refactor: use options for config parts

This works towards having reusable modules

* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicyUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
  This is needed because `config.pub-solar-os.auth` has to be available
  everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
Benjamin Yule Bädorf 2024-05-08 19:47:47 +02:00
parent aa7ab4bc6b
commit 68278ad983
Signed by untrusted user: b12f
GPG key ID: 729956E1124F8F26
29 changed files with 209 additions and 192 deletions


@ -49,6 +49,7 @@
self.nixosModules.overlays self.nixosModules.overlays
self.nixosModules.core self.nixosModules.core
self.nixosModules.keycloak
self.nixosModules.caddy self.nixosModules.caddy
self.nixosModules.drone self.nixosModules.drone
self.nixosModules.forgejo-actions-runner self.nixosModules.forgejo-actions-runner


@ -5,11 +5,7 @@
, ... , ...
}: }:
{ {
systemd.tmpfiles.rules = [ services.caddy = {
"d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -"
];
services.caddy = {
enable = lib.mkForce true; enable = lib.mkForce true;
group = config.pub-solar-os.authentication.robot.username; group = config.pub-solar-os.authentication.robot.username;
email = config.pub-solar-os.adminEmail; email = config.pub-solar-os.adminEmail;
@ -17,27 +13,6 @@
globalConfig = lib.mkForce '' globalConfig = lib.mkForce ''
grace_period 60s grace_period 60s
''; '';
virtualHosts = {
"flora-6.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
basicauth * {
${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
}
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
'';
};
"obs-portal.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
'';
};
};
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
} }
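Review bot: The tmpfiles rule creating `/data/srv/www/os/download/` for the robot user and the `obs-portal.pub.solar` reverse-proxy vhost are dropped here, and no replacement for either appears elsewhere in this diff; only the `flora-6` Loki vhost is re-added in the loki module. If the download directory is still written to by the robot account it will no longer be created on a fresh deploy, so either confirm the removal is intended or move the rule next to whatever consumes it. The module's argument list starts above this hunk.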


@ -4,7 +4,7 @@
, self , self
, ... , ...
}: { }: {
services.nginx.virtualHosts."collabora.pub.solar" = { services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -32,8 +32,8 @@
"--pull=always" "--pull=always"
]; ];
environment = { environment = {
server_name = "collabora.pub.solar"; server_name = "collabora.${config.pub-solar-os.networking.domain}";
aliasgroup1 = "https://cloud.pub.solar:443"; aliasgroup1 = "https://cloud.${config.pub-solar-os.networking.domain}:443";
DONT_GEN_SSL_CERT = "1"; DONT_GEN_SSL_CERT = "1";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
SLEEPFORDEBUGGER = "0"; SLEEPFORDEBUGGER = "0";


@ -12,6 +12,18 @@
type = types.str; type = types.str;
default = "admins@pub.solar"; default = "admins@pub.solar";
}; };
privacyPolicyUrl = mkOption {
description = "URL of the privacy policy. Used to link there from applications";
type = types.str;
default = "https://pub.solar/privacy";
};
imprintUrl = mkOption {
description = "URL of the imprint. Used to link there from applications";
type = types.str;
default = "https://pub.solar/about";
};
}; };
config = { config = {
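Review bot: The new `privacyPolicyUrl` and `imprintUrl` defaults are literal `https://pub.solar/...` URLs, so a deployment that overrides `pub-solar-os.networking.domain` still links to pub.solar's policy and imprint unless it also overrides both new options; the `adminEmail` default above them has the same shape. Deriving the defaults from the domain keeps the options in line with the refactor's goal, e.g. `default = "https://${config.pub-solar-os.networking.domain}/privacy";`, assuming `config` is available as a module argument in this file (the header is outside the hunk). A `defaultText` on each option would then keep the rendered option documentation readable.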


@ -14,7 +14,7 @@
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
realm = "turn.pub.solar"; realm = "turn.${config.pub-solar-os.networking.domain}";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = extraConfig =
@ -89,7 +89,7 @@
services.nginx.virtualHosts.${config.services.coturn.realm} = { services.nginx.virtualHosts.${config.services.coturn.realm} = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
globalRedirect = "pub.solar"; globalRedirect = "${config.pub-solar-os.networking.domain}";
}; };
users.users.nginx.extraGroups = [ "turnserver" ]; users.users.nginx.extraGroups = [ "turnserver" ];
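Review bot: `globalRedirect = "${config.pub-solar-os.networking.domain}";` wraps a string-valued option in an interpolation that adds nothing; `globalRedirect = config.pub-solar-os.networking.domain;` is the plain form. The same pattern appears in the mastodon `localDomain`, the matrix-irc `domain`, the mautrix-telegram `domain`, the synapse `serverDomain`, and the `wellKnownLocations "${…}"` call in the matrix nginx module, so one style pass could clean them all up. The interpolation is only needed where the domain is combined with other text.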


@ -30,7 +30,7 @@
"d '/var/lib/drone-db' 0750 drone drone - -" "d '/var/lib/drone-db' 0750 drone drone - -"
]; ];
services.caddy.virtualHosts."ci.pub.solar" = { services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce '' logFormat = lib.mkForce ''
output discard output discard
''; '';
@ -87,11 +87,11 @@
extraOptions = [ extraOptions = [
"--network=drone-net" "--network=drone-net"
"--pull=always" "--pull=always"
"--add-host=nachtigall.pub.solar:10.7.6.1" "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
]; ];
environment = { environment = {
DRONE_GITEA_SERVER = "https://git.pub.solar"; DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}";
DRONE_SERVER_HOST = "ci.pub.solar"; DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}";
DRONE_SERVER_PROTO = "https"; DRONE_SERVER_PROTO = "https";
DRONE_DATABASE_DRIVER = "postgres"; DRONE_DATABASE_DRIVER = "postgres";
}; };
@ -111,10 +111,10 @@
extraOptions = [ extraOptions = [
"--network=drone-net" "--network=drone-net"
"--pull=always" "--pull=always"
"--add-host=nachtigall.pub.solar:10.7.6.1" "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
]; ];
environment = { environment = {
DRONE_RPC_HOST = "ci.pub.solar"; DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}";
DRONE_RPC_PROTO = "https"; DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2"; DRONE_RUNNER_CAPACITY = "2";
DRONE_RUNNER_NAME = "flora-6-docker-runner"; DRONE_RUNNER_NAME = "flora-6-docker-runner";


@ -29,7 +29,7 @@
user = "gitea"; user = "gitea";
}; };
services.nginx.virtualHosts."git.pub.solar" = { services.nginx.virtualHosts."git.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -78,8 +78,8 @@
DEFAULT.APP_NAME = "pub.solar git server"; DEFAULT.APP_NAME = "pub.solar git server";
server = { server = {
ROOT_URL = "https://git.pub.solar"; ROOT_URL = "https://git.${config.pub-solar-os.networking.domain}";
DOMAIN = "git.pub.solar"; DOMAIN = "git.${config.pub-solar-os.networking.domain}";
HTTP_ADDR = "127.0.0.1"; HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000; HTTP_PORT = 3000;
START_SSH_SERVER = true; START_SSH_SERVER = true;
@ -123,7 +123,7 @@
# https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook
webhook = { webhook = {
ALLOWED_HOST_LIST = "loopback,external,*.pub.solar"; ALLOWED_HOST_LIST = "loopback,external,*.${config.pub-solar-os.networking.domain}";
}; };
# See https://forgejo.org/docs/latest/admin/actions/ # See https://forgejo.org/docs/latest/admin/actions/
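Review bot: `DEFAULT.APP_NAME = "pub.solar git server"` stays a literal while every host name in this section is now derived from the domain option, so a reuser of the module still gets a pub.solar-branded instance. The same leftover literals exist in the mailman module (`rootAlias`, `postmasterAlias` and `siteOwner` are `"admins@pub.solar"` although `config.pub-solar-os.adminEmail` exists and the acme module in this commit already uses it), in the mastodon `OIDC_DISPLAY_NAME`, and in the obs-portal banner text. The mailman aliases are a direct substitution, e.g. `rootAlias = config.pub-solar-os.adminEmail;`; the display strings probably need a name option of their own.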


@ -33,7 +33,7 @@
}; };
}; };
services.caddy.virtualHosts."grafana.pub.solar" = { services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce '' logFormat = lib.mkForce ''
output discard output discard
''; '';
@ -51,8 +51,8 @@
# and Port # and Port
http_port = 3000; http_port = 3000;
# Grafana needs to know on which domain and URL it's running # Grafana needs to know on which domain and URL it's running
domain = "grafana.pub.solar"; domain = "grafana.${config.pub-solar-os.networking.domain}";
root_url = "https://grafana.pub.solar"; root_url = "https://grafana.${config.pub-solar-os.networking.domain}";
enable_gzip = true; enable_gzip = true;
}; };
smtp = { smtp = {
@ -78,9 +78,9 @@
email_attribute_path = "email"; email_attribute_path = "email";
login_attribute_path = "preferred_username"; login_attribute_path = "preferred_username";
name_attribute_path = "full_name"; name_attribute_path = "full_name";
auth_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/auth"; auth_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/auth";
token_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/token"; token_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/token";
api_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/userinfo"; api_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/userinfo";
role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Viewer'"; role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Viewer'";
allow_assign_grafana_admin = true; allow_assign_grafana_admin = true;
}; };


@ -4,93 +4,105 @@
, pkgs , pkgs
, ... , ...
}: { }: {
age.secrets.keycloak-database-password = { options.pub-solar-os.auth = with lib; {
file = "${flake.self}/secrets/keycloak-database-password.age"; enable = mkEnableOption "Enable keycloak to run on the node";
mode = "600";
#owner = "keycloak"; realm = mkOption {
description = "Name of the realm";
type = types.str;
default = config.pub-solar-os.networking.domain;
};
}; };
services.nginx.virtualHosts."auth.pub.solar" = { config = lib.mkIf config.pub-solar-os.auth.enable {
enableACME = true; age.secrets.keycloak-database-password = {
forceSSL = true; file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
locations = { services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
"= /" = { enableACME = true;
extraConfig = '' forceSSL = true;
return 302 /realms/pub.solar/account;
'';
};
"/" = { locations = {
extraConfig = '' "= /" = {
proxy_pass http://127.0.0.1:8080; extraConfig = ''
proxy_buffer_size 8k; return 302 /realms/${config.pub-solar-os.auth.realm}/account;
''; '';
};
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8080;
proxy_buffer_size 8k;
'';
};
}; };
}; };
};
# keycloak # keycloak
services.keycloak = { services.keycloak = {
enable = true; enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path; database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = { settings = {
hostname = "auth.pub.solar"; hostname = "auth.${config.pub-solar-os.networking.domain}";
http-host = "127.0.0.1"; http-host = "127.0.0.1";
http-port = 8080; http-port = 8080;
proxy = "edge"; proxy = "edge";
features = "declarative-user-profile"; features = "declarative-user-profile";
};
themes = {
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
}; };
themes = {
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
};
services.restic.backups.keycloak-droppie = { services.restic.backups.keycloak-droppie = {
paths = [ paths = [
"/tmp/keycloak-backup.sql" "/tmp/keycloak-backup.sql"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 02:00:00 Etc/UTC"; OnCalendar = "*-*-* 02:00:00 Etc/UTC";
# droppie will be offline if nachtigall misses the timer # droppie will be offline if nachtigall misses the timer
Persistent = false; Persistent = false;
};
initialize = true;
passwordFile = config.age.secrets."restic-repo-droppie".path;
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/keycloak-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
}; };
initialize = true;
passwordFile = config.age.secrets."restic-repo-droppie".path;
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/keycloak-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
services.restic.backups.keycloak-storagebox = { services.restic.backups.keycloak-storagebox = {
paths = [ paths = [
"/tmp/keycloak-backup.sql" "/tmp/keycloak-backup.sql"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 04:10:00 Etc/UTC"; OnCalendar = "*-*-* 04:10:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/keycloak-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
}; };
initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/keycloak-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
}; };
} }
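Review bot: `enable = mkEnableOption ...` defaults to false, and nothing in this diff sets `pub-solar-os.auth.enable = true` for the host that currently runs keycloak; unless that lives in one of the changed files not shown here, the keycloak service, its nginx vhost and both restic backups silently stop being deployed once this lands. The option description will also render as "Whether to enable Enable keycloak to run on the node." because `mkEnableOption` prepends "Whether to enable"; `mkEnableOption "keycloak on this host"` reads correctly. The `realm` default tracks `networking.domain`, so the existing realm name is only preserved while the domain stays `pub.solar`; since a realm that already exists in the database is not renamed by changing this option, that coupling is worth stating in the `realm` description.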


@ -4,6 +4,19 @@
, flake , flake
, ... , ...
}: { }: {
services.caddy.virtualHosts = {
"flora-6.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
basicauth * {
${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
}
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
'';
};
};
# source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e # source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
# https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml # https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml
services.loki = { services.loki = {
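Review bot: The basicauth line `${config.pub-solar-os.authentication.robot.username} $2a$14$...` is moved verbatim into the loki module, so the module still carries a fixed password hash for one installation; for a reusable module the hash belongs in an option or an agenix-managed file like the other credentials in this commit, and keeping it in the Nix expression also leaves it in the world-readable store, as it already was. The hunk relies on `lib` and `config` being module arguments, but the function header is above the hunk, so check that `lib` is actually listed there. The `reverse_proxy` target reads `config.services.loki.configuration.server.http_listen_port`, which only resolves if the loki configuration below the hunk sets it explicitly.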


@ -9,7 +9,7 @@
users.users.nginx.extraGroups = [ "mailman" ]; users.users.nginx.extraGroups = [ "mailman" ];
services.nginx.virtualHosts."list.pub.solar" = { services.nginx.virtualHosts."list.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
@ -24,15 +24,15 @@
enable = true; enable = true;
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
# get TLS certs for list.pub.solar from acme # get TLS certs for list.pub.solar from acme
sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem"; sslCert = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
sslKey = "/var/lib/acme/list.pub.solar/key.pem"; sslKey = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/key.pem";
config = { config = {
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
}; };
rootAlias = "admins@pub.solar"; rootAlias = "admins@pub.solar";
postmasterAlias = "admins@pub.solar"; postmasterAlias = "admins@pub.solar";
hostname = "list.pub.solar"; hostname = "list.${config.pub-solar-os.networking.domain}";
}; };
systemd.paths.watcher-acme-ssl-file = { systemd.paths.watcher-acme-ssl-file = {
@ -40,7 +40,7 @@
documentation = [ "systemd.path(5)" ]; documentation = [ "systemd.path(5)" ];
partOf = [ "postfix-reload.service" ]; partOf = [ "postfix-reload.service" ];
pathConfig = { pathConfig = {
PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem"; PathChanged = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
Unit = "postfix-reload.service"; Unit = "postfix-reload.service";
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -64,7 +64,7 @@
enable = true; enable = true;
serve.enable = true; serve.enable = true;
hyperkitty.enable = true; hyperkitty.enable = true;
webHosts = [ "list.pub.solar" ]; webHosts = [ "list.${config.pub-solar-os.networking.domain}" ];
siteOwner = "admins@pub.solar"; siteOwner = "admins@pub.solar";
}; };


@ -38,7 +38,7 @@
services.mastodon = { services.mastodon = {
enable = true; enable = true;
# Different from WEB_DOMAIN in our case # Different from WEB_DOMAIN in our case
localDomain = "pub.solar"; localDomain = "${config.pub-solar-os.networking.domain}";
enableUnixSocket = true; enableUnixSocket = true;
# Number of processes used by the mastodon-streaming service # Number of processes used by the mastodon-streaming service
# Recommended is the amount of your CPU cores minus one # Recommended is the amount of your CPU cores minus one
@ -68,7 +68,7 @@
"/run/agenix/mastodon-extra-env-secrets" "/run/agenix/mastodon-extra-env-secrets"
]; ];
extraConfig = { extraConfig = {
WEB_DOMAIN = "mastodon.pub.solar"; WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}";
# Defined in ./opensearch.nix # Defined in ./opensearch.nix
ES_HOST = "127.0.0.1"; ES_HOST = "127.0.0.1";
# S3 File storage (optional) # S3 File storage (optional)
@ -77,7 +77,7 @@
S3_BUCKET = "pub-solar-mastodon"; S3_BUCKET = "pub-solar-mastodon";
S3_REGION = "europe-west-1"; S3_REGION = "europe-west-1";
S3_ENDPOINT = "https://gateway.tardigradeshare.io"; S3_ENDPOINT = "https://gateway.tardigradeshare.io";
S3_ALIAS_HOST = "files.pub.solar"; S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
# Translation (optional) # Translation (optional)
# ----------------------- # -----------------------
DEEPL_PLAN = "free"; DEEPL_PLAN = "free";
@ -85,11 +85,11 @@
# -------------- # --------------
OIDC_ENABLED = "true"; OIDC_ENABLED = "true";
OIDC_DISPLAY_NAME = "pub.solar ID"; OIDC_DISPLAY_NAME = "pub.solar ID";
OIDC_ISSUER = "https://auth.pub.solar/realms/pub.solar"; OIDC_ISSUER = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}";
OIDC_DISCOVERY = "true"; OIDC_DISCOVERY = "true";
OIDC_SCOPE = "openid,profile,email"; OIDC_SCOPE = "openid,profile,email";
OIDC_UID_FIELD = "preferred_username"; OIDC_UID_FIELD = "preferred_username";
OIDC_REDIRECT_URI = "https://mastodon.pub.solar/auth/auth/openid_connect/callback"; OIDC_REDIRECT_URI = "https://mastodon.${config.pub-solar-os.networking.domain}/auth/auth/openid_connect/callback";
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"; OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
# only use OIDC for login / registration # only use OIDC for login / registration
OMNIAUTH_ONLY = "true"; OMNIAUTH_ONLY = "true";


@ -25,9 +25,9 @@ in
registrationUrl = "http://localhost:8010"; registrationUrl = "http://localhost:8010";
settings = { settings = {
homeserver = { homeserver = {
domain = "pub.solar"; domain = "${config.pub-solar-os.networking.domain}";
url = "http://127.0.0.1:${synapseClientPort}"; url = "http://127.0.0.1:${synapseClientPort}";
media_url = "https://matrix.pub.solar"; media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
enablePresence = false; enablePresence = false;
}; };
ircService = { ircService = {


@ -13,7 +13,7 @@
homeserver = { homeserver = {
# TODO: Use the port from synapse config # TODO: Use the port from synapse config
address = "http://127.0.0.1:8008"; address = "http://127.0.0.1:8008";
domain = "pub.solar"; domain = "${config.pub-solar-os.networking.domain}";
verify_ssl = true; verify_ssl = true;
}; };
appservice = { appservice = {
@ -34,7 +34,7 @@
}; };
public = { public = {
enabled = true; enabled = true;
external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; external = "https://matrix.${config.pub-solar-os.networking.domain}/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
}; };
}; };
@ -140,7 +140,7 @@
username_template = "telegram_{userid}"; username_template = "telegram_{userid}";
permissions = { permissions = {
"pub.solar" = "full"; "${config.pub-solar-os.networking.domain}" = "full";
}; };
}; };


@ -1,7 +1,7 @@
{ flake, config, pkgs, ... }: { flake, config, pkgs, ... }:
let let
publicDomain = "matrix.pub.solar"; publicDomain = "matrix.${config.pub-solar-os.networking.domain}";
serverDomain = "pub.solar"; serverDomain = "${config.pub-solar-os.networking.domain}";
in in
{ {
age.secrets."matrix-synapse-signing-key" = { age.secrets."matrix-synapse-signing-key" = {


@ -26,14 +26,14 @@ let
## For more information on customizing the URLs ## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see: ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL ## https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "https://wiki.pub.solar"; $wgScriptPath = "https://wiki.${config.pub-solar-os.networking.domain}";
## https://www.mediawiki.org/wiki/Manual:Short_URL ## https://www.mediawiki.org/wiki/Manual:Short_URL
## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues ## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
$wgArticlePath = "/index.php/$1"; $wgArticlePath = "/index.php/$1";
## The protocol and server name to use in fully-qualified URLs ## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://wiki.pub.solar"; $wgServer = "https://wiki.${config.pub-solar-os.networking.domain}";
## The URL path to static resources (images, scripts, etc.) ## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath; $wgResourceBasePath = $wgScriptPath;
@ -143,7 +143,7 @@ let
$wgPluggableAuth_Config[] = [ $wgPluggableAuth_Config[] = [
'plugin' => 'OpenIDConnect', 'plugin' => 'OpenIDConnect',
'data' => [ 'data' => [
'providerURL' => 'https://auth.pub.solar/realms/pub.solar', 'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}',
'clientID' => 'mediawiki', 'clientID' => 'mediawiki',
'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret')) 'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
] ]
@ -189,7 +189,7 @@ in
''; '';
}; };
services.nginx.virtualHosts."wiki.pub.solar" = { services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;


@ -16,13 +16,13 @@
owner = "nextcloud"; owner = "nextcloud";
}; };
services.nginx.virtualHosts."cloud.pub.solar" = { services.nginx.virtualHosts."cloud.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
services.nextcloud = { services.nextcloud = {
hostName = "cloud.pub.solar"; hostName = "cloud.${config.pub-solar-os.networking.domain}";
home = "/var/lib/nextcloud"; home = "/var/lib/nextcloud";
enable = true; enable = true;
@ -50,7 +50,7 @@
}; };
extraOptions = { extraOptions = {
overwrite.cli.url = "http://cloud.pub.solar"; overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}";
installed = true; installed = true;
default_phone_region = "+49"; default_phone_region = "+49";


@ -1,4 +1,7 @@
{ ... }: {
config,
...
}:
let let
objStorHost = "link.tardigradeshare.io"; objStorHost = "link.tardigradeshare.io";
@ -6,7 +9,7 @@ let
in in
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"files.pub.solar" = { "files.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;


@ -5,7 +5,7 @@ in
{ {
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
"mastodon.pub.solar" = { "mastodon.${config.pub-solar-os.networking.domain}" = {
root = "${cfg.package}/public/"; root = "${cfg.package}/public/";
# mastodon only supports https, but you can override this if you offload tls elsewhere. # mastodon only supports https, but you can override this if you offload tls elsewhere.
forceSSL = lib.mkDefault true; forceSSL = lib.mkDefault true;
@ -16,11 +16,11 @@ in
''; '';
locations."/auth/confirmation/new".extraConfig = '' locations."/auth/confirmation/new".extraConfig = ''
return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
''; '';
locations."/auth/password/new".extraConfig = '' locations."/auth/password/new".extraConfig = ''
return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
''; '';
locations."/system/".alias = "/var/lib/mastodon/public-system/"; locations."/system/".alias = "/var/lib/mastodon/public-system/";


@ -1,4 +1,4 @@
{ lib, pkgs, ... }: { lib, pkgs, config, ... }:
let let
commonHeaders = '' commonHeaders = ''
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
@ -44,7 +44,7 @@ let
role = "m.role.admin"; role = "m.role.admin";
} }
]; ];
support_page = "https://pub.solar/about"; support_page = "https://${config.pub-solar-os.networking.domain}/about";
}; };
mkWellKnown = data: '' mkWellKnown = data: ''
add_header Content-Type application/json; add_header Content-Type application/json;
@ -64,11 +64,11 @@ in
# This is already in production use # # This is already in production use #
##################################### #####################################
"pub.solar" = { "${config.pub-solar-os.networking.domain}" = {
locations = wellKnownLocations "pub.solar"; locations = wellKnownLocations "${config.pub-solar-os.networking.domain}";
}; };
"chat.pub.solar" = { "chat.${config.pub-solar-os.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = pkgs.element-web.override { root = pkgs.element-web.override {
@ -76,13 +76,13 @@ in
}; };
}; };
"stickers.chat.pub.solar" = { "stickers.chat.${config.pub-solar-os.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = pkgs.element-stickerpicker; root = pkgs.element-stickerpicker;
}; };
"matrix.pub.solar" = { "matrix.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null"; root = "/dev/null";
forceSSL = lib.mkDefault true; forceSSL = lib.mkDefault true;
@ -122,8 +122,8 @@ in
}; };
}; };
}; };
"matrix.pub.solar-federation" = { "matrix.${config.pub-solar-os.networking.domain}-federation" = {
serverName = "matrix.pub.solar"; serverName = "matrix.${config.pub-solar-os.networking.domain}";
forceSSL = lib.mkDefault true; forceSSL = lib.mkDefault true;
enableACME = lib.mkDefault true; enableACME = lib.mkDefault true;
listen = [{ listen = [{


@ -17,7 +17,7 @@ in
owner = "nginx"; owner = "nginx";
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"nachtigall.pub.solar" = { "nachtigall.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}"; basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";


@ -1,10 +1,11 @@
{ lib, ... }: { {
lib, config, ... }: {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -" "d '/srv/www/${config.pub-solar-os.networking.domain}' 0750 hakkonaut hakkonaut - -"
]; ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"www.pub.solar" = { "www.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
@ -15,12 +16,12 @@
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
return 301 https://pub.solar$request_uri; return 301 https://${config.pub-solar-os.networking.domain}$request_uri;
''; '';
}; };
}; };
"pub.solar" = { "${config.pub-solar-os.networking.domain}" = {
default = true; default = true;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -35,7 +36,7 @@
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/ # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
"/.well-known/host-meta" = { "/.well-known/host-meta" = {
extraConfig = '' extraConfig = ''
return 301 https://mastodon.pub.solar$request_uri; return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri;
''; '';
}; };
@ -44,11 +45,11 @@
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
extraConfig = '' extraConfig = ''
if ($arg_resource) { if ($arg_resource) {
return 301 https://mastodon.pub.solar$request_uri; return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri;
} }
add_header Content-Type text/plain; add_header Content-Type text/plain;
return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.pub.solar/realms/pub.solar"\n }\n ]\n}'; return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.${config.pub-solar-os.networking.domain}/realms/pub.solar"\n }\n ]\n}';
''; '';
}; };
@ -59,7 +60,7 @@
"Expires: 2025-01-04T23:00:00.000Z" "Expires: 2025-01-04T23:00:00.000Z"
"Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3" "Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
"Preferred-Languages: en,de" "Preferred-Languages: en,de"
"Canonical: https://pub.solar/.well-known/security.txt" "Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt"
]; ];
in { in {
extraConfig = '' extraConfig = ''
@ -70,12 +71,12 @@
"/satzung" = { "/satzung" = {
extraConfig = '' extraConfig = ''
return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs; return 302 https://cloud.${config.pub-solar-os.networking.domain}/s/iaKqiW25QJpHPYs;
''; '';
}; };
"/" = { "/" = {
root = "/srv/www/pub.solar"; root = "/srv/www/${config.pub-solar-os.networking.domain}";
index = "index.html"; index = "index.html";
tryFiles = "$uri $uri/ =404"; tryFiles = "$uri $uri/ =404";
}; };
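Review bot: The OpenID issuer in the `/.well-known/webfinger` response still ends in `/realms/pub.solar` while every other OIDC URL in this commit uses `${config.pub-solar-os.auth.realm}`, so a deployment with a different realm advertises an issuer that does not exist; change it to `"href": "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}"`. The `acct:admins@pub.solar` subject on the same line could use `config.pub-solar-os.adminEmail` for the same reason. The `"/.well-known/webfinger"` location is part of a larger `locations` set that starts above this hunk.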


@ -5,7 +5,7 @@
, ... , ...
}: }:
let let
acmeEmailAddress = "admins@pub.solar"; acmeEmailAddress = config.pub-solar-os.adminEmail;
webserverGroup = "hakkonaut"; webserverGroup = "hakkonaut";
in in
{ {


@ -14,8 +14,8 @@ FRONTEND_URL = None
FRONTEND_HTTPS = True FRONTEND_HTTPS = True
FRONTEND_DIR = "../frontend/build/" FRONTEND_DIR = "../frontend/build/"
FRONTEND_CONFIG = { FRONTEND_CONFIG = {
"imprintUrl": "https://pub.solar/about", "imprintUrl": "${config.pub-solar-os.imprintUrl}",
"privacyPolicyUrl": "https://pub.solar/privacy", "privacyPolicyUrl": "${config.pub-solar-os.privacyPolicyUrl}",
"mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97}, "mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
"banner": { "banner": {
"text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.", "text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
@ -27,15 +27,15 @@ ADDITIONAL_CORS_ORIGINS = None
''; '';
env = { env = {
OBS_KEYCLOAK_URI = "auth.pub.solar"; OBS_KEYCLOAK_URI = "auth.${config.pub-solar-os.networking.domain}";
OBS_PORTAL_URI = "obs-portal.pub.solar"; OBS_PORTAL_URI = "obs-portal.${config.pub-solar-os.networking.domain}";
OBS_POSTGRES_MAX_OVERFLOW = "20"; OBS_POSTGRES_MAX_OVERFLOW = "20";
OBS_POSTGRES_POOL_SIZE = "40"; OBS_POSTGRES_POOL_SIZE = "40";
OBS_HOST = "0.0.0.0"; OBS_HOST = "0.0.0.0";
OBS_PORT = "3000"; OBS_PORT = "3000";
OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/"; OBS_KEYCLOAK_URL = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/";
OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal"; OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
OBS_DEDICATED_WORKER = "True"; OBS_DEDICATED_WORKER = "True";
OBS_DATA_DIR = "/data"; OBS_DATA_DIR = "/data";
@ -66,7 +66,7 @@ in {
''; '';
}; };
services.nginx.virtualHosts."obs-portal.pub.solar" = { services.nginx.virtualHosts."obs-portal.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
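Review bot: OBS_KEYCLOAK_URL now derives its realm from `config.pub-solar-os.auth.realm`, but the webfinger issuer `href` earlier in this commit (the `acct:admins@` response) still hardcodes `/realms/pub.solar`, so the issuer advertised there and the one OBS validates tokens against diverge as soon as the realm option is changed; it should read `https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}`. The imprintUrl and privacyPolicyUrl options are interpolated verbatim into a Python dict literal, where a value containing a double quote would produce an unparsable config; `"imprintUrl": ${builtins.toJSON config.pub-solar-os.imprintUrl},` (and the same for privacyPolicyUrl) yields a quoted literal Python also accepts. The enclosing Nix attribute set starts and ends outside the hunk.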


@ -4,7 +4,7 @@
, pkgs , pkgs
, ... , ...
}: { }: {
services.nginx.virtualHosts."stream.pub.solar" = { services.nginx.virtualHosts."stream.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {


@ -43,7 +43,7 @@
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
}; };
static_configs = [{ static_configs = [{
targets = [ "nachtigall.pub.solar" ]; targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
instance = "nachtigall"; instance = "nachtigall";
}; };
@ -58,7 +58,7 @@
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
}; };
static_configs = [{ static_configs = [{
targets = [ "nachtigall.pub.solar" ]; targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
instance = "nachtigall"; instance = "nachtigall";
}; };


@ -21,7 +21,7 @@
filename = "/tmp/positions.yaml"; filename = "/tmp/positions.yaml";
}; };
clients = [{ clients = [{
url = "https://flora-6.pub.solar/loki/api/v1/push"; url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push";
basic_auth = { basic_auth = {
username = "hakkonaut"; username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";


@ -10,7 +10,7 @@
mode = "600"; mode = "600";
}; };
services.nginx.virtualHosts."search.pub.solar" = { services.nginx.virtualHosts."search.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -38,14 +38,14 @@
use_default_settings = true; use_default_settings = true;
server = { server = {
base_url = "https://search.pub.solar"; base_url = "https://search.${config.pub-solar-os.networking.domain}";
secret_key = "@SEARX_SECRET_KEY@"; secret_key = "@SEARX_SECRET_KEY@";
}; };
general = { general = {
debug = false; debug = false;
instance_name = "search.pub.solar"; instance_name = "search.${config.pub-solar-os.networking.domain}";
privacypolicy_url = "https://pub.solar/privacy"; privacypolicy_url = config.pub-solar-os.privacyPolicyUrl;
# use true to use your own donation page written in searx/info/en/donate.md # use true to use your own donation page written in searx/info/en/donate.md
# use false to disable the donation link # use false to disable the donation link
donation_url = false; donation_url = false;


@ -1,9 +1,9 @@
{ ... }: { config,... }:
{ {
services.tmate-ssh-server = { services.tmate-ssh-server = {
enable = true; enable = true;
port = 2222; port = 2222;
openFirewall = true; openFirewall = true;
host = "tmate.pub.solar"; host = "tmate.${config.pub-solar-os.networking.domain}";
}; };
} }
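Review bot: The new module argument pattern `{ config,... }:` on the first line drops the space after the comma that the other modules touched in this commit use (`, ...` on its own line); write `{ config, ... }:` so the argument lists read consistently across the repository. The host change itself is fine and matches how the other vhosts now derive their name from `config.pub-solar-os.networking.domain`.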