From 3b09618c50133a567fa777764b916302bc681d72 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Mon, 6 Sep 2021 16:17:04 +0100
Subject: [PATCH] services/xmpp -> services/prosody
---
 README.md | 20 +-
 config/hosts/athame/nixos.nix | 2 +-
 config/modules/nixos/glauth.nix | 176 ------------------
 config/services/{xmpp => prosody}/default.nix | 0
 4 files changed, 11 insertions(+), 187 deletions(-)
 delete mode 100644 config/modules/nixos/glauth.nix
 rename config/services/{xmpp => prosody}/default.nix (100%)
diff --git a/README.md b/README.md
index c766f6b5..6a592f7a 100644
--- a/README.md
+++ b/README.md
@@ -10,16 +10,16 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
 ## Nodes
-| Node | Purpose |
-|------------------|----------------------------------------------------------|
-| [athame][] | Currently the main server. Ad-hoc hetzner cloud box. |
-| [daiyousei][] | Intended athame replacement. Provisioned OCI Ampere box. |
-| [rinnosuke][] | My primary nameserver. Provisioned OCI EPYC box. |
-| [shinmyoumaru][] | My Raspberry Pi 1 Model B+. DHT22 sensors box. |
-| [beltane][] | Home server. NAS + HTPC, does DVB stuff. |
-| [samhain][] | Beloved workstation. Does VFIO. |
-| [yule][] | Main laptop. |
-| [ostara][] | CCTV netbook. |
+| Node | Network | Purpose |
+|------------------|---------|----------------------------------------------------------|
+| [athame][] | Public | Currently the main server. Ad-hoc hetzner cloud box. |
+| [daiyousei][] | Public | Intended athame replacement. Provisioned OCI Ampere box. |
+| [rinnosuke][] | Public | My primary nameserver. Provisioned OCI EPYC box. |
+| [shinmyoumaru][] | Public | My Raspberry Pi 1 Model B+. DHT22 sensors box. |
+| [beltane][] | Private | Home server. NAS + HTPC, does DVB stuff. |
+| [samhain][] | Private | Beloved workstation. Does VFIO. |
+| [yule][] | Private | Main laptop. |
+| [ostara][] | Private | CCTV netbook. |
 ## Profiles 
diff --git a/config/hosts/athame/nixos.nix b/config/hosts/athame/nixos.nix
index 0e3ec32b..0b0cb4f9 100644
--- a/config/hosts/athame/nixos.nix
+++ b/config/hosts/athame/nixos.nix
@@ -17,6 +17,7 @@ with lib;
 services.murmur
 services.nginx
 services.postgres
+ services.prosody
 services.radicale
 services.restic
 services.roundcube
@@ -25,7 +26,6 @@ with lib;
 services.vaultwarden
 services.website
 services.weechat
- services.xmpp
 services.znc
 ];
diff --git a/config/modules/nixos/glauth.nix b/config/modules/nixos/glauth.nix
deleted file mode 100644
index 2d97c0ee..00000000
--- a/config/modules/nixos/glauth.nix
+++ /dev/null
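Review bot: The `services.xmpp` removal in the second hunk only tracks the `xmpp -> prosody` rename, but the same commit also deletes the entire `config/modules/nixos/glauth.nix` module (the `services.glauth.*` options, both database init units and the secret-staging ExecStartPre), which the subject does not mention; any host that still imports that module or sets `services.glauth.enable` would then fail to evaluate, though nothing in this patch shows whether one does. Consider splitting the deletion into its own commit or naming it in the subject, e.g. `Subject: [PATCH] services/xmpp -> services/prosody; drop glauth module`. The list these `services.*` entries belong to opens before the first hunk and its closing `];` is the last context line shown.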
@@ -1,176 +0,0 @@
-{ config, pkgs, lib, ... }: with lib; let
- cfg = config.services.glauth;
- dbcfg = config.services.glauth.database;
-in
-{
- options.services.glauth = {
- enable = mkEnableOption "GLAuth";
- package = mkOption {
- type = types.package;
- default = pkgs.glauth;
- };
- configFile = mkOption {
- description = "The config path that GLAuth uses";
- type = types.path;
- default = pkgs.writeText "glauth-config" (toTOML cfg.settings);
- };
- database = {
- enable = mkEnableOption "use a database";
- local = mkEnableOption "local database creation" // { default = true; };
- type = mkOption {
- type = types.enum [
- "postgres"
- "mysql"
- "sqlite"
- ];
- default = "postgres";
- };
- host = mkOption {
- type = types.str;
- default = "localhost";
- };
- port = mkOption {
- type = types.port;
- default = 5432;
- };
- username = mkOption {
- type = types.str;
- default = "glauth";
- };
- passwordFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- };
- ssl = mkEnableOption "use ssl for the database connection";
- };
- settings = mkOption {
- type = json.types.attrs;
- default = {};
- };
- };
- config = let
- localCheck = dbcfg.local && dbcfg.enable && dbcfg.host == "localhost";
- postgresCheck = localCheck && dbcfg.type == "postgres";
- mysqlCheck = localCheck && dbcfg.type == "mysql";
- in mkIf cfg.enable {
- services.glauth.settings = mkIf cfg.database.enable {
- backend =
- let
- pluginHandlers = {
- "mysql" = "NewMySQLHandler";
- "postgres" = "NewPostgresHandler";
- "sqlite" = "NewSQLiteHandler";
- };
- in
- {
- datastore = "plugin";
- plugin = "${cfg.package}/bin/${dbcfg.type}.so";
- pluginhandler = pluginHandlers.${dbcfg.type};
- database = if (dbcfg.type != "sqlite") then (builtins.replaceStrings (singleton "\n") (singleton " ") ''
- host=${dbcfg.host}
- port=${toString dbcfg.port}
- dbname=glauth
- user=${dbcfg.username}
- password=@db-password@
- sslmode=${if dbcfg.ssl then "enable" else "disable"}
- '') else "database = \"gl.db\"";
- };
- };
-
-
- systemd.services.glauthPostgreSQLInit = lib.mkIf postgresCheck {
- after = [ "postgresql.service" ];
- before = [ "glauth.service" ];
- bindsTo = [ "postgresql.service" ];
- path = [ config.services.postgresql.package ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- User = "postgres";
- Group = "postgres";
- };
- script = ''
- set -o errexit -o pipefail -o nounset -o errtrace
- shopt -s inherit_errexit
- create_role="$(mktemp)"
- trap 'rm -f "$create_role"' ERR EXIT
- echo "CREATE ROLE glauth WITH LOGIN PASSWORD '$(<'${dbcfg.passwordFile}')' CREATEDB" > "$create_role"
- psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='glauth'" | grep -q 1 || psql -tA --file="$create_role"
- psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'glauth'" | grep -q 1 || psql -tAc 'CREATE DATABASE "glauth" OWNER "glauth"'
- '';
- };
-
- systemd.services.glauthMySQLInit = lib.mkIf mysqlCheck {
- after = [ "mysql.service" ];
- before = [ "glauth.service" ];
- bindsTo = [ "mysql.service" ];
- path = [ config.services.mysql.package ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- User = config.services.mysql.user;
- Group = config.services.mysql.group;
- };
- script = ''
- set -o errexit -o pipefail -o nounset -o errtrace
- shopt -s inherit_errexit
- db_password="$(<'${dbcfg.passwordFile}')"
- ( echo "CREATE USER IF NOT EXISTS 'glauth'@'localhost' IDENTIFIED BY '$db_password';"
- echo "CREATE DATABASE glauth CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
- echo "GRANT ALL PRIVILEGES ON glauth.* TO 'glauth'@'localhost';"
- ) | mysql -N
- '';
- };
-
- users.groups.glauth = { };
- users.users.glauth = {
- isSystemUser = true;
- extraGroups = singleton "glauth";
- };
-
- systemd.services.glauth =
- let
- databaseServices = attrByPath [ dbcfg.type ] [ ] {
- "mysql" = [ "glauthMySQLInit.service" "mysql.service" ];
- "postgres" = [ "glauthPostgreSQLInit.service" "postgresql.service" ];
- };
- in {
- after = databaseServices;
- bindsTo = databaseServices;
- wantedBy = singleton "multi-user.target";
- path = with pkgs; [
- cfg.package
- replace-secret
- ];
- serviceConfig = {
- ExecStartPre =
- let
- startPreFullPrivileges = ''
- set -o errexit -o pipefail -o nounset -o errtrace
- shopt -s inherit_errexit
- umask u=rwx,g=,o=
- mkdir -p /run/glauth/secrets
- chown -R glauth:glauth /run/glauth/
- install -T -m 0400 -o glauth -g glauth '${dbcfg.passwordFile}' /run/glauth/secrets/db_password
- '';
- startPre = ''
- install -T -m 0600 ${cfg.configFile} /run/glauth/config.cfg
- replace-secret '@db-password@' '/run/glauth/secrets/db_password' /run/glauth/config.cfg
- '';
- in
- [
- "+${pkgs.writeShellScript "glauth-start-pre-full-privileges" startPreFullPrivileges}"
- "${pkgs.writeShellScript "glauth-start-pre" startPre}"
- ];
- ExecStart = "${cfg.package}/bin/glauth -c /run/glauth/config.cfg";
- User = "glauth";
- Group = "glauth";
- RuntimeDirectory = "glauth";
- LogsDirectory = "glauth";
- AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- };
- };
- };
-
- meta.maintainers = with maintainers; [ kittywitch ];
-}
diff --git a/config/services/xmpp/default.nix b/config/services/prosody/default.nix
similarity index 100%
rename from config/services/xmpp/default.nix
rename to config/services/prosody/default.nix