From 5ba582cabd86036de1f514cd715697ac80a88227 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Mon, 10 Aug 2020 14:15:46 -0300
Subject: Use password via stdin, and store the snapshot image configuration.nix

---
 TODOs.org | 2 -
 nixos-update.sh | 5 +-
 .../nix/e1d5f317b0f7a-snapshot-configuration.nix | Bin 0 -> 4309 bytes
 secrets/secret-envrc.sh | Bin 2839 -> 2896 bytes
 vps-configuration.env.nix | 118 +++++++++++++++++++++
 vps-configuration.nix | 118 ---------------------
 6 files changed, 121 insertions(+), 122 deletions(-)
 create mode 100644 secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix
 create mode 100644 vps-configuration.env.nix
 delete mode 100644 vps-configuration.nix

diff --git a/TODOs.org b/TODOs.org
index 0df6ab4..bd38b22 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -1,6 +1,4 @@
 * Tasks - v4
-** TODO Run =sudo= as =nixos= user in server
-** TODO Change from =nixos= user to =andreh= user
 ** TODO nginx magic =sslCiphers= value
 Why not the default? What do those mean?
 ** TODO cron: borg and nixos update
diff --git a/nixos-update.sh b/nixos-update.sh
index bcadfd6..b4deb7e 100755
--- a/nixos-update.sh
+++ b/nixos-update.sh
@@ -7,5 +7,6 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 git crypt unlock
 direnv allow
-envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix'
-ssh "$TLD" sudo nixos-rebuild switch --upgrade
+envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /tmp/tmp.nix'
+echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S mv /tmp/tmp.nix /etc/nixos/configuration.nix
+echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
diff --git a/secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix b/secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix
new file mode 100644
index 0000000..46b7d09
Binary files /dev/null and b/secrets/nix/e1d5f317b0f7a-snapshot-configuration.nix differ
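Review bot: The staging path `/tmp/tmp.nix` in the first two added lines of the nixos-update.sh hunk is a fixed name in a world-writable directory, so if other local accounts exist on the host they can pre-create that name (or win the race between the `cat >` and the `sudo -S mv`) and root then installs content they control as /etc/nixos/configuration.nix; sticky-bit and protected-symlink settings narrow but do not close this. Staging under the invoking user's home (or a `mktemp` name) removes the predictable path, and `install` also gives the file root ownership instead of carrying the staging user's ownership through `mv`: `envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > ~/configuration.nix'` and `echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S install -m 0644 ~/configuration.nix /etc/nixos/configuration.nix`. Separately, the third added line relies on `sudo -S` consuming the password from stdin; if sudo's cached credential from the previous command is still valid it may not read stdin at all, and the password line would then reach `nixos-rebuild`'s stdin instead — consider `sudo -k` before each call so the behaviour is the same every run. `printf '%s\n' "${USER_PASSWORD}"` rather than `echo` also avoids mangling passwords that start with `-n` or contain backslashes.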
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
index 214ac25..2a750f4 100644
Binary files a/secrets/secret-envrc.sh and b/secrets/secret-envrc.sh differ
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
new file mode 100644
index 0000000..8afa57d
--- /dev/null
+++ b/vps-configuration.env.nix
@@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+let
+ envsubstConfiguration = {
+ nextcloudTLD = "$NEXTCLOUD_TLD";
+ gitTLD = "$GIT_TLD";
+ letsencryptEmail = "$LETSENCRYPT_EMAIL";
+ authorizedKey = "$AUTHORIZED_KEY";
+ };
+in {
+ imports = [ ./hardware-configuration.nix ];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ useDHCP = false;
+ interfaces.ens3.useDHCP = true;
+ };
+
+ environment.systemPackages = with pkgs; [ vim ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+
+ security.acme = {
+ acceptTerms = true;
+ email = envsubstConfiguration.letsencryptEmail;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ virtualHosts = let
+ customConfigTLDs = { };
+ defaultConfigTLDs =
+ [ envsubstConfiguration.nextcloudTLD envsubstConfiguration.gitTLD ];
+ buildDefaultConfiguration = tld: {
+ "${tld}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ in pkgs.lib.fold
+ (tldString: acc: acc // buildDefaultConfiguration tldString)
+ customConfigTLDs defaultConfigTLDs;
+
+ gitweb = {
+ enable = true;
+ location = "/";
+ virtualHost = envsubstConfiguration.gitTLD;
+ };
+ };
+
+ nextcloud = {
+ enable = true;
+ hostName = envsubstConfiguration.nextcloudTLD;
+ nginx.enable = true;
+ https = true;
+ autoUpdateApps.enable = true;
+ autoUpdateApps.startAt = "05:00:00";
+ config = {
+ overwriteProtocol = "https";
+
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost =
+ "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = "/var/nextcloud-db-pass";
+
+ adminpassFile = "/var/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [{
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }];
+ };
+
+ gitweb = {
+ gitwebTheme = true;
+ projectroot = "/srv/git";
+ };
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ users.users.nixos = {
+ uid = 1000;
+ extraGroups = [ "wheel" ];
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [ envsubstConfiguration.authorizedKey ];
+ };
+
+ system.stateVersion = "19.09";
+}
diff --git a/vps-configuration.nix b/vps-configuration.nix
deleted file mode 100644
index 8afa57d..0000000
--- a/vps-configuration.nix
+++ /dev/null
@@ -1,118 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- envsubstConfiguration = {
- nextcloudTLD = "$NEXTCLOUD_TLD";
- gitTLD = "$GIT_TLD";
- letsencryptEmail = "$LETSENCRYPT_EMAIL";
- authorizedKey = "$AUTHORIZED_KEY";
- };
-in {
- imports = [ ./hardware-configuration.nix ];
-
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/vda";
- };
-
- networking = {
- useDHCP = false;
- interfaces.ens3.useDHCP = true;
- };
-
- environment.systemPackages = with pkgs; [ vim ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 22 ];
-
- security.acme = {
- acceptTerms = true;
- email = envsubstConfiguration.letsencryptEmail;
- };
-
- services = {
- openssh = {
- enable = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
- };
-
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- virtualHosts = let
- customConfigTLDs = { };
- defaultConfigTLDs =
- [ envsubstConfiguration.nextcloudTLD envsubstConfiguration.gitTLD ];
- buildDefaultConfiguration = tld: {
- "${tld}" = {
- forceSSL = true;
- enableACME = true;
- };
- };
- in pkgs.lib.fold
- (tldString: acc: acc // buildDefaultConfiguration tldString)
- customConfigTLDs defaultConfigTLDs;
-
- gitweb = {
- enable = true;
- location = "/";
- virtualHost = envsubstConfiguration.gitTLD;
- };
- };
-
- nextcloud = {
- enable = true;
- hostName = envsubstConfiguration.nextcloudTLD;
- nginx.enable = true;
- https = true;
- autoUpdateApps.enable = true;
- autoUpdateApps.startAt = "05:00:00";
- config = {
- overwriteProtocol = "https";
-
- dbtype = "pgsql";
- dbuser = "nextcloud";
- dbhost =
- "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
- dbname = "nextcloud";
- dbpassFile = "/var/nextcloud-db-pass";
-
- adminpassFile = "/var/nextcloud-admin-pass";
- adminuser = "admin";
- };
- };
-
- postgresql = {
- enable = true;
- ensureDatabases = [ "nextcloud" ];
- ensureUsers = [{
- name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }];
- };
-
- gitweb = {
- gitwebTheme = true;
- projectroot = "/srv/git";
- };
- };
-
- systemd.services."nextcloud-setup" = {
- requires = [ "postgresql.service" ];
- after = [ "postgresql.service" ];
- };
-
- users.users.nixos = {
- uid = 1000;
- extraGroups = [ "wheel" ];
- useDefaultShell = true;
- openssh.authorizedKeys.keys = [ envsubstConfiguration.authorizedKey ];
- };
-
- system.stateVersion = "19.09";
-}
-- 
cgit v1.2.3