1 = "https://cloud.pub.solar:443"; + server_name = "collabora.${config.pub-solar-os.networking.domain}"; + aliasgroup1 = "https://cloud.${config.pub-solar-os.networking.domain}:443"; DONT_GEN_SSL_CERT = "1"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true"; SLEEPFORDEBUGGER = "0"; diff --git a/modules/core/default.nix b/modules/core/default.nix index a15dbbc5..263984d5 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -12,6 +12,18 @@ type = types.str; default = "admins@pub.solar"; }; + + privacyPolicyUrl = mkOption { + description = "URL of the privacy policy. Used to link there from applications"; + type = types.str; + default = "https://pub.solar/privacy"; + }; + + imprintUrl = mkOption { + description = "URL of the imprint. Used to link there from applications"; + type = types.str; + default = "https://pub.solar/about"; + }; }; config = { diff --git a/modules/coturn/default.nix b/modules/coturn/default.nix index 93bea420..0bf3bc65 100644 --- a/modules/coturn/default.nix +++ b/modules/coturn/default.nix @@ -14,7 +14,7 @@ max-port = 50000; use-auth-secret = true; static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; - realm = "turn.pub.solar"; + realm = "turn.${config.pub-solar-os.networking.domain}"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = @@ -89,7 +89,7 @@ services.nginx.virtualHosts.${config.services.coturn.realm} = { enableACME = true; addSSL = true; - globalRedirect = "pub.solar"; + globalRedirect = "${config.pub-solar-os.networking.domain}"; }; users.users.nginx.extraGroups = [ "turnserver" ]; diff --git a/modules/drone/default.nix b/modules/drone/default.nix index 84d254e3..48bc1e14 100644 --- a/modules/drone/default.nix +++ b/modules/drone/default.nix 
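Review bot: The new `privacyPolicyUrl` and `imprintUrl` defaults hardcode `https://pub.solar/...` while the rest of this patch derives every host name from `config.pub-solar-os.networking.domain`, so reusing the modules with another domain silently keeps pub.solar links unless both options are overridden. If this module receives `config` (its header is outside the hunk), `default = "https://${config.pub-solar-os.networking.domain}/privacy";` and `default = "https://${config.pub-solar-os.networking.domain}/about";` keep the current values and follow the domain. The two descriptions could also end with a period, as the existing `adminEmail` option's style in NixOS docs expects.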
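Review bot: `globalRedirect = "${config.pub-solar-os.networking.domain}";` wraps an already-string value in an interpolation, which is redundant in Nix; `globalRedirect = config.pub-solar-os.networking.domain;` is the idiomatic form, as the searx hunk (`privacypolicy_url = config.pub-solar-os.privacyPolicyUrl;`) and the nginx hunk in this same patch already do. The same pattern appears in mastodon `localDomain`, matrix-irc and matrix-telegram `domain`, and matrix `serverDomain`.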
@@ -30,7 +30,7 @@ "d '/var/lib/drone-db' 0750 drone drone - -" ]; - services.caddy.virtualHosts."ci.pub.solar" = { + services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = { logFormat = lib.mkForce '' output discard ''; @@ -87,11 +87,11 @@ extraOptions = [ "--network=drone-net" "--pull=always" - "--add-host=nachtigall.pub.solar:10.7.6.1" + "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1" ]; environment = { - DRONE_GITEA_SERVER = "https://git.pub.solar"; - DRONE_SERVER_HOST = "ci.pub.solar"; + DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}"; + DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}"; DRONE_SERVER_PROTO = "https"; DRONE_DATABASE_DRIVER = "postgres"; }; @@ -111,10 +111,10 @@ extraOptions = [ "--network=drone-net" "--pull=always" - "--add-host=nachtigall.pub.solar:10.7.6.1" + "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1" ]; environment = { - DRONE_RPC_HOST = "ci.pub.solar"; + DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}"; DRONE_RPC_PROTO = "https"; DRONE_RUNNER_CAPACITY = "2"; DRONE_RUNNER_NAME = "flora-6-docker-runner"; diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix index 397503d9..84218a70 100644 --- a/modules/forgejo/default.nix +++ b/modules/forgejo/default.nix @@ -29,7 +29,7 @@ user = "gitea"; }; - services.nginx.virtualHosts."git.pub.solar" = { + services.nginx.virtualHosts."git.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; @@ -78,8 +78,8 @@ DEFAULT.APP_NAME = "pub.solar git server"; server = { - ROOT_URL = "https://git.pub.solar"; - DOMAIN = "git.pub.solar"; + ROOT_URL = "https://git.${config.pub-solar-os.networking.domain}"; + DOMAIN = "git.${config.pub-solar-os.networking.domain}"; HTTP_ADDR = "127.0.0.1"; HTTP_PORT = 3000; START_SSH_SERVER = true; 
@@ -123,7 +123,7 @@ # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook webhook = { - ALLOWED_HOST_LIST = "loopback,external,*.pub.solar"; + ALLOWED_HOST_LIST = "loopback,external,*.${config.pub-solar-os.networking.domain}"; }; # See https://forgejo.org/docs/latest/admin/actions/ diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix index cbd7ba8c..9df0b73e 100644 --- a/modules/grafana/default.nix +++ b/modules/grafana/default.nix @@ -33,7 +33,7 @@ }; }; - services.caddy.virtualHosts."grafana.pub.solar" = { + services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = { logFormat = lib.mkForce '' output discard ''; @@ -51,8 +51,8 @@ # and Port http_port = 3000; # Grafana needs to know on which domain and URL it's running - domain = "grafana.pub.solar"; - root_url = "https://grafana.pub.solar"; + domain = "grafana.${config.pub-solar-os.networking.domain}"; + root_url = "https://grafana.${config.pub-solar-os.networking.domain}"; enable_gzip = true; }; smtp = { @@ -78,9 +78,9 @@ email_attribute_path = "email"; login_attribute_path = "preferred_username"; name_attribute_path = "full_name"; - auth_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/auth"; - token_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/token"; - api_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/userinfo"; + auth_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/auth"; + token_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/token"; + api_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/userinfo"; role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Viewer'"; allow_assign_grafana_admin = true; }; 
diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix index 81b46ec5..ebf11b25 100644 --- a/modules/keycloak/default.nix +++ b/modules/keycloak/default.nix 
@@ -4,93 +4,105 @@ , pkgs , ... }: { - age.secrets.keycloak-database-password = { - file = "${flake.self}/secrets/keycloak-database-password.age"; - mode = "600"; - #owner = "keycloak"; + options.pub-solar-os.auth = with lib; { + enable = mkEnableOption "Enable keycloak to run on the node"; + + realm = mkOption { + description = "Name of the realm"; + type = types.str; + default = config.pub-solar-os.networking.domain; + }; }; - services.nginx.virtualHosts."auth.pub.solar" = { - enableACME = true; - forceSSL = true; + config = lib.mkIf config.pub-solar-os.auth.enable { + age.secrets.keycloak-database-password = { + file = "${flake.self}/secrets/keycloak-database-password.age"; + mode = "600"; + #owner = "keycloak"; + }; - locations = { - "= /" = { - extraConfig = '' - return 302 /realms/pub.solar/account; - ''; - }; + services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = { + enableACME = true; + forceSSL = true; - "/" = { - extraConfig = '' - proxy_pass http://127.0.0.1:8080; - proxy_buffer_size 8k; - ''; + locations = { + "= /" = { + extraConfig = '' + return 302 /realms/${config.pub-solar-os.auth.realm}/account; + ''; + }; + + "/" = { + extraConfig = '' + proxy_pass http://127.0.0.1:8080; + proxy_buffer_size 8k; + ''; + }; }; }; - }; - # keycloak - services.keycloak = { - enable = true; - database.passwordFile = config.age.secrets.keycloak-database-password.path; - settings = { - hostname = "auth.pub.solar"; - http-host = "127.0.0.1"; - http-port = 8080; - proxy = "edge"; - features = "declarative-user-profile"; + # keycloak + services.keycloak = { + enable = true; + database.passwordFile = config.age.secrets.keycloak-database-password.path; + settings = { + hostname = "auth.${config.pub-solar-os.networking.domain}"; + http-host = "127.0.0.1"; + http-port = 8080; + proxy = "edge"; + features = "declarative-user-profile"; + }; + themes = { + "pub.solar" = 
flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar; + }; }; - themes = { - "pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar; - }; - }; - services.restic.backups.keycloak-droppie = { - paths = [ - "/tmp/keycloak-backup.sql" - ]; - timerConfig = { - OnCalendar = "*-*-* 02:00:00 Etc/UTC"; - # droppie will be offline if nachtigall misses the timer - Persistent = false; + services.restic.backups.keycloak-droppie = { + paths = [ + "/tmp/keycloak-backup.sql" + ]; + timerConfig = { + OnCalendar = "*-*-* 02:00:00 Etc/UTC"; + # droppie will be offline if nachtigall misses the timer + Persistent = false; + }; + initialize = true; + passwordFile = config.age.secrets."restic-repo-droppie".path; + repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar"; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql + ''; + backupCleanupCommand = '' + rm /tmp/keycloak-backup.sql + ''; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; }; - initialize = true; - passwordFile = config.age.secrets."restic-repo-droppie".path; - repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar"; - backupPrepareCommand = '' - ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql - ''; - backupCleanupCommand = '' - rm /tmp/keycloak-backup.sql - ''; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; - }; - services.restic.backups.keycloak-storagebox = { - paths = [ - "/tmp/keycloak-backup.sql" - ]; - timerConfig = { - OnCalendar = "*-*-* 04:10:00 Etc/UTC"; + services.restic.backups.keycloak-storagebox = { + paths = [ + "/tmp/keycloak-backup.sql" + ]; + timerConfig = { + OnCalendar = "*-*-* 04:10:00 Etc/UTC"; + }; + initialize = true; + passwordFile = config.age.secrets."restic-repo-storagebox".path; + 
repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql + ''; + backupCleanupCommand = '' + rm /tmp/keycloak-backup.sql + ''; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; }; - initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; - repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; - backupPrepareCommand = '' - ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql - ''; - backupCleanupCommand = '' - rm /tmp/keycloak-backup.sql - ''; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; }; } diff --git a/modules/loki/default.nix b/modules/loki/default.nix index 5e7a8cc7..3aae445b 100644 --- a/modules/loki/default.nix +++ b/modules/loki/default.nix @@ -4,6 +4,19 @@ , flake , ... }: { + services.caddy.virtualHosts = { + "flora-6.${config.pub-solar-os.networking.domain}" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + basicauth * { + ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. + } + reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} + ''; + }; + }; # source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e # https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml services.loki = { diff --git a/modules/mailman/default.nix b/modules/mailman/default.nix index 01ea8cc2..ff590b55 100644 --- a/modules/mailman/default.nix +++ b/modules/mailman/default.nix @@ -9,7 +9,7 @@ users.users.nginx.extraGroups = [ "mailman" ]; - services.nginx.virtualHosts."list.pub.solar" = { + services.nginx.virtualHosts."list.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; }; 
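Review bot: `enable = mkEnableOption ...` defaults to false and no file in this patch sets `pub-solar-os.auth.enable = true`, so once hosts/default.nix imports the module everywhere the whole `config = lib.mkIf ...` body — the nginx host, the keycloak service and both restic backups — is disabled on the node that currently runs it until a host sets the option; the diffstat lists no host file beyond hosts/default.nix. Either this commit or an accompanying host change needs `pub-solar-os.auth.enable = true;`, and the description should say which. Separately, `mkEnableOption` prefixes its argument with "Whether to enable", so the generated documentation reads "Whether to enable Enable keycloak to run on the node"; `enable = mkEnableOption "keycloak on this node";` reads correctly.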
@@ -24,15 +24,15 @@ enable = true; relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; # get TLS certs for list.pub.solar from acme - sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem"; - sslKey = "/var/lib/acme/list.pub.solar/key.pem"; + sslCert = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem"; + sslKey = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/key.pem"; config = { transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; }; rootAlias = "admins@pub.solar"; postmasterAlias = "admins@pub.solar"; - hostname = "list.pub.solar"; + hostname = "list.${config.pub-solar-os.networking.domain}"; }; systemd.paths.watcher-acme-ssl-file = { @@ -40,7 +40,7 @@ documentation = [ "systemd.path(5)" ]; partOf = [ "postfix-reload.service" ]; pathConfig = { - PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem"; + PathChanged = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem"; Unit = "postfix-reload.service"; }; wantedBy = [ "multi-user.target" ]; @@ -64,7 +64,7 @@ enable = true; serve.enable = true; hyperkitty.enable = true; - webHosts = [ "list.pub.solar" ]; + webHosts = [ "list.${config.pub-solar-os.networking.domain}" ]; siteOwner = "admins@pub.solar"; }; diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix index 3df8efd5..d490440e 100644 --- a/modules/mastodon/default.nix +++ b/modules/mastodon/default.nix @@ -38,7 +38,7 @@ services.mastodon = { enable = true; # Different from WEB_DOMAIN in our case - localDomain = "pub.solar"; + localDomain = "${config.pub-solar-os.networking.domain}"; enableUnixSocket = true; # Number of processes used by the mastodon-streaming service # Recommended is the amount of your CPU cores minus one 
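Review bot: `rootAlias`, `postmasterAlias` and `siteOwner` stay hardcoded to `admins@pub.solar` in the context around the changed lines while this same patch switches modules/nginx's `acmeEmailAddress` to `config.pub-solar-os.adminEmail`, so the mailman module remains tied to one domain. Using `config.pub-solar-os.adminEmail` in those three places keeps the current value (its default is `admins@pub.solar` per the core hunk) and matches the rest of the refactor. The untouched comment `# get TLS certs for list.pub.solar from acme` above the changed `sslCert` line now names a host the code no longer spells out; `# get TLS certs for the list.<domain> vhost from acme` keeps it accurate.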
@@ -68,7 +68,7 @@ "/run/agenix/mastodon-extra-env-secrets" ]; extraConfig = { - WEB_DOMAIN = "mastodon.pub.solar"; + WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}"; # Defined in ./opensearch.nix ES_HOST = "127.0.0.1"; # S3 File storage (optional) @@ -77,7 +77,7 @@ S3_BUCKET = "pub-solar-mastodon"; S3_REGION = "europe-west-1"; S3_ENDPOINT = "https://gateway.tardigradeshare.io"; - S3_ALIAS_HOST = "files.pub.solar"; + S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}"; # Translation (optional) # ----------------------- DEEPL_PLAN = "free"; @@ -85,11 +85,11 @@ # -------------- OIDC_ENABLED = "true"; OIDC_DISPLAY_NAME = "pub.solar ID"; - OIDC_ISSUER = "https://auth.pub.solar/realms/pub.solar"; + OIDC_ISSUER = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}"; OIDC_DISCOVERY = "true"; OIDC_SCOPE = "openid,profile,email"; OIDC_UID_FIELD = "preferred_username"; - OIDC_REDIRECT_URI = "https://mastodon.pub.solar/auth/auth/openid_connect/callback"; + OIDC_REDIRECT_URI = "https://mastodon.${config.pub-solar-os.networking.domain}/auth/auth/openid_connect/callback"; OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"; # only use OIDC for login / registration OMNIAUTH_ONLY = "true"; diff --git a/modules/matrix-irc/default.nix b/modules/matrix-irc/default.nix index fb2c1e07..e7b3597c 100644 --- a/modules/matrix-irc/default.nix +++ b/modules/matrix-irc/default.nix @@ -25,9 +25,9 @@ in registrationUrl = "http://localhost:8010"; settings = { homeserver = { - domain = "pub.solar"; + domain = "${config.pub-solar-os.networking.domain}"; url = "http://127.0.0.1:${synapseClientPort}"; - media_url = "https://matrix.pub.solar"; + media_url = "https://matrix.${config.pub-solar-os.networking.domain}"; enablePresence = false; }; ircService = { diff --git a/modules/matrix-telegram/default.nix b/modules/matrix-telegram/default.nix index 776c8db5..2742a4ff 100644 --- a/modules/matrix-telegram/default.nix 
+++ b/modules/matrix-telegram/default.nix @@ -13,7 +13,7 @@ homeserver = { # TODO: Use the port from synapse config address = "http://127.0.0.1:8008"; - domain = "pub.solar"; + domain = "${config.pub-solar-os.networking.domain}"; verify_ssl = true; }; appservice = { @@ -34,7 +34,7 @@ }; public = { enabled = true; - external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; + external = "https://matrix.${config.pub-solar-os.networking.domain}/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; }; }; @@ -140,7 +140,7 @@ username_template = "telegram_{userid}"; permissions = { - "pub.solar" = "full"; + "${config.pub-solar-os.networking.domain}" = "full"; }; }; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index dd799100..433b7fac 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -1,7 +1,7 @@ { flake, config, pkgs, ... }: let - publicDomain = "matrix.pub.solar"; - serverDomain = "pub.solar"; + publicDomain = "matrix.${config.pub-solar-os.networking.domain}"; + serverDomain = "${config.pub-solar-os.networking.domain}"; in { age.secrets."matrix-synapse-signing-key" = { diff --git a/modules/mediawiki/default.nix b/modules/mediawiki/default.nix index 9011fbaf..0eca621a 100644 --- a/modules/mediawiki/default.nix +++ b/modules/mediawiki/default.nix 
@@ -26,14 +26,14 @@ let ## For more information on customizing the URLs ## (like /w/index.php/Page_title to /wiki/Page_title) please see: ## https://www.mediawiki.org/wiki/Manual:Short_URL - $wgScriptPath = "https://wiki.pub.solar"; + $wgScriptPath = "https://wiki.${config.pub-solar-os.networking.domain}"; ## https://www.mediawiki.org/wiki/Manual:Short_URL ## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues $wgArticlePath = "/index.php/$1"; ## The protocol and server name to use in fully-qualified URLs - $wgServer = "https://wiki.pub.solar"; + $wgServer = "https://wiki.${config.pub-solar-os.networking.domain}"; ## The URL path to static resources (images, scripts, etc.) $wgResourceBasePath = $wgScriptPath; @@ -143,7 +143,7 @@ let $wgPluggableAuth_Config[] = [ 'plugin' => 'OpenIDConnect', 'data' => [ - 'providerURL' => 'https://auth.pub.solar/realms/pub.solar', + 'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}', 'clientID' => 'mediawiki', 'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret')) ] @@ -189,7 +189,7 @@ in ''; }; - services.nginx.virtualHosts."wiki.pub.solar" = { + services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix index bed4c04d..1d478638 100644 --- a/modules/nextcloud/default.nix +++ b/modules/nextcloud/default.nix @@ -16,13 +16,13 @@ owner = "nextcloud"; }; - services.nginx.virtualHosts."cloud.pub.solar" = { + services.nginx.virtualHosts."cloud.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; }; services.nextcloud = { - hostName = "cloud.pub.solar"; + hostName = "cloud.${config.pub-solar-os.networking.domain}"; home = "/var/lib/nextcloud"; enable = true; 
@@ -50,7 +50,7 @@ }; extraOptions = { - overwrite.cli.url = "http://cloud.pub.solar"; + overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}"; installed = true; default_phone_region = "+49"; diff --git a/modules/nginx-mastodon-files/default.nix b/modules/nginx-mastodon-files/default.nix index 8ca4499f..ec93783a 100644 --- a/modules/nginx-mastodon-files/default.nix +++ b/modules/nginx-mastodon-files/default.nix @@ -1,4 +1,7 @@ -{ ... }: +{ + config, + ... +}: let objStorHost = "link.tardigradeshare.io"; @@ -6,7 +9,7 @@ let in { services.nginx.virtualHosts = { - "files.pub.solar" = { + "files.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; diff --git a/modules/nginx-mastodon/default.nix b/modules/nginx-mastodon/default.nix index 5e9f9b02..791974f7 100644 --- a/modules/nginx-mastodon/default.nix +++ b/modules/nginx-mastodon/default.nix @@ -5,7 +5,7 @@ in { services.nginx = { virtualHosts = { - "mastodon.pub.solar" = { + "mastodon.${config.pub-solar-os.networking.domain}" = { root = "${cfg.package}/public/"; # mastodon only supports https, but you can override this if you offload tls elsewhere. forceSSL = lib.mkDefault true; @@ -16,11 +16,11 @@ in ''; locations."/auth/confirmation/new".extraConfig = '' - return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon; ''; locations."/auth/password/new".extraConfig = '' - return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon; ''; locations."/system/".alias = "/var/lib/mastodon/public-system/"; 
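Review bot: The changed `overwrite.cli.url` still uses the `http://` scheme while the `cloud.<domain>` nginx host in the previous hunk sets `forceSSL = true`, so URLs nextcloud builds from cron or occ runs would point at a scheme that only redirects. If the scheme is not deliberate, `overwrite.cli.url = "https://cloud.${config.pub-solar-os.networking.domain}";` aligns it with the vhost; the rest of `extraOptions` is outside the hunk, so I cannot tell whether an `overwriteprotocol` entry already covers this.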
diff --git a/modules/nginx-matrix/default.nix b/modules/nginx-matrix/default.nix index dc978e6e..a1f760eb 100644 --- a/modules/nginx-matrix/default.nix +++ b/modules/nginx-matrix/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, ... }: +{ lib, pkgs, config, ... }: let commonHeaders = '' add_header Permissions-Policy interest-cohort=() always; @@ -44,7 +44,7 @@ let role = "m.role.admin"; } ]; - support_page = "https://pub.solar/about"; + support_page = "https://${config.pub-solar-os.networking.domain}/about"; }; mkWellKnown = data: '' add_header Content-Type application/json; @@ -64,11 +64,11 @@ in # This is already in production use # ##################################### - "pub.solar" = { - locations = wellKnownLocations "pub.solar"; + "${config.pub-solar-os.networking.domain}" = { + locations = wellKnownLocations "${config.pub-solar-os.networking.domain}"; }; - "chat.pub.solar" = { + "chat.${config.pub-solar-os.networking.domain}" = { forceSSL = true; enableACME = true; root = pkgs.element-web.override { @@ -76,13 +76,13 @@ in }; }; - "stickers.chat.pub.solar" = { + "stickers.chat.${config.pub-solar-os.networking.domain}" = { forceSSL = true; enableACME = true; root = pkgs.element-stickerpicker; }; - "matrix.pub.solar" = { + "matrix.${config.pub-solar-os.networking.domain}" = { root = "/dev/null"; forceSSL = lib.mkDefault true; @@ -122,8 +122,8 @@ in }; }; }; - "matrix.pub.solar-federation" = { - serverName = "matrix.pub.solar"; + "matrix.${config.pub-solar-os.networking.domain}-federation" = { + serverName = "matrix.${config.pub-solar-os.networking.domain}"; forceSSL = lib.mkDefault true; enableACME = lib.mkDefault true; listen = [{ diff --git a/modules/nginx-prometheus-exporters/default.nix b/modules/nginx-prometheus-exporters/default.nix index af5678c7..2edc9694 100644 --- a/modules/nginx-prometheus-exporters/default.nix +++ b/modules/nginx-prometheus-exporters/default.nix 
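Review bot: `support_page = "https://${config.pub-solar-os.networking.domain}/about";` rebuilds the imprint URL by hand although this patch introduces `config.pub-solar-os.imprintUrl` in modules/core with exactly `https://pub.solar/about` as its default, and modules/obs-portal already consumes it. `support_page = config.pub-solar-os.imprintUrl;` keeps the value and means a single override changes every place that links to the imprint.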
@@ -17,7 +17,7 @@ in owner = "nginx"; }; services.nginx.virtualHosts = { - "nachtigall.pub.solar" = { + "nachtigall.${config.pub-solar-os.networking.domain}" = { enableACME = true; addSSL = true; basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}"; diff --git a/modules/nginx-website/default.nix b/modules/nginx-website/default.nix index 3611d48d..03d21176 100644 --- a/modules/nginx-website/default.nix +++ b/modules/nginx-website/default.nix @@ -1,10 +1,11 @@ -{ lib, ... }: { +{ + lib, config, ... }: { systemd.tmpfiles.rules = [ - "d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -" + "d '/srv/www/${config.pub-solar-os.networking.domain}' 0750 hakkonaut hakkonaut - -" ]; services.nginx.virtualHosts = { - "www.pub.solar" = { + "www.${config.pub-solar-os.networking.domain}" = { enableACME = true; addSSL = true; @@ -15,12 +16,12 @@ locations."/" = { extraConfig = '' - return 301 https://pub.solar$request_uri; + return 301 https://${config.pub-solar-os.networking.domain}$request_uri; ''; }; }; - "pub.solar" = { + "${config.pub-solar-os.networking.domain}" = { default = true; enableACME = true; forceSSL = true; @@ -35,7 +36,7 @@ # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/ "/.well-known/host-meta" = { extraConfig = '' - return 301 https://mastodon.pub.solar$request_uri; + return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri; ''; }; 
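Review bot: The new module header is split as `{` on one line and ` lib, config, ... }: {` on the next, which matches neither the one-line form used elsewhere in this patch (`{ lib, pkgs, config, ... }:` in nginx-matrix) nor the one-argument-per-line form (nginx-mastodon-files); `{ lib, config, ... }: {` on a single line is the consistent choice. The tmate hunk has the related `{ config,... }:` with a missing space after the comma, which should read `{ config, ... }:`. Running a Nix formatter over the touched files would catch both.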
@@ -44,11 +45,11 @@ # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon extraConfig = '' if ($arg_resource) { - return 301 https://mastodon.pub.solar$request_uri; + return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri; } add_header Content-Type text/plain; - return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.pub.solar/realms/pub.solar"\n }\n ]\n}'; + return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.${config.pub-solar-os.networking.domain}/realms/pub.solar"\n }\n ]\n}'; ''; }; @@ -59,7 +60,7 @@ "Expires: 2025-01-04T23:00:00.000Z" "Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3" "Preferred-Languages: en,de" - "Canonical: https://pub.solar/.well-known/security.txt" + "Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt" ]; in { extraConfig = '' @@ -70,12 +71,12 @@ "/satzung" = { extraConfig = '' - return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs; + return 302 https://cloud.${config.pub-solar-os.networking.domain}/s/iaKqiW25QJpHPYs; ''; }; "/" = { - root = "/srv/www/pub.solar"; + root = "/srv/www/${config.pub-solar-os.networking.domain}"; index = "index.html"; tryFiles = "$uri $uri/ =404"; }; diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix index 01e933c5..ff462d0f 100644 --- a/modules/nginx/default.nix +++ b/modules/nginx/default.nix @@ -5,7 +5,7 @@ , ... }: let - acmeEmailAddress = "admins@pub.solar"; + acmeEmailAddress = config.pub-solar-os.adminEmail; webserverGroup = "hakkonaut"; in { diff --git a/modules/obs-portal/default.nix b/modules/obs-portal/default.nix index c182b8e8..57906635 100644 --- a/modules/obs-portal/default.nix +++ b/modules/obs-portal/default.nix 
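Review bot: The rewritten webfinger `return 200 '{ ... "href": "https://auth.${config.pub-solar-os.networking.domain}/realms/pub.solar" ... }'` line parameterizes the auth host but leaves the realm path as the literal `pub.solar`, whereas every other issuer URL in this patch (grafana, mastodon, mediawiki, nginx-mastodon, obs-portal) uses `${config.pub-solar-os.auth.realm}`. With `realm` defaulting to the domain the two only coincide for pub.solar itself; a reused module would advertise an OIDC issuer that does not exist on the auth host. Change the path to `/realms/${config.pub-solar-os.auth.realm}` and, for the same reason, consider `"acct:${config.pub-solar-os.adminEmail}"` for the subject.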
@@ -4,7 +4,7 @@ , self , flake , ... -}: let +}: let configPy = pkgs.writeText "obs-portal-config.py" '' DEBUG = False VERBOSE = DEBUG @@ -14,8 +14,8 @@ FRONTEND_URL = None FRONTEND_HTTPS = True FRONTEND_DIR = "../frontend/build/" FRONTEND_CONFIG = { - "imprintUrl": "https://pub.solar/about", - "privacyPolicyUrl": "https://pub.solar/privacy", + "imprintUrl": "${config.pub-solar-os.imprintUrl}", + "privacyPolicyUrl": "${config.pub-solar-os.privacyPolicyUrl}", "mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97}, "banner": { "text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.", @@ -27,15 +27,15 @@ ADDITIONAL_CORS_ORIGINS = None ''; env = { - OBS_KEYCLOAK_URI = "auth.pub.solar"; - OBS_PORTAL_URI = "obs-portal.pub.solar"; + OBS_KEYCLOAK_URI = "auth.${config.pub-solar-os.networking.domain}"; + OBS_PORTAL_URI = "obs-portal.${config.pub-solar-os.networking.domain}"; OBS_POSTGRES_MAX_OVERFLOW = "20"; OBS_POSTGRES_POOL_SIZE = "40"; OBS_HOST = "0.0.0.0"; OBS_PORT = "3000"; - OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/"; + OBS_KEYCLOAK_URL = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/"; OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal"; OBS_DEDICATED_WORKER = "True"; OBS_DATA_DIR = "/data"; @@ -66,7 +66,7 @@ in { ''; }; - services.nginx.virtualHosts."obs-portal.pub.solar" = { + services.nginx.virtualHosts."obs-portal.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; diff --git a/modules/owncast/default.nix b/modules/owncast/default.nix index c5026a41..5512c3c4 100644 --- a/modules/owncast/default.nix +++ b/modules/owncast/default.nix @@ -4,7 +4,7 @@ , pkgs , ... }: { - services.nginx.virtualHosts."stream.pub.solar" = { + services.nginx.virtualHosts."stream.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; locations."/" = { 
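Review bot: In the `FRONTEND_CONFIG` hunk the option values are spliced into a Python dict literal as `"imprintUrl": "${config.pub-solar-os.imprintUrl}",`, so an override containing a double quote or backslash produces an unparsable config.py rather than a build failure. Emitting them as JSON literals, `"imprintUrl": ${builtins.toJSON config.pub-solar-os.imprintUrl},` and the same for `privacyPolicyUrl`, yields valid Python string syntax for every input. The `OBS_KEYCLOAK_URL` line in the following hunk correctly picks up `auth.realm`.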
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 11bc0bf0..5b0356c0 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -43,7 +43,7 @@ password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; }; static_configs = [{ - targets = [ "nachtigall.pub.solar" ]; + targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; labels = { instance = "nachtigall"; }; @@ -58,7 +58,7 @@ password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; }; static_configs = [{ - targets = [ "nachtigall.pub.solar" ]; + targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; labels = { instance = "nachtigall"; }; diff --git a/modules/promtail/default.nix b/modules/promtail/default.nix index 10e641e6..8ffc9bb2 100644 --- a/modules/promtail/default.nix +++ b/modules/promtail/default.nix @@ -21,7 +21,7 @@ filename = "/tmp/positions.yaml"; }; clients = [{ - url = "https://flora-6.pub.solar/loki/api/v1/push"; + url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push"; basic_auth = { username = "hakkonaut"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; diff --git a/modules/searx/default.nix b/modules/searx/default.nix index febe91b2..d4c3b731 100644 --- a/modules/searx/default.nix +++ b/modules/searx/default.nix @@ -10,7 +10,7 @@ mode = "600"; }; - services.nginx.virtualHosts."search.pub.solar" = { + services.nginx.virtualHosts."search.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true; 
@@ -38,14 +38,14 @@ use_default_settings = true; server = { - base_url = "https://search.pub.solar"; + base_url = "https://search.${config.pub-solar-os.networking.domain}"; secret_key = "@SEARX_SECRET_KEY@"; }; general = { debug = false; - instance_name = "search.pub.solar"; - privacypolicy_url = "https://pub.solar/privacy"; + instance_name = "search.${config.pub-solar-os.networking.domain}"; + privacypolicy_url = config.pub-solar-os.privacyPolicyUrl; # use true to use your own donation page written in searx/info/en/donate.md # use false to disable the donation link donation_url = false; diff --git a/modules/tmate/default.nix b/modules/tmate/default.nix index 59018d30..18a4c1db 100644 --- a/modules/tmate/default.nix +++ b/modules/tmate/default.nix @@ -1,9 +1,9 @@ -{ ... }: +{ config,... }: { services.tmate-ssh-server = { enable = true; port = 2222; openFirewall = true; - host = "tmate.pub.solar"; + host = "tmate.${config.pub-solar-os.networking.domain}"; }; }