set services to default retooling

2026-03-27 14:58:45 -05:00
parent 10b0ac6cea
commit fdca877096
10 changed files with 485 additions and 680 deletions


@@ -1,8 +1,10 @@
{ config, pkgs, lib, ... }:
{ {
# Only enable what this machine needs # ── Disable services you don't want ─────────────
sovran_systemsOS.services.wordpress.enable = true; sovran_systemsOS.services.wordpress = false;
sovran_systemsOS.services.nextcloud.enable = true; sovran_systemsOS.services.nextcloud = false;
sovran_systemsOS.services.synapse.enable = true;
# btcpayserver is NOT enabled — no domain file needed, no vhost created # ── Enable features you do want ─────────────────
} sovran_systemsOS.features.haven = true;
sovran_systemsOS.features.element-calling = true;
sovran_systemsOS.nostr_npub = "npub1abc123...";
}


@@ -1,95 +1,72 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
lib.mkIf config.sovran_systemsOS.features.bitcoin { lib.mkIf config.sovran_systemsOS.services.bitcoin {
## Bitcoind services.bitcoind = {
enable = true;
services.bitcoind = {
enable = true;
package = config.nix-bitcoin.pkgs.bitcoind-knots; package = config.nix-bitcoin.pkgs.bitcoind-knots;
dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node"; dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node";
txindex = true; txindex = true;
tor.proxy = true; tor.proxy = true;
tor.enforce = true; tor.enforce = true;
disablewallet = true; disablewallet = true;
extraConfig = '' extraConfig = ''
peerbloomfilters=1 peerbloomfilters=1
server=1 server=1
''; '';
}; };
nix-bitcoin.onionServices.bitcoind.enable = true; nix-bitcoin.onionServices.bitcoind.enable = true;
nix-bitcoin.onionServices.electrs.enable = true; nix-bitcoin.onionServices.electrs.enable = true;
nix-bitcoin.onionServices.rtl.enable = true; nix-bitcoin.onionServices.rtl.enable = true;
services.electrs = {
enable = true;
tor.enforce = true;
dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data";
};
## Electrs services.lnd = {
enable = true;
services.electrs = { tor.enforce = true;
enable = true; tor.proxy = true;
tor.enforce = true; extraConfig = ''
dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data"; protocol.option-scid-alias=true
}; '';
};
nix-bitcoin.onionServices.lnd.public = true;
## LND services.lnd.lndconnect = {
enable = true;
services.lnd = { onion = true;
enable = true; };
tor.enforce = true;
tor.proxy = true;
extraConfig = ''
protocol.option-scid-alias=true
'';
};
nix-bitcoin.onionServices.lnd.public = true; services.rtl = {
enable = true;
tor.enforce = true;
port = 3050;
nightTheme = true;
nodes = {
lnd = {
enable = true;
};
};
};
services.btcpayserver = {
enable = true;
};
## LNDconnect services.btcpayserver.lightningBackend = "lnd";
services.lnd.lndconnect = { nix-bitcoin.generateSecrets = true;
enable = true; nix-bitcoin.nodeinfo.enable = true;
onion = true;
};
nix-bitcoin.operator = {
## RTL enable = true;
name = "free";
services.rtl = { };
enable = true;
tor.enforce = true;
port = 3050;
nightTheme = true;
nodes = {
lnd = {
enable = true;
};
};
};
nix-bitcoin.useVersionLockedPkgs = false;
## BTCpayserver
services.btcpayserver = {
enable = true;
};
services.btcpayserver.lightningBackend = "lnd";
## System
nix-bitcoin.generateSecrets = true;
nix-bitcoin.nodeinfo.enable = true;
nix-bitcoin.operator = {
enable = true;
name = "free";
};
nix-bitcoin.useVersionLockedPkgs = false;
} }
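Review bot: With the gate changed to `lib.mkIf config.sovran_systemsOS.services.bitcoin` and that option declared `default = true` in roles.nix, this entire stack — bitcoind on the external drive path, electrs, lnd with `nix-bitcoin.onionServices.lnd.public = true`, rtl and btcpayserver, plus `nix-bitcoin.generateSecrets = true` — now comes up on every machine that does not explicitly opt out in custom.nix. A publicly reachable LND onion service and a full chain sync are a surprising default for a box whose owner never asked for a node; leaving `services.bitcoin` at `default = false` in roles.nix, or at least documenting the consequence, seems safer. At minimum a comment above the `lib.mkIf`, e.g. `# Default ON via roles.nix: full node + public LND onion unless custom.nix sets services.bitcoin = false`, would make the exposure visible to whoever edits this file next.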


@@ -3,20 +3,11 @@
{ {
config = lib.mkMerge [ config = lib.mkMerge [
# Server-Desktop Role most services enabled # Server-Desktop Role services already default to on,
# so we only need to set features here
(lib.mkIf config.sovran_systemsOS.roles.server-desktop { (lib.mkIf config.sovran_systemsOS.roles.server-desktop {
sovran_systemsOS.features = { # All services are default=true, nothing to set
synapse = true; # All features are default=false, nothing to set
bitcoin = true;
coturn = true;
vaultwarden = true;
haven = false;
mempool = false;
bip110 = false;
element-calling = false;
bitcoin-core = false;
rdp = false;
};
}) })
# Desktop role # Desktop role
@@ -25,11 +16,14 @@
services.desktopManager.gnome.enable = true; services.desktopManager.gnome.enable = true;
}) })
# Bitcoin node role # Bitcoin node role — only bitcoin, disable other services
(lib.mkIf config.sovran_systemsOS.roles.node { (lib.mkIf config.sovran_systemsOS.roles.node {
sovran_systemsOS.features = { sovran_systemsOS.services = {
bitcoin = true; bitcoin = true;
bip110 = false; synapse = false;
vaultwarden = false;
wordpress = false;
nextcloud = false;
}; };
}) })
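Review bot: In the second hunk the node role turns services off by an explicit deny-list — `synapse`, `vaultwarden`, `wordpress`, `nextcloud` — while every `sovran_systemsOS.services.*` option now defaults to true, so any service added to roles.nix later will silently start on node-role machines until someone remembers to add it here as well. Deriving the set from the declared options keeps the role closed by default, e.g. `sovran_systemsOS.services = lib.mapAttrs (name: _: name == "bitcoin") options.sovran_systemsOS.services;` (which needs `options` in the module's argument list). The first hunk's `# All services are default=true, nothing to set` would be clearer as `# server-desktop: relies on the default=true of every sovran_systemsOS.services.* option declared in roles.nix`, so the dependency on those defaults is explicit rather than implied.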


@@ -11,11 +11,37 @@
node = lib.mkEnableOption "Bitcoin Node Only Role"; node = lib.mkEnableOption "Bitcoin Node Only Role";
}; };
# ── Services (default ON — user can disable in custom.nix) ──
services = {
synapse = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Matrix Synapse homeserver";
};
bitcoin = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Bitcoin Ecosystem (bitcoind, electrs, lnd, rtl, btcpay)";
};
vaultwarden = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Vaultwarden password manager";
};
wordpress = lib.mkOption {
type = lib.types.bool;
default = true;
description = "WordPress (raw PHP served by Caddy)";
};
nextcloud = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Nextcloud (raw PHP served by Caddy)";
};
};
# ── Features (default OFF — user can enable in custom.nix) ──
features = { features = {
coturn = lib.mkEnableOption "TURN server";
synapse = lib.mkEnableOption "Matrix Synapse";
bitcoin = lib.mkEnableOption "Bitcoin Ecosystem";
vaultwarden = lib.mkEnableOption "Vaultwarden";
haven = lib.mkEnableOption "Haven NOSTR relay"; haven = lib.mkEnableOption "Haven NOSTR relay";
bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money"; bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money";
mempool = lib.mkEnableOption "Bitcoin Mempool Explorer"; mempool = lib.mkEnableOption "Bitcoin Mempool Explorer";
@@ -29,5 +55,10 @@
default = ""; default = "";
description = "Nostr public key (npub1...) for Haven relay"; description = "Nostr public key (npub1...) for Haven relay";
}; };
packages.bip110 = lib.mkOption {
type = lib.types.package;
description = "BIP-110 bitcoind-knots package";
};
}; };
} }
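Review bot: The `coturn` enable option is dropped from `features` (old side, `coturn = lib.mkEnableOption "TURN server"`) but is not re-declared under the new `services` set, even though synapse.nix in this same commit now reads `/var/lib/secrets/coturn_static_auth_secret` and expects a TURN server to exist, and the rendered default.nix diff is ambiguous as to whether `./coturn.nix` stays imported. If coturn.nix still evaluates `config.sovran_systemsOS.features.coturn`, the configuration will fail to evaluate with an undefined-option error; if its gate was removed instead, the TURN server becomes unconditionally on with no way to disable it from custom.nix. Either way the option should be declared explicitly alongside the others, e.g. `coturn = lib.mkOption { type = lib.types.bool; default = true; description = "TURN server (coturn)"; };`. The `# ── Services (default ON …)` header would also benefit from noting that `bitcoin = true` by default pulls in the full nix-bitcoin stack, including a public LND onion service.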


@@ -1,46 +1,30 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
<<<<<<< HEAD
imports = [ imports = [
# ── Core (always loaded) ──────────────────────────────────
./core/roles.nix ./core/roles.nix
./core/role-logic.nix ./core/role-logic.nix
./core/caddy.nix ./core/caddy.nix
./core/sovran-manage.nix ./core/sovran-manage.nix
./php.nix
./Sovran_SystemsOS_File_Fixes_And_New_Services.nix # ── Always on (no flag) ───────────────────────────────────
./synapse.nix
./coturn.nix
./wordpress.nix
./nextcloud.nix
./btcpayserver.nix
=======
imports = [
./core/roles.nix
./core/role-logic.nix
./php.nix ./php.nix
./Sovran_SystemsOS_File_Fixes_And_New_Services.nix ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
# Always imported feature modules # ── Services (default ON — disable in custom.nix) ─────────
./synapse.nix ./synapse.nix
./coturn.nix ./wordpress.nix
./bitcoinecosystem.nix ./nextcloud.nix
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
./vaultwarden.nix ./vaultwarden.nix
./bitcoinecosystem.nix
# ── Features (default OFF — enable in custom.nix) ─────────
./haven.nix ./haven.nix
./bip110.nix ./bip110.nix
./element-calling.nix ./element-calling.nix
./mempool.nix ./mempool.nix
./bitcoin-core.nix ./bitcoin-core.nix
./rdp.nix ./rdp.nix
<<<<<<< HEAD
./bitcoinecosystem.nix
]; ];
=======
];
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }


@@ -1,224 +1,186 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let lib.mkIf config.sovran_systemsOS.services.nextcloud {
cfg = config.sovran_systemsOS.services.nextcloud;
in # ── PostgreSQL database ───────────────────────────────────
{ services.postgresql = {
options.sovran_systemsOS.services.nextcloud = { enable = true;
enable = lib.mkEnableOption "Nextcloud (raw PHP served by Caddy)";
}; };
config = lib.mkIf cfg.enable { # ── Auto-generate DB password and initialize ──────────────
systemd.services.nextcloud-db-init = {
description = "Initialize Nextcloud PostgreSQL database with auto-generated password";
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
before = [ "nextcloud-init.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ];
script = ''
set -euo pipefail
# ── Caddy vhost is now handled centrally in caddy.nix ───── SECRET_FILE="/var/lib/secrets/nextclouddb"
# ── PostgreSQL database ─────────────────────────────────── if [ ! -f "$SECRET_FILE" ]; then
services.postgresql = { mkdir -p /var/lib/secrets
enable = true; pwgen -s 64 1 > "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
fi
DB_PASS=$(cat "$SECRET_FILE")
psql -U postgres <<SQL
DO \$\$
BEGIN
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'ncusr') THEN
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '$DB_PASS';
ELSE
ALTER ROLE "ncusr" WITH LOGIN PASSWORD '$DB_PASS';
END IF;
END
\$\$;
SQL
if ! psql -U postgres -lqt | cut -d \| -f 1 | grep -qw "nextclouddb"; then
psql -U postgres -c "CREATE DATABASE nextclouddb WITH OWNER ncusr TEMPLATE template0 LC_COLLATE = 'C' LC_CTYPE = 'C';"
fi
'';
};
# ── Fully automated Nextcloud setup ───────────────────────
systemd.services.nextcloud-init = {
description = "Download, extract, and fully configure Nextcloud";
after = [ "network-online.target" "postgresql.service" "phpfpm-mypool.service" "nextcloud-db-init.service" ];
wants = [ "network-online.target" ];
requires = [ "postgresql.service" "nextcloud-db-init.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
ConditionPathExists = "!/var/lib/www/nextcloud/config/config.php";
}; };
# ── Auto-generate DB password and initialize ────────────── serviceConfig = {
systemd.services.nextcloud-db-init = { Type = "oneshot";
description = "Initialize Nextcloud PostgreSQL database with auto-generated password"; RemainAfterExit = true;
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
before = [ "nextcloud-init.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ];
script = ''
set -euo pipefail
SECRET_FILE="/var/lib/secrets/nextclouddb"
# Existing machines already have this file leave it alone
if [ ! -f "$SECRET_FILE" ]; then
mkdir -p /var/lib/secrets
pwgen -s 64 1 > "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
fi
DB_PASS=$(cat "$SECRET_FILE")
# Create role if it doesn't exist, update password either way
psql -U postgres <<SQL
DO \$\$
BEGIN
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'ncusr') THEN
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '$DB_PASS';
ELSE
ALTER ROLE "ncusr" WITH LOGIN PASSWORD '$DB_PASS';
END IF;
END
\$\$;
SQL
# Create database if it doesn't exist
if ! psql -U postgres -lqt | cut -d \| -f 1 | grep -qw "nextclouddb"; then
psql -U postgres -c "CREATE DATABASE nextclouddb WITH OWNER ncusr TEMPLATE template0 LC_COLLATE = 'C' LC_CTYPE = 'C';"
fi
'';
}; };
# ── Fully automated Nextcloud setup ─────────────────────── path = with pkgs; [ curl unzip php pwgen coreutils ];
systemd.services.nextcloud-init = {
description = "Download, extract, and fully configure Nextcloud";
after = [ "network-online.target" "postgresql.service" "phpfpm-mypool.service" "nextcloud-db-init.service" ];
wants = [ "network-online.target" ];
requires = [ "postgresql.service" "nextcloud-db-init.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig = { script = ''
ConditionPathExists = "!/var/lib/www/nextcloud/config/config.php"; set -euo pipefail
};
serviceConfig = { INSTALL_DIR="/var/lib/www/nextcloud"
Type = "oneshot"; DATA_DIR="/var/lib/www/nextcloud-data"
RemainAfterExit = true; DOMAIN=$(cat /var/lib/domains/nextcloud)
}; DB_NAME="nextclouddb"
DB_USER="ncusr"
DB_PASS=$(cat /var/lib/secrets/nextclouddb)
DB_HOST="localhost"
ADMIN_USER=$(pwgen -s 16 1)
ADMIN_PASS=$(pwgen -s 24 1)
path = with pkgs; [ curl unzip php pwgen coreutils ]; echo ""
echo " Nextcloud Automated Installation"
echo ""
script = '' if [ ! -f "$INSTALL_DIR/occ" ]; then
set -euo pipefail echo "Downloading Nextcloud..."
TEMP_DIR=$(mktemp -d)
curl -L -o "$TEMP_DIR/nextcloud.zip" "https://download.nextcloud.com/server/releases/latest.zip"
unzip -q "$TEMP_DIR/nextcloud.zip" -d "$TEMP_DIR"
mkdir -p "$INSTALL_DIR"
cp -a "$TEMP_DIR/nextcloud/"* "$INSTALL_DIR/"
rm -rf "$TEMP_DIR"
echo "Download complete."
fi
INSTALL_DIR="/var/lib/www/nextcloud" mkdir -p "$DATA_DIR"
DATA_DIR="/var/lib/www/nextcloud-data"
DOMAIN=$(cat /var/lib/domains/nextcloud)
DB_NAME="nextclouddb"
DB_USER="ncusr"
DB_PASS=$(cat /var/lib/secrets/nextclouddb)
DB_HOST="localhost"
ADMIN_USER=$(pwgen -s 16 1)
ADMIN_PASS=$(pwgen -s 24 1)
echo "" chown -R caddy:root "$INSTALL_DIR"
echo " Nextcloud Automated Installation" chown -R caddy:root "$DATA_DIR"
echo "" find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
chmod -R 770 "$INSTALL_DIR/apps"
chmod -R 770 "$INSTALL_DIR/config"
chmod -R 770 "$DATA_DIR"
# Download echo "Waiting for PostgreSQL..."
if [ ! -f "$INSTALL_DIR/occ" ]; then for i in $(seq 1 30); do
echo "Downloading Nextcloud..." if su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then
TEMP_DIR=$(mktemp -d) echo "Database ready."
curl -L -o "$TEMP_DIR/nextcloud.zip" "https://download.nextcloud.com/server/releases/latest.zip" break
unzip -q "$TEMP_DIR/nextcloud.zip" -d "$TEMP_DIR" fi
mkdir -p "$INSTALL_DIR" sleep 2
cp -a "$TEMP_DIR/nextcloud/"* "$INSTALL_DIR/" done
rm -rf "$TEMP_DIR"
echo "Download complete."
fi
# Create data directory echo "Running Nextcloud installation..."
mkdir -p "$DATA_DIR" su -s /bin/sh caddy -c "
php $INSTALL_DIR/occ maintenance:install \
--database 'pgsql' \
--database-name '$DB_NAME' \
--database-user '$DB_USER' \
--database-pass '$DB_PASS' \
--database-host '$DB_HOST' \
--admin-user '$ADMIN_USER' \
--admin-pass '$ADMIN_PASS' \
--data-dir '$DATA_DIR'
"
# Set permissions su -s /bin/sh caddy -c "
chown -R caddy:root "$INSTALL_DIR" php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
chown -R caddy:root "$DATA_DIR" php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
find "$INSTALL_DIR" -type d -exec chmod 750 {} \; php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
find "$INSTALL_DIR" -type f -exec chmod 640 {} \; "
chmod -R 770 "$INSTALL_DIR/apps"
chmod -R 770 "$INSTALL_DIR/config"
chmod -R 770 "$DATA_DIR"
# Wait for database su -s /bin/sh caddy -c "
echo "Waiting for PostgreSQL..." php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
for i in $(seq 1 30); do php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
if su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then php $INSTALL_DIR/occ background:cron
echo "Database ready." "
break
fi
sleep 2
done
# Run Nextcloud install via occ su -s /bin/sh caddy -c "
echo "Running Nextcloud installation..." php $INSTALL_DIR/occ app:install calendar || true
su -s /bin/sh caddy -c " php $INSTALL_DIR/occ app:install contacts || true
php $INSTALL_DIR/occ maintenance:install \ php $INSTALL_DIR/occ app:install tasks || true
--database 'pgsql' \ php $INSTALL_DIR/occ app:install notes || true
--database-name '$DB_NAME' \ php $INSTALL_DIR/occ app:install deck || true
--database-user '$DB_USER' \ php $INSTALL_DIR/occ app:enable calendar || true
--database-pass '$DB_PASS' \ php $INSTALL_DIR/occ app:enable contacts || true
--database-host '$DB_HOST' \ php $INSTALL_DIR/occ app:enable tasks || true
--admin-user '$ADMIN_USER' \ php $INSTALL_DIR/occ app:enable notes || true
--admin-pass '$ADMIN_PASS' \ php $INSTALL_DIR/occ app:enable deck || true
--data-dir '$DATA_DIR' "
"
# Configure trusted domains CREDS_FILE="/var/lib/secrets/nextcloud-admin"
echo "Configuring trusted domains..." cat > "$CREDS_FILE" << CREDS
su -s /bin/sh caddy -c "
php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
"
# Set recommended settings <EFBFBD><EFBFBD>
echo "Applying recommended settings..."
su -s /bin/sh caddy -c "
php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
php $INSTALL_DIR/occ background:cron
"
# Install default apps
echo "Installing default apps..."
su -s /bin/sh caddy -c "
php $INSTALL_DIR/occ app:install calendar || true
php $INSTALL_DIR/occ app:install contacts || true
php $INSTALL_DIR/occ app:install tasks || true
php $INSTALL_DIR/occ app:install notes || true
php $INSTALL_DIR/occ app:install deck || true
php $INSTALL_DIR/occ app:enable calendar || true
php $INSTALL_DIR/occ app:enable contacts || true
php $INSTALL_DIR/occ app:enable tasks || true
php $INSTALL_DIR/occ app:enable notes || true
php $INSTALL_DIR/occ app:enable deck || true
"
# Save admin credentials
CREDS_FILE="/var/lib/secrets/nextcloud-admin"
cat > "$CREDS_FILE" << CREDS
Nextcloud Admin Credentials Nextcloud Admin Credentials
URL: https://$DOMAIN/ URL: https://$DOMAIN/
Username: $ADMIN_USER Username: $ADMIN_USER
Password: $ADMIN_PASS Password: $ADMIN_PASS
CREDS CREDS
chmod 600 "$CREDS_FILE" chmod 600 "$CREDS_FILE"
echo "" echo ""
echo "" echo ""
echo " Nextcloud installation complete!" echo " Nextcloud installation complete!"
echo "" echo " Credentials saved to: $CREDS_FILE"
echo " URL: https://$DOMAIN/" echo ""
echo " Username: $ADMIN_USER" '';
echo " Password: $ADMIN_PASS"
echo ""
echo " Installed apps: Calendar, Contacts, Tasks,"
echo " Notes, Deck"
echo ""
echo " Credentials saved to: $CREDS_FILE"
echo ""
'';
};
# ── Cron ──────────────────────────────────────────────────
services.cron.systemCronJobs = [
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
];
# ── Ensure directories ────────────────────────────────────
systemd.tmpfiles.rules = [
"d /var/lib/www 0755 caddy root -"
"d /var/lib/www/nextcloud 0750 caddy root -"
"d /var/lib/www/nextcloud-data 0770 caddy root -"
];
environment.systemPackages = with pkgs; [
unzip
];
}; };
services.cron.systemCronJobs = [
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
];
systemd.tmpfiles.rules = [
"d /var/lib/www 0755 caddy root -"
"d /var/lib/www/nextcloud 0750 caddy root -"
"d /var/lib/www/nextcloud-data 0770 caddy root -"
];
environment.systemPackages = with pkgs; [ unzip ];
} }
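Review bot: In nextcloud-db-init the secret is written with `pwgen -s 64 1 > "$SECRET_FILE"` before `chmod 600 "$SECRET_FILE"` runs, so the file briefly exists with the unit's default umask (normally 0022, i.e. world-readable) while it already holds the database password; the same pattern appears with `cat > "$CREDS_FILE" << CREDS` followed by `chmod 600` in nextcloud-init, and in wordpress-db-init in wordpress.nix. Adding `umask 077` right after `set -euo pipefail` in each of these scripts closes the window and also gives `mkdir -p /var/lib/secrets` a restrictive mode. Separately, nextcloud-init fetches `https://download.nextcloud.com/server/releases/latest.zip` and unpacks it into the web root as root with no checksum or signature verification, and `latest.zip` is a moving target, so the installed version is whatever the mirror served at first boot; pinning a release and verifying the publisher's checksum or detached signature before `unzip` would make this both reproducible and tamper-evident. The database password is also passed on the command line to `php -r` and `occ maintenance:install` through `su -c`, where it is visible in the process list to any local user for the duration of the call.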


@@ -1,24 +0,0 @@
{
matrix_url = builtins.readFile /var/lib/domains/matrix;
wordpress_url = builtins.readFile /var/lib/domains/wordpress;
nextcloud_url = builtins.readFile /var/lib/domains/nextcloud;
btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver;
caddy_email_for_acme = builtins.readFile /var/lib/domains/sslemail;
vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden;
haven_url = builtins.readFile /var/lib/domains/haven;
element-calling_url = builtins.readFile /var/lib/domains/element-calling;
##
external_ip_secret = builtins.readFile /var/lib/secrets/external_ip;
coturn_static_auth_secret = builtins.readFile /var/lib/secrets/turn;
##
matrixdb = builtins.readFile /var/lib/secrets/matrixdb;
nextclouddb = builtins.readFile /var/lib/secrets/nextclouddb;
wordpressdb = builtins.readFile /var/lib/secrets/wordpressdb;
}


@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
<<<<<<< HEAD lib.mkIf config.sovran_systemsOS.services.synapse {
{
# ── PostgreSQL database for Matrix ────────────────────────── # ── PostgreSQL database for Matrix ──────────────────────────
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@@ -27,6 +27,8 @@
}; };
path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ]; path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ];
script = '' script = ''
set -euo pipefail
SECRET_DIR="/var/lib/secrets" SECRET_DIR="/var/lib/secrets"
SECRET_FILE="$SECRET_DIR/matrix_db_secret" SECRET_FILE="$SECRET_DIR/matrix_db_secret"
@@ -48,7 +50,7 @@
''; '';
}; };
# ── Generate Synapse runtime config from /var/lib/domains ─── # ── Generate Synapse runtime config from domain files ───────
systemd.services.matrix-synapse-runtime-config = { systemd.services.matrix-synapse-runtime-config = {
description = "Generate Matrix Synapse runtime config from domain files"; description = "Generate Matrix Synapse runtime config from domain files";
before = [ "matrix-synapse.service" ]; before = [ "matrix-synapse.service" ];
@@ -61,13 +63,27 @@
}; };
path = [ pkgs.coreutils ]; path = [ pkgs.coreutils ];
script = '' script = ''
set -euo pipefail
MATRIX=$(cat /var/lib/domains/matrix) MATRIX=$(cat /var/lib/domains/matrix)
RUNTIME_DIR="/run/matrix-synapse" RUNTIME_DIR="/run/matrix-synapse"
mkdir -p "$RUNTIME_DIR" mkdir -p "$RUNTIME_DIR"
cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF # Include TURN config if coturn secret exists (deployed machines)
server_name: "$MATRIX" if [ -f /var/lib/secrets/coturn_static_auth_secret ]; then
EOF COTURN_SECRET=$(cat /var/lib/secrets/coturn_static_auth_secret)
cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF
server_name: "$MATRIX"
turn_shared_secret: "$COTURN_SECRET"
turn_uris:
- "turn:$MATRIX:5349?transport=udp"
- "turn:$MATRIX:5349?transport=tcp"
EOF
else
cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF
server_name: "$MATRIX"
EOF
fi
chown matrix-synapse:matrix-synapse "$RUNTIME_DIR/runtime-config.yaml" chown matrix-synapse:matrix-synapse "$RUNTIME_DIR/runtime-config.yaml"
chmod 640 "$RUNTIME_DIR/runtime-config.yaml" chmod 640 "$RUNTIME_DIR/runtime-config.yaml"
@@ -75,135 +91,55 @@
}; };
# ── Synapse service ───────────────────────────────────────── # ── Synapse service ─────────────────────────────────────────
lib.mkIf config.sovran_systemsOS.features.synapse { services.matrix-synapse = {
services.matrix-synapse = { enable = true;
enable = true; extraConfigFiles = [ "/run/matrix-synapse/runtime-config.yaml" ];
extraConfigFiles = [ "/run/matrix-synapse/runtime-config.yaml" ]; settings = {
settings = { # server_name, turn_shared_secret, turn_uris injected at runtime
push.include_content = false; push.include_content = false;
group_unread_count_by_room = false; group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite"; encryption_enabled_by_default_for_room_type = "invite";
allow_profile_lookup_over_federation = false; allow_profile_lookup_over_federation = false;
allow_device_name_lookup_over_federation = false; allow_device_name_lookup_over_federation = false;
# server_name is injected at runtime via extraConfigFiles url_preview_enabled = true;
url_preview_enabled = true; max_upload_size = "1024M";
max_upload_size = "1024M"; url_preview_ip_range_blacklist = [
url_preview_ip_range_blacklist = [ "10.0.0.0/8"
"10.0.0.0/8" "100.64.0.0/10"
"100.64.0.0/10" "169.254.0.0/16"
"169.254.0.0/16" "172.16.0.0/12"
"172.16.0.0/12" "192.0.0.0/24"
"192.0.0.0/24" "192.0.2.0/24"
"192.0.2.0/24" "192.168.0.0/16"
"192.168.0.0/16" "192.88.99.0/24"
"192.88.99.0/24" "198.18.0.0/15"
"198.18.0.0/15" "198.51.100.0/24"
"198.51.100.0/24" "2001:db8::/32"
"2001:db8::/32" "203.0.113.0/24"
"203.0.113.0/24" "224.0.0.0/4"
"224.0.0.0/4" "::1/128"
"::1/128" "fc00::/7"
"fc00::/7" "fe80::/10"
"fe80::/10" "fec0::/10"
"fec0::/10" "ff00::/8"
"ff00::/8" ];
]; url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
url_preview_ip_ranger_whitelist = [ "127.0.0.1" ]; presence.enabled = true;
presence.enabled = true; enable_registration = false;
enable_registration = false; registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
registration_shared_secret = config.age.secrets.matrix_reg_secret.path; listeners = [
listeners = [ {
{ port = 8008;
port = 8008; bind_addresses = [ "::1" ];
bind_addresses = [ "::1" ]; type = "http";
type = "http"; tls = false;
tls = false; x_forwarded = true;
x_forwarded = true; resources = [
resources = [ { names = [ "client" ]; compress = true; }
{ { names = [ "federation" ]; compress = false; }
names = [ "client" ]; ];
compress = true; }
} ];
{
names = [ "federation" ];
compress = false;
}
];
}
];
};
}; };
} };
=======
####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL #######
# (Run as root in terminal) matrix-synapse-register_new_matrix_user #
####### #######
let
personalization = import ./personalization.nix;
in
lib.mkIf config.sovran_systemsOS.features.synapse {
services.matrix-synapse = {
enable = true;
settings = {
push.include_content = false;
group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite";
allow_profile_lookup_over_federation = false;
allow_device_name_lookup_over_federation = false;
server_name = personalization.matrix_url;
url_preview_enabled = true;
max_upload_size = "1024M";
url_preview_ip_range_blacklist = [
"10.0.0.0/8"
"100.64.0.0/10"
"169.254.0.0/16"
"172.16.0.0/12"
"192.0.0.0/24"
"192.0.2.0/24"
"192.168.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"198.51.100.0/24"
"2001:db8::/32"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fc00::/7"
"fe80::/10"
"fec0::/10"
"ff00::/8"
];
url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
turn_shared_secret = "${personalization.coturn_static_auth_secret}";
turn_uris = [
"turn:${personalization.matrix_url}:5349?transport=udp"
"turn:${personalization.matrix_url}:5349?transport=tcp"
];
presence.enabled = true;
enable_registration = false;
registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
listeners = [
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" ];
compress = true;
}
{
names = [ "federation" ];
compress = false;
} ];
}
];
};
};
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }
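Review bot: In the last hunk, `registration_shared_secret = config.age.secrets.matrix_reg_secret.path;` assigns the agenix path string to the option rather than the secret's contents, so the YAML Synapse loads would contain a predictable literal as the shared secret — and that secret authorises account creation through Synapse's admin registration endpoint even with `enable_registration = false`. Unless the path is resolved into file contents somewhere not visible here, this should be `registration_shared_secret_path = config.age.secrets.matrix_reg_secret.path;` (supported by current Synapse releases), with the file readable by the matrix-synapse user. In the runtime-config hunk, `cat > "$RUNTIME_DIR/runtime-config.yaml"` now writes `turn_shared_secret` before the `chmod 640` on the next line, so a `umask 077` next to the added `set -euo pipefail` would avoid the brief world-readable window for the TURN secret.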


@@ -1,11 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
<<<<<<< HEAD lib.mkIf config.sovran_systemsOS.services.vaultwarden {
lib.mkIf config.sovran_systemsOS.features.vaultwarden {
# ── Caddy vhost is now handled centrally in caddy.nix ─────
# ── Generate Vaultwarden runtime config from domain files ──
systemd.services.vaultwarden-runtime-config = { systemd.services.vaultwarden-runtime-config = {
description = "Generate Vaultwarden runtime config from domain files"; description = "Generate Vaultwarden runtime config from domain files";
before = [ "vaultwarden.service" ]; before = [ "vaultwarden.service" ];
@@ -22,8 +18,8 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
mkdir -p /run/vaultwarden mkdir -p /run/vaultwarden
cat > /run/vaultwarden/runtime.env <<EOF cat > /run/vaultwarden/runtime.env <<EOF
DOMAIN=https://$VAULTWARDEN DOMAIN=https://$VAULTWARDEN
EOF EOF
chmod 640 /run/vaultwarden/runtime.env chmod 640 /run/vaultwarden/runtime.env
''; '';
@@ -32,7 +28,6 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
config = { config = {
# DOMAIN injected at runtime via EnvironmentFile
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8777; ROCKET_PORT = 8777;
@@ -45,25 +40,4 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [ systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [
"/run/vaultwarden/runtime.env" "/run/vaultwarden/runtime.env"
]; ];
=======
let
personalization = import ./personalization.nix;
in
lib.mkIf config.sovran_systemsOS.features.vaultwarden {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${personalization.vaultwarden_url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8777;
ROCKET_LOG = "critical";
};
dbBackend = "sqlite";
environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env";
};
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }


@@ -1,167 +1,146 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let lib.mkIf config.sovran_systemsOS.services.wordpress {
cfg = config.sovran_systemsOS.services.wordpress;
in # ── MariaDB database ──────────────────────────────────────
{ services.mysql = {
options.sovran_systemsOS.services.wordpress = { enable = true;
enable = lib.mkEnableOption "WordPress (raw PHP served by Caddy)"; package = pkgs.mariadb;
}; };
config = lib.mkIf cfg.enable { # ── Auto-generate DB password and initialize ────────<E29480><E29480><EFBFBD>─────
systemd.services.wordpress-db-init = {
description = "Initialize WordPress MariaDB database with auto-generated password";
after = [ "mysql.service" ];
requires = [ "mysql.service" ];
before = [ "wordpress-init.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ config.services.mysql.package pkgs.pwgen pkgs.coreutils ];
script = ''
set -euo pipefail
# ── Caddy vhost is now handled centrally in caddy.nix ───── SECRET_FILE="/var/lib/secrets/wordpressdb"
# ── MariaDB database ────────────────────────────────────── if [ ! -f "$SECRET_FILE" ]; then
services.mysql = { mkdir -p /var/lib/secrets
enable = true; pwgen -s 64 1 > "$SECRET_FILE"
package = pkgs.mariadb; chmod 600 "$SECRET_FILE"
fi
DB_PASS=$(cat "$SECRET_FILE")
mysql -u root <<SQL
CREATE DATABASE IF NOT EXISTS wordpressdb;
CREATE USER IF NOT EXISTS 'wpusr'@'localhost' IDENTIFIED BY '$DB_PASS';
ALTER USER 'wpusr'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL ON wordpressdb.* TO 'wpusr'@'localhost';
FLUSH PRIVILEGES;
SQL
'';
};
# ── Fully automated WordPress setup ───────────────────────
systemd.services.wordpress-init = {
description = "Download, extract, and fully configure WordPress";
after = [ "network-online.target" "mysql.service" "phpfpm-mypool.service" "wordpress-db-init.service" ];
wants = [ "network-online.target" ];
requires = [ "mysql.service" "wordpress-db-init.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
ConditionPathExists = "!/var/lib/www/wordpress/wp-config.php";
}; };
# ── Auto-generate DB password and initialize ────────────── serviceConfig = {
systemd.services.wordpress-db-init = { Type = "oneshot";
description = "Initialize WordPress MariaDB database with auto-generated password"; RemainAfterExit = true;
after = [ "mysql.service" ];
requires = [ "mysql.service" ];
before = [ "wordpress-init.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ config.services.mysql.package pkgs.pwgen pkgs.coreutils ];
script = ''
set -euo pipefail
SECRET_FILE="/var/lib/secrets/wordpressdb"
# Existing machines already have this file leave it alone
if [ ! -f "$SECRET_FILE" ]; then
mkdir -p /var/lib/secrets
pwgen -s 64 1 > "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
fi
DB_PASS=$(cat "$SECRET_FILE")
mysql -u root <<SQL
CREATE DATABASE IF NOT EXISTS wordpressdb;
CREATE USER IF NOT EXISTS 'wpusr'@'localhost' IDENTIFIED BY '$DB_PASS';
ALTER USER 'wpusr'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL ON wordpressdb.* TO 'wpusr'@'localhost';
FLUSH PRIVILEGES;
SQL
'';
}; };
# ── Fully automated WordPress setup ─────────────────────── path = with pkgs; [ curl unzip wp-cli pwgen php coreutils ];
systemd.services.wordpress-init = {
description = "Download, extract, and fully configure WordPress";
after = [ "network-online.target" "mysql.service" "phpfpm-mypool.service" "wordpress-db-init.service" ];
wants = [ "network-online.target" ];
requires = [ "mysql.service" "wordpress-db-init.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig = { script = ''
ConditionPathExists = "!/var/lib/www/wordpress/wp-config.php"; set -euo pipefail
};
serviceConfig = { INSTALL_DIR="/var/lib/www/wordpress"
Type = "oneshot"; DOMAIN=$(cat /var/lib/domains/wordpress)
RemainAfterExit = true; DB_NAME="wordpressdb"
}; DB_USER="wpusr"
DB_PASS=$(cat /var/lib/secrets/wordpressdb)
DB_HOST="localhost"
ADMIN_USER=$(pwgen -s 16 1)
ADMIN_PASS=$(pwgen -s 24 1)
ADMIN_EMAIL="$ADMIN_USER@''${DOMAIN#*.}"
path = with pkgs; [ curl unzip wp-cli pwgen php coreutils ]; echo ""
echo " WordPress Automated Installation"
echo ""
script = '' if [ ! -f "$INSTALL_DIR/wp-includes/version.php" ]; then
set -euo pipefail echo "Downloading WordPress..."
TEMP_DIR=$(mktemp -d)
curl -L -o "$TEMP_DIR/wordpress.zip" "https://wordpress.org/latest.zip"
unzip -q "$TEMP_DIR/wordpress.zip" -d "$TEMP_DIR"
mkdir -p "$INSTALL_DIR"
cp -a "$TEMP_DIR/wordpress/"* "$INSTALL_DIR/"
rm -rf "$TEMP_DIR"
echo "Download complete."
fi
INSTALL_DIR="/var/lib/www/wordpress" chown -R caddy:root "$INSTALL_DIR"
DOMAIN=$(cat /var/lib/domains/wordpress) find "$INSTALL_DIR" -type d -exec chmod 755 {} \;
DB_NAME="wordpressdb" find "$INSTALL_DIR" -type f -exec chmod 644 {} \;
DB_USER="wpusr" chmod -R 775 "$INSTALL_DIR/wp-content"
DB_PASS=$(cat /var/lib/secrets/wordpressdb)
DB_HOST="localhost"
ADMIN_USER=$(pwgen -s 16 1)
ADMIN_PASS=$(pwgen -s 24 1)
ADMIN_EMAIL="$ADMIN_USER@''${DOMAIN#*.}"
echo "" echo "Generating wp-config.php..."
echo " WordPress Automated Installation" cd "$INSTALL_DIR"
echo "" su -s /bin/sh caddy -c "
wp config create \
--dbname='$DB_NAME' \
--dbuser='$DB_USER' \
--dbpass='$DB_PASS' \
--dbhost='$DB_HOST' \
--skip-check
"
# Download echo "Waiting for database..."
if [ ! -f "$INSTALL_DIR/wp-includes/version.php" ]; then for i in $(seq 1 30); do
echo "Downloading WordPress..." if su -s /bin/sh caddy -c "wp db check" 2>/dev/null; then
TEMP_DIR=$(mktemp -d) break
curl -L -o "$TEMP_DIR/wordpress.zip" "https://wordpress.org/latest.zip" fi
unzip -q "$TEMP_DIR/wordpress.zip" -d "$TEMP_DIR" sleep 2
mkdir -p "$INSTALL_DIR" done
cp -a "$TEMP_DIR/wordpress/"* "$INSTALL_DIR/"
rm -rf "$TEMP_DIR"
echo "Download complete."
fi
# Set permissions echo "Running WordPress core install..."
chown -R caddy:root "$INSTALL_DIR" su -s /bin/sh caddy -c "
find "$INSTALL_DIR" -type d -exec chmod 755 {} \; wp core install \
find "$INSTALL_DIR" -type f -exec chmod 644 {} \; --url='https://$DOMAIN' \
chmod -R 775 "$INSTALL_DIR/wp-content" --title='Sovran_SystemsOS' \
--admin_user='$ADMIN_USER' \
--admin_password='$ADMIN_PASS' \
--admin_email='$ADMIN_EMAIL' \
--skip-email
"
# Generate wp-config.php su -s /bin/sh caddy -c "
echo "Generating wp-config.php..." wp option update blogdescription 'Powered by Sovran_SystemsOS'
cd "$INSTALL_DIR" wp option update permalink_structure '/%postname%/'
su -s /bin/sh caddy -c " wp option update default_ping_status 'closed'
wp config create \ wp option update default_comment_status 'closed'
--dbname='$DB_NAME' \ wp rewrite flush
--dbuser='$DB_USER' \ "
--dbpass='$DB_PASS' \
--dbhost='$DB_HOST' \
--skip-check
"
# Wait for database to be ready su -s /bin/sh caddy -c "
echo "Waiting for database..." wp config set DISALLOW_FILE_EDIT true --raw
for i in $(seq 1 30); do wp config set WP_AUTO_UPDATE_CORE true --raw
if su -s /bin/sh caddy -c "wp db check" 2>/dev/null; then wp config set FORCE_SSL_ADMIN true --raw
break "
fi
sleep 2
done
# Run WordPress install CREDS_FILE="/var/lib/secrets/wordpress-admin"
echo "Running WordPress core install..." cat > "$CREDS_FILE" << CREDS
su -s /bin/sh caddy -c "
wp core install \
--url='https://$DOMAIN' \
--title='Sovran_SystemsOS' \
--admin_user='$ADMIN_USER' \
--admin_password='$ADMIN_PASS' \
--admin_email='$ADMIN_EMAIL' \
--skip-email
"
# Configure WordPress settings
echo "Configuring WordPress..."
su -s /bin/sh caddy -c "
wp option update blogdescription 'Powered by Sovran_SystemsOS'
wp option update permalink_structure '/%postname%/'
wp option update default_ping_status 'closed'
wp option update default_comment_status 'closed'
wp rewrite flush
"
# Security hardening
echo "Applying security settings..."
su -s /bin/sh caddy -c "
wp config set DISALLOW_FILE_EDIT true --raw
wp config set WP_AUTO_UPDATE_CORE true --raw
wp config set FORCE_SSL_ADMIN true --raw
"
# Save admin credentials
CREDS_FILE="/var/lib/secrets/wordpress-admin"
cat > "$CREDS_FILE" << CREDS
WordPress Admin Credentials WordPress Admin Credentials
URL: https://$DOMAIN/wp-admin/ URL: https://$DOMAIN/wp-admin/
@@ -169,30 +148,20 @@ Username: $ADMIN_USER
Password: $ADMIN_PASS Password: $ADMIN_PASS
Email: $ADMIN_EMAIL Email: $ADMIN_EMAIL
CREDS CREDS
chmod 600 "$CREDS_FILE" chmod 600 "$CREDS_FILE"
echo "" echo ""
echo "" echo ""
echo " WordPress installation complete!" echo " WordPress installation complete!"
echo "" echo " Credentials saved to: $CREDS_FILE"
echo " URL: https://$DOMAIN/wp-admin/" echo ""
echo " Username: $ADMIN_USER" '';
echo " Password: $ADMIN_PASS"
echo ""
echo " Credentials saved to: $CREDS_FILE"
echo ""
'';
};
# ── Ensure directories ────────────────────────────────────
systemd.tmpfiles.rules = [
"d /var/lib/www 0755 caddy root -"
"d /var/lib/www/wordpress 0755 caddy root -"
];
environment.systemPackages = with pkgs; [
wp-cli
unzip
];
}; };
systemd.tmpfiles.rules = [
"d /var/lib/www 0755 caddy root -"
"d /var/lib/www/wordpress 0755 caddy root -"
];
environment.systemPackages = with pkgs; [ wp-cli unzip ];
} }
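Review bot: The database and admin passwords are handed to wp-cli as command-line arguments in the wordpress-init script (`su -s /bin/sh caddy -c "wp config create … --dbpass='$DB_PASS' …"` and `wp core install … --admin_password='$ADMIN_PASS'`), so for the duration of each call they are readable by any local account through the process list (`/proc/<pid>/cmdline`), which undoes the 0600 mode on the secret files they were read from. WP-CLI's `--prompt=<arg>` reads a named argument from stdin instead, e.g. `printf '%s\n' "$DB_PASS" | su -s /bin/sh caddy -c "wp config create --dbname='$DB_NAME' --dbuser='$DB_USER' --dbhost='$DB_HOST' --prompt=dbpass --skip-check"`, and likewise `--prompt=admin_password` for the core install. In the same script the `wp db check` loop falls through after 30 attempts without failing, so `wp core install` still runs against a database that never came up; track the result of the last check and `exit 1` when it is still failing. The `curl -L -o … https://wordpress.org/latest.zip` step also installs code that will execute as the web server without comparing it against a published checksum, so an interposed or truncated download is not detected.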