gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

services/xmpp -> services/prosody

Browse source
This commit is contained in:
kat witch 2021-09-06 16:17:04 +01:00
parent bece500f71
commit 3b09618c50
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
4 changed files with 11 additions and 187 deletions
Download patch file Download diff file Expand all files Collapse all files

20
README.md
View file

@ -10,16 +10,16 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
## Nodes ## Nodes
| Node | Purpose | | Node | Network | Purpose |
|------------------|----------------------------------------------------------| |------------------|---------|----------------------------------------------------------|
| [athame][] | Currently the main server. Ad-hoc hetzner cloud box. | | [athame][] | Public | Currently the main server. Ad-hoc hetzner cloud box. |
| [daiyousei][] | Intended athame replacement. Provisioned OCI Ampere box. | | [daiyousei][] | Public | Intended athame replacement. Provisioned OCI Ampere box. |
| [rinnosuke][] | My primary nameserver. Provisioned OCI EPYC box. | | [rinnosuke][] | Public | My primary nameserver. Provisioned OCI EPYC box. |
| [shinmyoumaru][] | My Raspberry Pi 1 Model B+. DHT22 sensors box. | | [shinmyoumaru][] | Public | My Raspberry Pi 1 Model B+. DHT22 sensors box. |
| [beltane][] | Home server. NAS + HTPC, does DVB stuff. | | [beltane][] | Private | Home server. NAS + HTPC, does DVB stuff. |
| [samhain][] | Beloved workstation. Does VFIO. | | [samhain][] | Private | Beloved workstation. Does VFIO. |
| [yule][] | Main laptop. | | [yule][] | Private | Main laptop. |
| [ostara][] | CCTV netbook. | | [ostara][] | Private | CCTV netbook. |
## Profiles ## Profiles

2
config/hosts/athame/nixos.nix
View file

@ -17,6 +17,7 @@ with lib;
services.murmur services.murmur
services.nginx services.nginx
services.postgres services.postgres
services.prosody
services.radicale services.radicale
services.restic services.restic
services.roundcube services.roundcube
@ -25,7 +26,6 @@ with lib;
services.vaultwarden services.vaultwarden
services.website services.website
services.weechat services.weechat
services.xmpp
services.znc services.znc
]; ];

176
config/modules/nixos/glauth.nix
View file

@ -1,176 +0,0 @@
{ config, pkgs, lib, ... }: with lib; let
cfg = config.services.glauth;
dbcfg = config.services.glauth.database;
in
{
options.services.glauth = {
enable = mkEnableOption "GLAuth";
package = mkOption {
type = types.package;
default = pkgs.glauth;
};
configFile = mkOption {
description = "The config path that GLAuth uses";
type = types.path;
default = pkgs.writeText "glauth-config" (toTOML cfg.settings);
};
database = {
enable = mkEnableOption "use a database";
local = mkEnableOption "local database creation" // { default = true; };
type = mkOption {
type = types.enum [
"postgres"
"mysql"
"sqlite"
];
default = "postgres";
};
host = mkOption {
type = types.str;
default = "localhost";
};
port = mkOption {
type = types.port;
default = 5432;
};
username = mkOption {
type = types.str;
default = "glauth";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
};
ssl = mkEnableOption "use ssl for the database connection";
};
settings = mkOption {
type = json.types.attrs;
default = {};
};
};
config = let
localCheck = dbcfg.local && dbcfg.enable && dbcfg.host == "localhost";
postgresCheck = localCheck && dbcfg.type == "postgres";
mysqlCheck = localCheck && dbcfg.type == "mysql";
in mkIf cfg.enable {
services.glauth.settings = mkIf cfg.database.enable {
backend =
let
pluginHandlers = {
"mysql" = "NewMySQLHandler";
"postgres" = "NewPostgresHandler";
"sqlite" = "NewSQLiteHandler";
};
in
{
datastore = "plugin";
plugin = "${cfg.package}/bin/${dbcfg.type}.so";
pluginhandler = pluginHandlers.${dbcfg.type};
database = if (dbcfg.type != "sqlite") then (builtins.replaceStrings (singleton "\n") (singleton " ") ''
host=${dbcfg.host}
port=${toString dbcfg.port}
dbname=glauth
user=${dbcfg.username}
password=@db-password@
sslmode=${if dbcfg.ssl then "enable" else "disable"}
'') else "database = \"gl.db\"";
};
};
systemd.services.glauthPostgreSQLInit = lib.mkIf postgresCheck {
after = [ "postgresql.service" ];
before = [ "glauth.service" ];
bindsTo = [ "postgresql.service" ];
path = [ config.services.postgresql.package ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "postgres";
Group = "postgres";
};
script = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
create_role="$(mktemp)"
trap 'rm -f "$create_role"' ERR EXIT
echo "CREATE ROLE glauth WITH LOGIN PASSWORD '$(<'${dbcfg.passwordFile}')' CREATEDB" > "$create_role"
psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='glauth'" | grep -q 1 || psql -tA --file="$create_role"
psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'glauth'" | grep -q 1 || psql -tAc 'CREATE DATABASE "glauth" OWNER "glauth"'
'';
};
systemd.services.glauthMySQLInit = lib.mkIf mysqlCheck {
after = [ "mysql.service" ];
before = [ "glauth.service" ];
bindsTo = [ "mysql.service" ];
path = [ config.services.mysql.package ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = config.services.mysql.user;
Group = config.services.mysql.group;
};
script = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
db_password="$(<'${dbcfg.passwordFile}')"
( echo "CREATE USER IF NOT EXISTS 'glauth'@'localhost' IDENTIFIED BY '$db_password';"
echo "CREATE DATABASE glauth CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
echo "GRANT ALL PRIVILEGES ON glauth.* TO 'glauth'@'localhost';"
) | mysql -N
'';
};
users.groups.glauth = { };
users.users.glauth = {
isSystemUser = true;
extraGroups = singleton "glauth";
};
systemd.services.glauth =
let
databaseServices = attrByPath [ dbcfg.type ] [ ] {
"mysql" = [ "glauthMySQLInit.service" "mysql.service" ];
"postgres" = [ "glauthPostgreSQLInit.service" "postgresql.service" ];
};
in {
after = databaseServices;
bindsTo = databaseServices;
wantedBy = singleton "multi-user.target";
path = with pkgs; [
cfg.package
replace-secret
];
serviceConfig = {
ExecStartPre =
let
startPreFullPrivileges = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
umask u=rwx,g=,o=
mkdir -p /run/glauth/secrets
chown -R glauth:glauth /run/glauth/
install -T -m 0400 -o glauth -g glauth '${dbcfg.passwordFile}' /run/glauth/secrets/db_password
'';
startPre = ''
install -T -m 0600 ${cfg.configFile} /run/glauth/config.cfg
replace-secret '@db-password@' '/run/glauth/secrets/db_password' /run/glauth/config.cfg
'';
in
[
"+${pkgs.writeShellScript "glauth-start-pre-full-privileges" startPreFullPrivileges}"
"${pkgs.writeShellScript "glauth-start-pre" startPre}"
];
ExecStart = "${cfg.package}/bin/glauth -c /run/glauth/config.cfg";
User = "glauth";
Group = "glauth";
RuntimeDirectory = "glauth";
LogsDirectory = "glauth";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
};
};
};
meta.maintainers = with maintainers; [ kittywitch ];
}

0
config/services/xmpp/default.nix → config/services/prosody/default.nix
View file