3 nixosModule = self.nixosModules.environment;
4 nixosModules.environment = { config, lib, name, ... }:
10 base = mkOption { description = "Base of the LDAP tree"; type = str; };
11 host = mkOption { description = "Host to access LDAP"; type = str; };
12 root_dn = mkOption { description = "DN of the root user"; type = str; };
13 root_pw = mkOption { description = "Hashed password of the root user"; type = str; };
14 replication_dn = mkOption { description = "DN of the user allowed to replicate the LDAP directory"; type = str; };
15 replication_pw = mkOption { description = "Password of the user allowed to replicate the LDAP directory"; type = str; };
17 mkLdapOptions = name: more: mkOption {
18 description = "${name} LDAP configuration";
20 options = ldapOptions // {
21 dn = mkOption { description = "DN of the ${name} user"; type = str; };
22 password = mkOption { description = "password of the ${name} user"; type = str; };
23 filter = mkOption { description = "Filter for ${name} users"; type = str; default = ""; };
28 host = mkOption { description = "Host to access Mysql"; type = str; };
29 remoteHost = mkOption { description = "Host to access Mysql from outside"; type = str; };
30 port = mkOption { description = "Port to access Mysql"; type = int; };
31 socket = mkOption { description = "Socket to access Mysql"; type = path; };
32 systemUsers = mkOption {
33 description = "Attrs of user-passwords allowed to access mysql";
37 description = "PAM configuration for mysql";
40 dn = mkOption { description = "DN to connect as to check users"; type = str; };
41 password = mkOption { description = "DN password to connect as to check users"; type = str; };
42 filter = mkOption { description = "filter to match users"; type = str; };
47 mkMysqlOptions = name: more: mkOption {
48 description = "${name} mysql configuration";
50 options = mysqlOptions // {
51 database = mkOption { description = "${name} database"; type = str; };
52 user = mkOption { description = "${name} user"; type = str; };
53 password = mkOption { description = "mysql password of the ${name} user"; type = str; };
58 host = mkOption { description = "Host to access Postgresql"; type = str; };
59 port = mkOption { description = "Port to access Postgresql"; type = str; };
60 socket = mkOption { description = "Socket to access Postgresql"; type = path; };
62 description = "PAM configuration for psql";
65 dn = mkOption { description = "DN to connect as to check users"; type = str; };
66 password = mkOption { description = "DN password to connect as to check users"; type = str; };
67 filter = mkOption { description = "filter to match users"; type = str; };
72 mkPsqlOptions = name: mkOption {
73 description = "${name} psql configuration";
75 options = psqlOptions // {
76 database = mkOption { description = "${name} database"; type = str; };
77 schema = mkOption { description = "${name} schema"; type = nullOr str; default = null; };
78 user = mkOption { description = "${name} user"; type = str; };
79 password = mkOption { description = "psql password of the ${name} user"; type = str; };
84 host = mkOption { description = "Host to access Redis"; type = str; };
85 port = mkOption { description = "Port to access Redis"; type = str; };
86 socket = mkOption { description = "Socket to access Redis"; type = path; };
88 description = "Attrs of db number. Each number should be unique to avoid collision!";
91 spiped_key = mkOption {
94 Key to use with spiped to make a secure channel to replication
98 description = "Predixy configuration. Unused yet";
101 read = mkOption { type = str; description = "Read password"; };
106 mkRedisOptions = name: mkOption {
107 description = "${name} redis configuration";
109 options = redisOptions // {
110 db = mkOption { description = "${name} database"; type = str; };
115 host = mkOption { description = "Host to access SMTP"; type = str; };
116 port = mkOption { description = "Port to access SMTP"; type = str; };
118 mkSmtpOptions = name: mkOption {
119 description = "${name} smtp configuration";
121 options = smtpOptions // {
122 email = mkOption { description = "${name} email"; type = str; };
123 password = mkOption { description = "SMTP password of the ${name} user"; type = str; };
127 hostEnv = submodule {
130 description = "Host FQDN";
140 isVm = mkEnableOption "The host is a vm";
143 description = "List of e-mails that the server can be a sender of";
148 LDAP credentials for the host
152 password = mkOption { type = str; description = "Password for the LDAP connection"; };
153 dn = mkOption { type = str; description = "DN for the LDAP connection"; };
158 description = "subdomain and priority for MX server";
159 default = { enable = false; };
162 enable = mkEnableOption "Enable MX";
163 subdomain = mkOption { type = nullOr str; description = "Subdomain name (mx-*)"; };
164 priority = mkOption { type = nullOr int; description = "Priority"; };
170 attrs of ip4/ip6 grouped by section
172 type = attrsOf (submodule {
178 alias to use in DNS for that group
185 ip4 addresses of the host
192 ip6 addresses of the host
202 # Necessary for situations where flake gets included multiple times
203 key = builtins.hashString "sha256" (builtins.path { path = self.sourceInfo.outPath; name = "source"; });
208 Attrs of servers information in the cluster (not necessarily handled by nixops)
211 type = attrsOf hostEnv;
213 hetznerCloud = mkOption {
215 Hetzner Cloud credential information
219 authToken = mkOption {
230 Hetzner credential information
234 user = mkOption { type = str; description = "User"; };
235 pass = mkOption { type = str; description = "Password"; };
241 sshd service credential information
245 rootKeys = mkOption { type = attrsOf str; description = "Keys of root users"; };
248 LDAP credentials for cn=ssh,ou=services,dc=immae,dc=eu dn
252 password = mkOption { description = "Password"; type = str; };
258 PSQL credentials for immae_auth_read
262 password = mkOption { description = "Password"; type = str; };
271 non-standard reserved ports. Must be unique!
# Uniqueness guard for the reserved-port table: true only when no port number is
# claimed by more than one entry (compares the value list against its dedup'd form).
noDupl = x: let ports = builtins.attrValues x; in builtins.length ports == builtins.length (unique ports);
278 x: if isAttrs x && noDupl x then x else throw "Non unique values for ports";
282 httpd service credential information
288 LDAP credentials for cn=httpd,ou=services,dc=immae,dc=eu dn
292 password = mkOption { description = "Password"; type = str; };
300 type = submodule { options = smtpOptions; };
301 description = "SMTP configuration";
305 LDAP server configuration
308 options = ldapOptions;
311 databases = mkOption {
312 description = "Databases configuration";
316 type = submodule { options = mysqlOptions; };
317 description = "Mysql configuration";
320 type = submodule { options = redisOptions; };
321 description = "Redis configuration";
323 postgresql = mkOption {
324 type = submodule { options = psqlOptions; };
325 description = "Postgresql configuration";
331 description = "Jabber configuration";
334 postfix_user_filter = mkOption { type = str; description = "Postfix filter to get xmpp users"; };
335 ldap = mkLdapOptions "Jabber" {};
336 postgresql = mkPsqlOptions "Jabber";
341 description = "System and regular users uid/gid";
342 type = attrsOf (submodule {
345 description = "user uid";
349 description = "user gid";
356 description = "DNS configuration";
360 description = "Attrs of NS servers group";
363 "ns1.foo.com" = [ "198.51.100.10" "2001:db8:abcd::1" ];
364 "ns2.foo.com" = [ "198.51.100.15" "2001:db8:1234::1" ];
367 type = attrsOf (attrsOf (listOf str));
374 Remote backup with duplicity
378 password = mkOption { type = str; description = "Password for encrypting files"; };
380 type = attrsOf (submodule {
383 type = functionTo str;
384 example = literalExample ''
385 bucket: "s3://some_host/${bucket}";
389 Takes a bucket name as argument and returns a url
392 accessKeyId = mkOption { type = str; description = "Remote access-key"; };
393 secretAccessKey = mkOption { type = str; description = "Remote access secret"; };
400 zrepl_backup = mkOption {
404 description = "SSH key information";
407 public = mkOption { type = str; description = "Public part of the key"; };
408 private = mkOption { type = lines; description = "Private part of the key"; };
412 mysql = mkMysqlOptions "Zrepl" {};
414 description = "Certificates";
415 type = attrsOf (submodule {
417 key = mkOption { type = str; description = "Key"; };
418 certificate = mkOption { type = str; description = "Certificate"; };
425 rsync_backup = mkOption {
427 Rsync backup configuration from controlled host
432 description = "SSH key information";
435 public = mkOption { type = str; description = "Public part of the key"; };
436 private = mkOption { type = lines; description = "Private part of the key"; };
440 profiles = mkOption {
441 description = "Attrs of profiles to backup";
443 type = attrsOf (submodule {
445 keep = mkOption { type = int; description = "Number of backups to keep"; };
446 check_command = mkOption { type = str; description = "command to check if backup needs to be done"; default = "backup"; };
447 login = mkOption { type = str; description = "Login to connect to host"; };
448 port = mkOption { type = str; default = "22"; description = "Port to connect to host"; };
449 host = mkOption { type = str; description = "Host to connect to"; };
450 host_key = mkOption { type = str; description = "Host key"; };
451 host_key_type = mkOption { type = str; description = "Host key type"; };
453 description = "Parts to backup for this host";
454 type = attrsOf (submodule {
456 remote_folder = mkOption { type = path; description = "Remote folder to backup";};
457 exclude_from = mkOption {
460 description = "List of folders/files to exclude from the backup";
462 files_from = mkOption {
465 description = "List of folders/files to backup in the base folder";
470 description = "Extra arguments to pass to rsync";
481 monitoring = mkOption {
482 description = "Monitoring configuration";
485 status_url = mkOption { type = str; description = "URL to push status to"; };
486 status_token = mkOption { type = str; description = "Token for the status url"; };
487 http_user_password = mkOption { type = str; description = "HTTP credentials to check services behind wall"; };
488 email = mkOption { type = str; description = "Admin E-mail"; };
489 ssh_public_key = mkOption { type = str; description = "SSH public key"; };
490 ssh_secret_key = mkOption { type = str; description = "SSH secret key"; };
491 imap_login = mkOption { type = str; description = "IMAP login"; };
492 imap_password = mkOption { type = str; description = "IMAP password"; };
493 eriomem_keys = mkOption { type = listOf (listOf str); description = "Eriomem keys"; default = []; };
495 description = "OVH credentials for sms script";
498 endpoint = mkOption { type = str; default = "ovh-eu"; description = "OVH endpoint"; };
499 application_key = mkOption { type = str; description = "Application key"; };
500 application_secret = mkOption { type = str; description = "Application secret"; };
501 consumer_key = mkOption { type = str; description = "Consumer key"; };
502 account = mkOption { type = str; description = "Account"; };
506 nrdp_tokens = mkOption { type = listOf str; description = "Tokens allowed to push status update"; };
507 apprise_urls = mkOption { type = str; description = "Apprise space-separated urls to push status update"; };
508 netdata_aggregator = mkOption { type = str; description = "Url where netdata information should be sent"; };
509 netdata_keys = mkOption { type = attrsOf str; description = "netdata host keys"; };
510 immae_contact = mkOption { type = str; description = "Immae Contact e-mail"; };
511 email_check = mkOption {
512 description = "Emails services to check";
513 type = attrsOf (submodule {
515 local = mkOption { type = bool; default = false; description = "Use local configuration"; };
516 port = mkOption { type = nullOr str; default = null; description = "Port to connect to ssh"; };
517 login = mkOption { type = nullOr str; default = null; description = "Login to connect to ssh"; };
518 targets = mkOption { type = listOf str; description = "Hosts to send E-mails to"; };
519 mail_address = mkOption { type = nullOr str; default = null; description = "E-mail recipient part to send e-mail to"; };
520 mail_domain = mkOption { type = nullOr str; default = null; description = "E-mail domain part to send e-mail to"; };
528 description = "MPD configuration";
531 folder = mkOption { type = str; description = "Folder to serve from the MPD instance"; };
532 password = mkOption { type = str; description = "Password to connect to the MPD instance"; };
533 host = mkOption { type = str; description = "Host to connect to the MPD instance"; };
534 port = mkOption { type = str; description = "Port to connect to the MPD instance"; };
539 description = "FTP configuration";
542 ldap = mkLdapOptions "FTP" {
543 proftpd_filter = mkOption { type = str; description = "Filter for proftpd listing in LDAP"; };
544 pure-ftpd_filter = mkOption { type = str; description = "Filter for pure-ftpd listing in LDAP"; };
550 description = "VPN configuration";
551 type = attrsOf (submodule {
553 prefix = mkOption { type = str; description = "ipv6 prefix for the vpn subnet"; };
554 privateKey = mkOption { type = str; description = "Private key for the host"; };
555 publicKey = mkOption { type = str; description = "Public key for the host"; };
560 description = "Mail configuration";
564 description = "DMARC configuration";
567 ignore_hosts = mkOption {
570 Hosts to ignore when checking for dmarc
577 description = "DKIM configuration";
578 type = attrsOf (submodule {
582 example = literalExample ''
586 p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3w1a2aMxWw9+hdcmbqX4UevcVqr204y0K73Wdc7MPZiOOlUJQYsMNSYR1Y/SC7jmPKeitpcJCpQgn/cveJZbuikjjPLsDReHyFEYmC278ZLRTELHx6f1IXM8WE08JIRT69CfZiMi1rVcOh9qRT4F93PyjCauU8Y5hJjtg9ThsWwIDAQAB";
589 description = "Public entry to put in DNS TXT field";
591 private = mkOption { type = nullOr str; default = null; description = "Private key"; };
596 description = "Postfix configuration";
599 mysql = mkMysqlOptions "Postfix" {
600 password_encrypt = mkOption { type = str; description = "Key to encrypt relay password in database"; };
604 List of admins meant to receive common aliases
608 common_aliases = mkOption {
610 List of aliases common to all hosts, to forward to admins
614 other_aliases = mkOption {
616 Other list of aliases, to forward to admins
624 description = "Dovecot configuration";
627 mysql = mkMysqlOptions "Dovecot" {};
628 ldap = mkLdapOptions "Dovecot" {
629 pass_attrs = mkOption { type = str; description = "Password attribute in LDAP"; };
630 user_attrs = mkOption { type = str; description = "User attribute mapping in LDAP"; };
631 iterate_attrs = mkOption { type = str; description = "User attribute mapping for listing in LDAP"; };
632 iterate_filter = mkOption { type = str; description = "User attribute filter for listing in LDAP"; };
633 postfix_mailbox_filter = mkOption { type = str; description = "Postfix filter to get mailboxes"; };
639 description = "rspamd configuration";
642 redis = mkRedisOptions "Redis";
643 read_password_hashed = mkOption { type = str; description = "Hashed read password for rspamd"; };
644 write_password_hashed = mkOption { type = str; description = "Hashed write password for rspamd"; };
645 read_password = mkOption {
647 description = "Read password for rspamd. Unused";
650 write_password = mkOption {
652 description = "Write password for rspamd. Unused";
659 description = "Sympa configuration";
662 listmasters = mkOption {
664 description = "Listmasters";
666 postgresql = mkPsqlOptions "Sympa";
667 data_sources = mkOption {
670 description = "Data sources to make available to sympa";
675 description = "Scenari to make available to sympa";
684 description = "Coturn configuration";
687 auth_access_key = mkOption { type = str; description = "key to access coturn"; };
691 buildbot = mkOption {
692 description = "Buildbot configuration";
696 description = "SSH key information";
699 public = mkOption { type = str; description = "Public part of the key"; };
700 private = mkOption { type = lines; description = "Private part of the key"; };
704 workerPassword = mkOption { description = "Buildbot worker password"; type = str; };
706 description = "Buildbot user";
710 description = "user uid";
714 description = "user gid";
721 description = "Ldap configuration for buildbot";
724 password = mkOption { type = str; description = "Buildbot password"; };
728 projects = mkOption {
729 description = "Projects to make a buildbot for";
730 type = attrsOf (submodule {
732 name = mkOption { type = str; description = "Project name"; };
733 src = mkOption { type = path; description = "source of the project configuration"; };
734 packages = mkOption {
735 type = listOf package;
736 example = literalExample ''
737 [ pkgs.bash pkgs.git pkgs.gzip pkgs.openssh ];
740 Builds packages list to make available to buildbot project.
743 pythonPathHome = mkOption { type = bool; description = "Whether to add project’s python home to python path"; };
744 workerPort = mkOption { type = port; description = "Port for the worker"; };
746 type = attrsOf lines;
747 description = "Secrets for the project to dump as files";
749 secretsDeps = mkOption {
750 type = listOf package;
752 description = "Dependencies of file that will land in secrets";
754 environment = mkOption {
757 Environment variables for the project.
758 BUILDBOT_ is prefixed to the variable names
761 activationScript = mkOption {
764 Activation script to run during deployment
767 webhookTokens = mkOption {
768 type = nullOr (listOf str);
771 List of tokens allowed to push to project’s change_hook/base endpoint
781 description = "Tools configurations";
784 contact = mkOption { type = str; description = "Contact e-mail address"; };
787 type = attrsOf (submodule {
789 assetType = mkOption { type = enum ["tgz" "url" "googleFont"]; default = "url"; description = "Type of asset"; };
790 tgzRemoveComponents = mkOption { type = int; default = 0; description = "Remove components when extracting"; };
791 url = mkOption { type = str; description = "URL to fetch"; };
792 sha256 = mkOption { type = str; description = "Hash of the url"; };
795 description = "Assets to provide on assets.immae.eu";
798 description = "Davical configuration";
801 postgresql = mkPsqlOptions "Davical";
802 ldap = mkLdapOptions "Davical" {};
806 diaspora = mkOption {
807 description = "Diaspora configuration";
810 postgresql = mkPsqlOptions "Diaspora";
811 redis = mkRedisOptions "Diaspora";
812 ldap = mkLdapOptions "Diaspora" {};
813 secret_token = mkOption { type = str; description = "Secret token"; };
817 dmarc_reports = mkOption {
818 description = "DMARC reports configuration";
821 mysql = mkMysqlOptions "DMARC" {};
822 anonymous_key = mkOption { type = str; description = "Anonymous hashing key"; };
826 etherpad-lite = mkOption {
827 description = "Etherpad configuration";
830 postgresql = mkPsqlOptions "Etherpad";
831 ldap = mkLdapOptions "Etherpad" {
832 group_filter = mkOption { type = str; description = "Filter for groups"; };
834 adminPassword = mkOption { type = str; description = "Admin password for mypads / admin"; };
835 session_key = mkOption { type = str; description = "Session key"; };
836 api_key = mkOption { type = str; description = "API key"; };
840 gitolite = mkOption {
841 description = "Gitolite configuration";
844 ldap = mkLdapOptions "Gitolite" {};
846 description = "SSH key information";
849 public = mkOption { type = str; description = "Public part of the key"; };
850 private = mkOption { type = lines; description = "Private part of the key"; };
858 description = "Landing configuration";
861 postgresql = mkPsqlOptions "Landing";
865 kanboard = mkOption {
866 description = "Kanboard configuration";
869 postgresql = mkPsqlOptions "Kanboard";
870 ldap = mkLdapOptions "Kanboard" {
871 admin_dn = mkOption { type = str; description = "Admin DN"; };
876 mantisbt = mkOption {
877 description = "Mantisbt configuration";
880 postgresql = mkPsqlOptions "Mantisbt";
881 ldap = mkLdapOptions "Mantisbt" {};
882 master_salt = mkOption { type = str; description = "Master salt for password hash"; };
886 mastodon = mkOption {
887 description = "Mastodon configuration";
890 postgresql = mkPsqlOptions "Mastodon";
891 redis = mkRedisOptions "Mastodon";
892 ldap = mkLdapOptions "Mastodon" {};
893 paperclip_secret = mkOption { type = str; description = "Paperclip secret"; };
894 otp_secret = mkOption { type = str; description = "OTP secret"; };
895 secret_key_base = mkOption { type = str; description = "Secret key base"; };
897 description = "vapid key";
900 private = mkOption { type = str; description = "Private key"; };
901 public = mkOption { type = str; description = "Public key"; };
908 mediagoblin = mkOption {
909 description = "Mediagoblin configuration";
912 postgresql = mkPsqlOptions "Mediagoblin";
913 redis = mkRedisOptions "Mediagoblin";
914 ldap = mkLdapOptions "Mediagoblin" {};
918 nextcloud = mkOption {
919 description = "Nextcloud configuration";
922 postgresql = mkPsqlOptions "Nextcloud";
923 redis = mkRedisOptions "Nextcloud";
924 password_salt = mkOption { type = str; description = "Password salt"; };
925 instance_id = mkOption { type = str; description = "Instance ID"; };
926 secret = mkOption { type = str; description = "App secret"; };
930 peertube = mkOption {
931 description = "Peertube configuration";
934 listenPort = mkOption { type = port; description = "Port to listen to"; };
935 postgresql = mkPsqlOptions "Peertube";
936 redis = mkRedisOptions "Peertube";
937 ldap = mkLdapOptions "Peertube" {};
941 phpldapadmin = mkOption {
942 description = "phpLdapAdmin configuration";
945 ldap = mkLdapOptions "phpldapadmin" {};
950 description = "Rompr configuration";
954 description = "MPD configuration";
957 host = mkOption { type = str; description = "Host for MPD"; };
958 port = mkOption { type = port; description = "Port to access MPD host"; };
965 roundcubemail = mkOption {
966 description = "Roundcubemail configuration";
969 postgresql = mkPsqlOptions "TT-RSS";
970 secret = mkOption { type = str; description = "Secret"; };
975 description = "Shaarli configuration";
978 ldap = mkLdapOptions "Shaarli" {};
982 status_engine = mkOption {
983 description = "Status Engine configuration";
986 mysql = mkMysqlOptions "StatusEngine" {};
987 ldap = mkLdapOptions "StatusEngine" {};
992 description = "Taskwarrior configuration";
995 ldap = mkLdapOptions "Taskwarrior" {};
996 taskwarrior-web = mkOption {
997 description = "taskwarrior-web profiles";
999 type = attrsOf (submodule {
1003 description = "List of ldap uids having access to this profile";
1005 org = mkOption { type = str; description = "Taskd organisation"; };
1006 key = mkOption { type = str; description = "Taskd key"; };
1007 date = mkOption { type = str; description = "Preferred date format"; };
1015 description = "TT-RSS configuration";
1018 postgresql = mkPsqlOptions "TT-RSS";
1019 ldap = mkLdapOptions "TT-RSS" {};
1023 wallabag = mkOption {
1024 description = "Wallabag configuration";
1027 postgresql = mkPsqlOptions "Wallabag";
1028 ldap = mkLdapOptions "Wallabag" {
1029 admin_filter = mkOption { type = str; description = "Admin users filter"; };
1031 redis = mkRedisOptions "Wallabag";
1032 secret = mkOption { type = str; description = "App secret"; };
1036 webhooks = mkOption {
1038 description = "Mapping 'name'.php => script for webhooks";
1040 csp_reports = mkOption {
1041 description = "CSP report configuration";
1044 report_uri = mkOption { type = str; description = "URI to report CSP violations to"; };
1045 policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; };
1049 commento = mkOption {
1050 description = "Commento configuration";
1053 listenPort = mkOption { type = port; description = "Port to listen to"; };
1054 postgresql = mkPsqlOptions "Commento";
1055 smtp = mkSmtpOptions "Commento";
1059 cryptpad = mkOption {
1060 description = "Cryptpad configuration";
1063 email = mkOption { type = str; description = "Admin e-mail"; };
1064 admins = mkOption { type = listOf str; description = "Instance admin public keys"; };
1065 port = mkOption { type = port; description = "Port to listen to"; };
1070 description = "Ympd configuration";
1073 listenPort = mkOption { type = port; description = "Port to listen to"; };
1075 description = "MPD configuration";
1078 password = mkOption { type = str; description = "Password to access MPD host"; };
1079 host = mkOption { type = str; description = "Host for MPD"; };
1080 port = mkOption { type = port; description = "Port to access MPD host"; };
1088 description = "Umami configuration";
1091 listenPort = mkOption { type = port; description = "Port to listen to"; };
1092 postgresql = mkPsqlOptions "Umami";
1093 hashSalt = mkOption { type = str; description = "Hash salt"; };
1098 description = "Yourls configuration";
1101 mysql = mkMysqlOptions "Yourls" {};
1102 ldap = mkLdapOptions "Yourls" {};
1103 cookieKey = mkOption { type = str; description = "Cookie key"; };
1111 options.hostEnv = mkOption {
1114 default = config.myEnv.servers."${name}";
1115 description = "Host environment";