diff options
Diffstat (limited to 'flakes/private/environment')
-rw-r--r-- | flakes/private/environment/flake.nix | 1135 |
1 files changed, 1135 insertions, 0 deletions
diff --git a/flakes/private/environment/flake.nix b/flakes/private/environment/flake.nix new file mode 100644 index 0000000..15c079a --- /dev/null +++ b/flakes/private/environment/flake.nix | |||
@@ -0,0 +1,1135 @@ | |||
1 | { | ||
2 | outputs = { self }: { | ||
3 | nixosModule = self.nixosModules.environment; | ||
4 | nixosModules.environment = { config, lib, name, ... }: | ||
5 | with lib; | ||
6 | with types; | ||
7 | with lists; | ||
8 | let | ||
9 | ldapOptions = { | ||
10 | base = mkOption { description = "Base of the LDAP tree"; type = str; }; | ||
11 | host = mkOption { description = "Host to access LDAP"; type = str; }; | ||
12 | root_dn = mkOption { description = "DN of the root user"; type = str; }; | ||
13 | root_pw = mkOption { description = "Hashed password of the root user"; type = str; }; | ||
14 | replication_dn = mkOption { description = "DN of the user allowed to replicate the LDAP directory"; type = str; }; | ||
15 | replication_pw = mkOption { description = "Password of the user allowed to replicate the LDAP directory"; type = str; }; | ||
16 | }; | ||
17 | mkLdapOptions = name: more: mkOption { | ||
18 | description = "${name} LDAP configuration"; | ||
19 | type = submodule { | ||
20 | options = ldapOptions // { | ||
21 | dn = mkOption { description = "DN of the ${name} user"; type = str; }; | ||
22 | password = mkOption { description = "password of the ${name} user"; type = str; }; | ||
23 | filter = mkOption { description = "Filter for ${name} users"; type = str; default = ""; }; | ||
24 | } // more; | ||
25 | }; | ||
26 | }; | ||
27 | mysqlOptions = { | ||
28 | host = mkOption { description = "Host to access Mysql"; type = str; }; | ||
29 | remoteHost = mkOption { description = "Host to access Mysql from outside"; type = str; }; | ||
30 | port = mkOption { description = "Port to access Mysql"; type = int; }; | ||
31 | socket = mkOption { description = "Socket to access Mysql"; type = path; }; | ||
32 | systemUsers = mkOption { | ||
33 | description = "Attrs of user-passwords allowed to access mysql"; | ||
34 | type = attrsOf str; | ||
35 | }; | ||
36 | pam = mkOption { | ||
37 | description = "PAM configuration for mysql"; | ||
38 | type = submodule { | ||
39 | options = { | ||
40 | dn = mkOption { description = "DN to connect as to check users"; type = str; }; | ||
41 | password = mkOption { description = "DN password to connect as to check users"; type = str; }; | ||
42 | filter = mkOption { description = "filter to match users"; type = str; }; | ||
43 | }; | ||
44 | }; | ||
45 | }; | ||
46 | }; | ||
47 | mkMysqlOptions = name: more: mkOption { | ||
48 | description = "${name} mysql configuration"; | ||
49 | type = submodule { | ||
50 | options = mysqlOptions // { | ||
51 | database = mkOption { description = "${name} database"; type = str; }; | ||
52 | user = mkOption { description = "${name} user"; type = str; }; | ||
53 | password = mkOption { description = "mysql password of the ${name} user"; type = str; }; | ||
54 | } // more; | ||
55 | }; | ||
56 | }; | ||
57 | psqlOptions = { | ||
58 | host = mkOption { description = "Host to access Postgresql"; type = str; }; | ||
59 | port = mkOption { description = "Port to access Postgresql"; type = str; }; | ||
60 | socket = mkOption { description = "Socket to access Postgresql"; type = path; }; | ||
61 | pam = mkOption { | ||
62 | description = "PAM configuration for psql"; | ||
63 | type = submodule { | ||
64 | options = { | ||
65 | dn = mkOption { description = "DN to connect as to check users"; type = str; }; | ||
66 | password = mkOption { description = "DN password to connect as to check users"; type = str; }; | ||
67 | filter = mkOption { description = "filter to match users"; type = str; }; | ||
68 | }; | ||
69 | }; | ||
70 | }; | ||
71 | }; | ||
72 | mkPsqlOptions = name: mkOption { | ||
73 | description = "${name} psql configuration"; | ||
74 | type = submodule { | ||
75 | options = psqlOptions // { | ||
76 | database = mkOption { description = "${name} database"; type = str; }; | ||
77 | schema = mkOption { description = "${name} schema"; type = nullOr str; default = null; }; | ||
78 | user = mkOption { description = "${name} user"; type = str; }; | ||
79 | password = mkOption { description = "psql password of the ${name} user"; type = str; }; | ||
80 | }; | ||
81 | }; | ||
82 | }; | ||
83 | redisOptions = { | ||
84 | host = mkOption { description = "Host to access Redis"; type = str; }; | ||
85 | port = mkOption { description = "Port to access Redis"; type = str; }; | ||
86 | socket = mkOption { description = "Socket to access Redis"; type = path; }; | ||
87 | dbs = mkOption { | ||
88 | description = "Attrs of db number. Each number should be unique to avoid collision!"; | ||
89 | type = attrsOf str; | ||
90 | }; | ||
91 | spiped_key = mkOption { | ||
92 | type = str; | ||
93 | description = '' | ||
94 | Key to use with spiped to make a secure channel to replication | ||
95 | ''; | ||
96 | }; | ||
97 | predixy = mkOption { | ||
98 | description = "Predixy configuration. Unused yet"; | ||
99 | type = submodule { | ||
100 | options = { | ||
101 | read = mkOption { type = str; description = "Read password"; }; | ||
102 | }; | ||
103 | }; | ||
104 | }; | ||
105 | }; | ||
106 | mkRedisOptions = name: mkOption { | ||
107 | description = "${name} redis configuration"; | ||
108 | type = submodule { | ||
109 | options = redisOptions // { | ||
110 | db = mkOption { description = "${name} database"; type = str; }; | ||
111 | }; | ||
112 | }; | ||
113 | }; | ||
114 | smtpOptions = { | ||
115 | host = mkOption { description = "Host to access SMTP"; type = str; }; | ||
116 | port = mkOption { description = "Port to access SMTP"; type = str; }; | ||
117 | }; | ||
118 | mkSmtpOptions = name: mkOption { | ||
119 | description = "${name} smtp configuration"; | ||
120 | type = submodule { | ||
121 | options = smtpOptions // { | ||
122 | email = mkOption { description = "${name} email"; type = str; }; | ||
123 | password = mkOption { description = "SMTP password of the ${name} user"; type = str; }; | ||
124 | }; | ||
125 | }; | ||
126 | }; | ||
127 | hostEnv = submodule { | ||
128 | options = { | ||
129 | fqdn = mkOption { | ||
130 | description = "Host FQDN"; | ||
131 | type = str; | ||
132 | }; | ||
133 | hostKey = mkOption { | ||
134 | type = nullOr str; | ||
135 | default = null; | ||
136 | description = '' | ||
137 | ssh host key | ||
138 | ''; | ||
139 | }; | ||
140 | isVm = mkEnableOption "The host is a vm"; | ||
141 | users = mkOption { | ||
142 | type = unspecified; | ||
143 | default = pkgs: []; | ||
144 | description = '' | ||
145 | Sublist of users from realUsers. Function that takes pkgs as | ||
146 | argument and gives an array as a result | ||
147 | ''; | ||
148 | }; | ||
149 | emails = mkOption { | ||
150 | default = []; | ||
151 | description = "List of e-mails that the server can be a sender of"; | ||
152 | type = listOf str; | ||
153 | }; | ||
154 | ldap = mkOption { | ||
155 | description = '' | ||
156 | LDAP credentials for the host | ||
157 | ''; | ||
158 | type = submodule { | ||
159 | options = { | ||
160 | password = mkOption { type = str; description = "Password for the LDAP connection"; }; | ||
161 | dn = mkOption { type = str; description = "DN for the LDAP connection"; }; | ||
162 | }; | ||
163 | }; | ||
164 | }; | ||
165 | mx = mkOption { | ||
166 | description = "subdomain and priority for MX server"; | ||
167 | default = { enable = false; }; | ||
168 | type = submodule { | ||
169 | options = { | ||
170 | enable = mkEnableOption "Enable MX"; | ||
171 | subdomain = mkOption { type = nullOr str; description = "Subdomain name (mx-*)"; }; | ||
172 | priority = mkOption { type = nullOr int; description = "Priority"; }; | ||
173 | }; | ||
174 | }; | ||
175 | }; | ||
176 | ips = mkOption { | ||
177 | description = '' | ||
178 | attrs of ip4/ip6 grouped by section | ||
179 | ''; | ||
180 | type = attrsOf (submodule { | ||
181 | options = { | ||
182 | alias = mkOption { | ||
183 | type = nullOr str; | ||
184 | default = null; | ||
185 | description = '' | ||
186 | alias to use in DNS for that group | ||
187 | ''; | ||
188 | }; | ||
189 | ip4 = mkOption { | ||
190 | type = listOf str; | ||
191 | default = []; | ||
192 | description = '' | ||
193 | ip4 addresses of the host | ||
194 | ''; | ||
195 | }; | ||
196 | ip6 = mkOption { | ||
197 | type = listOf str; | ||
198 | default = []; | ||
199 | description = '' | ||
200 | ip6 addresses of the host | ||
201 | ''; | ||
202 | }; | ||
203 | }; | ||
204 | }); | ||
205 | }; | ||
206 | }; | ||
207 | }; | ||
208 | in | ||
209 | { | ||
210 | # Necessary for situations where flake gets included multiple times | ||
211 | key = builtins.hashString "sha256" (builtins.path { path = self.sourceInfo.outPath; name = "source"; }); | ||
212 | |||
213 | options.myEnv = { | ||
214 | servers = mkOption { | ||
215 | description = '' | ||
216 | Attrs of servers information in the cluster (not necessarily handled by nixops) | ||
217 | ''; | ||
218 | default = {}; | ||
219 | type = attrsOf hostEnv; | ||
220 | }; | ||
221 | hetznerCloud = mkOption { | ||
222 | description = '' | ||
223 | Hetzner Cloud credential information | ||
224 | ''; | ||
225 | type = submodule { | ||
226 | options = { | ||
227 | authToken = mkOption { | ||
228 | type = str; | ||
229 | description = '' | ||
230 | The API auth token. | ||
231 | ''; | ||
232 | }; | ||
233 | }; | ||
234 | }; | ||
235 | }; | ||
236 | hetzner = mkOption { | ||
237 | description = '' | ||
238 | Hetzner credential information | ||
239 | ''; | ||
240 | type = submodule { | ||
241 | options = { | ||
242 | user = mkOption { type = str; description = "User"; }; | ||
243 | pass = mkOption { type = str; description = "Password"; }; | ||
244 | }; | ||
245 | }; | ||
246 | }; | ||
247 | sshd = mkOption { | ||
248 | description = '' | ||
249 | sshd service credential information | ||
250 | ''; | ||
251 | type = submodule { | ||
252 | options = { | ||
253 | rootKeys = mkOption { type = attrsOf str; description = "Keys of root users"; }; | ||
254 | ldap = mkOption { | ||
255 | description = '' | ||
256 | LDAP credentials for cn=ssh,ou=services,dc=immae,dc=eu dn | ||
257 | ''; | ||
258 | type = submodule { | ||
259 | options = { | ||
260 | password = mkOption { description = "Password"; type = str; }; | ||
261 | }; | ||
262 | }; | ||
263 | }; | ||
264 | psql = mkOption { | ||
265 | description = '' | ||
266 | PSQL credentials for immae_auth_read | ||
267 | ''; | ||
268 | type = submodule { | ||
269 | options = { | ||
270 | password = mkOption { description = "Password"; type = str; }; | ||
271 | }; | ||
272 | }; | ||
273 | }; | ||
274 | }; | ||
275 | }; | ||
276 | }; | ||
277 | ports = mkOption { | ||
278 | description = '' | ||
279 | non-standard reserved ports. Must be unique! | ||
280 | ''; | ||
281 | type = attrsOf port; | ||
282 | default = {}; | ||
283 | apply = let | ||
284 | noDupl = x: builtins.length (builtins.attrValues x) == builtins.length (unique (builtins.attrValues x)); | ||
285 | in | ||
286 | x: if isAttrs x && noDupl x then x else throw "Non unique values for ports"; | ||
287 | }; | ||
288 | httpd = mkOption { | ||
289 | description = '' | ||
290 | httpd service credential information | ||
291 | ''; | ||
292 | type = submodule { | ||
293 | options = { | ||
294 | ldap = mkOption { | ||
295 | description = '' | ||
296 | LDAP credentials for cn=httpd,ou=services,dc=immae,dc=eu dn | ||
297 | ''; | ||
298 | type = submodule { | ||
299 | options = { | ||
300 | password = mkOption { description = "Password"; type = str; }; | ||
301 | }; | ||
302 | }; | ||
303 | }; | ||
304 | }; | ||
305 | }; | ||
306 | }; | ||
307 | smtp = mkOption { | ||
308 | type = submodule { options = smtpOptions; }; | ||
309 | description = "SMTP configuration"; | ||
310 | }; | ||
311 | ldap = mkOption { | ||
312 | description = '' | ||
313 | LDAP server configuration | ||
314 | ''; | ||
315 | type = submodule { | ||
316 | options = ldapOptions; | ||
317 | }; | ||
318 | }; | ||
319 | databases = mkOption { | ||
320 | description = "Databases configuration"; | ||
321 | type = submodule { | ||
322 | options = { | ||
323 | mysql = mkOption { | ||
324 | type = submodule { options = mysqlOptions; }; | ||
325 | description = "Mysql configuration"; | ||
326 | }; | ||
327 | redis = mkOption { | ||
328 | type = submodule { options = redisOptions; }; | ||
329 | description = "Redis configuration"; | ||
330 | }; | ||
331 | postgresql = mkOption { | ||
332 | type = submodule { options = psqlOptions; }; | ||
333 | description = "Postgresql configuration"; | ||
334 | }; | ||
335 | }; | ||
336 | }; | ||
337 | }; | ||
338 | jabber = mkOption { | ||
339 | description = "Jabber configuration"; | ||
340 | type = submodule { | ||
341 | options = { | ||
342 | postfix_user_filter = mkOption { type = str; description = "Postfix filter to get xmpp users"; }; | ||
343 | ldap = mkLdapOptions "Jabber" {}; | ||
344 | postgresql = mkPsqlOptions "Jabber"; | ||
345 | }; | ||
346 | }; | ||
347 | }; | ||
348 | realUsers = mkOption { | ||
349 | description = '' | ||
350 | Attrset of function taking pkgs as argument. | ||
351 | Real users settings, should provide a subattr of users.users.<name> | ||
352 | with at least: name, (hashed)Password, shell | ||
353 | ''; | ||
354 | type = attrsOf unspecified; | ||
355 | }; | ||
356 | users = mkOption { | ||
357 | description = "System and regular users uid/gid"; | ||
358 | type = attrsOf (submodule { | ||
359 | options = { | ||
360 | uid = mkOption { | ||
361 | description = "user uid"; | ||
362 | type = int; | ||
363 | }; | ||
364 | gid = mkOption { | ||
365 | description = "user gid"; | ||
366 | type = int; | ||
367 | }; | ||
368 | }; | ||
369 | }); | ||
370 | }; | ||
371 | dns = mkOption { | ||
372 | description = "DNS configuration"; | ||
373 | type = submodule { | ||
374 | options = { | ||
375 | ns = mkOption { | ||
376 | description = "Attrs of NS servers group"; | ||
377 | example = { | ||
378 | foo = { | ||
379 | "ns1.foo.com" = [ "198.51.100.10" "2001:db8:abcd::1" ]; | ||
380 | "ns2.foo.com" = [ "198.51.100.15" "2001:db8:1234::1" ]; | ||
381 | }; | ||
382 | }; | ||
383 | type = attrsOf (attrsOf (listOf str)); | ||
384 | }; | ||
385 | }; | ||
386 | }; | ||
387 | }; | ||
388 | backup = mkOption { | ||
389 | description = '' | ||
390 | Remote backup with duplicity | ||
391 | ''; | ||
392 | type = submodule { | ||
393 | options = { | ||
394 | password = mkOption { type = str; description = "Password for encrypting files"; }; | ||
395 | remotes = mkOption { | ||
396 | type = attrsOf (submodule { | ||
397 | options = { | ||
398 | remote = mkOption { | ||
399 | type = functionTo str; | ||
400 | example = literalExample '' | ||
401 | bucket: "s3://some_host/${bucket}"; | ||
402 | ''; | ||
403 | description = '' | ||
404 | Function. | ||
405 | Takes a bucket name as argument and returns a url | ||
406 | ''; | ||
407 | }; | ||
408 | accessKeyId = mkOption { type = str; description = "Remote access-key"; }; | ||
409 | secretAccessKey = mkOption { type = str; description = "Remote access secret"; }; | ||
410 | }; | ||
411 | }); | ||
412 | }; | ||
413 | }; | ||
414 | }; | ||
415 | }; | ||
416 | zrepl_backup = mkOption { | ||
417 | type = submodule { | ||
418 | options = { | ||
419 | ssh_key = mkOption { | ||
420 | description = "SSH key information"; | ||
421 | type = submodule { | ||
422 | options = { | ||
423 | public = mkOption { type = str; description = "Public part of the key"; }; | ||
424 | private = mkOption { type = lines; description = "Private part of the key"; }; | ||
425 | }; | ||
426 | }; | ||
427 | }; | ||
428 | mysql = mkMysqlOptions "Zrepl" {}; | ||
429 | certs = mkOption { | ||
430 | description = "Certificates"; | ||
431 | type = attrsOf (submodule { | ||
432 | options = { | ||
433 | key = mkOption { type = str; description = "Key"; }; | ||
434 | certificate = mkOption { type = str; description = "Certificate"; }; | ||
435 | }; | ||
436 | }); | ||
437 | }; | ||
438 | }; | ||
439 | }; | ||
440 | }; | ||
441 | rsync_backup = mkOption { | ||
442 | description ='' | ||
443 | Rsync backup configuration from controlled host | ||
444 | ''; | ||
445 | type = submodule { | ||
446 | options = { | ||
447 | ssh_key = mkOption { | ||
448 | description = "SSH key information"; | ||
449 | type = submodule { | ||
450 | options = { | ||
451 | public = mkOption { type = str; description = "Public part of the key"; }; | ||
452 | private = mkOption { type = lines; description = "Private part of the key"; }; | ||
453 | }; | ||
454 | }; | ||
455 | }; | ||
456 | profiles = mkOption { | ||
457 | description = "Attrs of profiles to backup"; | ||
458 | default = {}; | ||
459 | type = attrsOf (submodule { | ||
460 | options = { | ||
461 | keep = mkOption { type = int; description = "Number of backups to keep"; }; | ||
462 | check_command = mkOption { type = str; description = "command to check if backup needs to be done"; default = "backup"; }; | ||
463 | login = mkOption { type = str; description = "Login to connect to host"; }; | ||
464 | port = mkOption { type = str; default = "22"; description = "Port to connect to host"; }; | ||
465 | host = mkOption { type = str; description = "Host to connect to"; }; | ||
466 | host_key = mkOption { type = str; description = "Host key"; }; | ||
467 | host_key_type = mkOption { type = str; description = "Host key type"; }; | ||
468 | parts = mkOption { | ||
469 | description = "Parts to backup for this host"; | ||
470 | type = attrsOf (submodule { | ||
471 | options = { | ||
472 | remote_folder = mkOption { type = path; description = "Remote folder to backup";}; | ||
473 | exclude_from = mkOption { | ||
474 | type = listOf path; | ||
475 | default = []; | ||
476 | description = "List of folders/files to exclude from the backup"; | ||
477 | }; | ||
478 | files_from = mkOption { | ||
479 | type = listOf path; | ||
480 | default = []; | ||
481 | description = "List of folders/files to backup in the base folder"; | ||
482 | }; | ||
483 | args = mkOption { | ||
484 | type = nullOr str; | ||
485 | default = null; | ||
486 | description = "Extra arguments to pass to rsync"; | ||
487 | }; | ||
488 | }; | ||
489 | }); | ||
490 | }; | ||
491 | }; | ||
492 | }); | ||
493 | }; | ||
494 | }; | ||
495 | }; | ||
496 | }; | ||
497 | monitoring = mkOption { | ||
498 | description = "Monitoring configuration"; | ||
499 | type = submodule { | ||
500 | options = { | ||
501 | status_url = mkOption { type = str; description = "URL to push status to"; }; | ||
502 | status_token = mkOption { type = str; description = "Token for the status url"; }; | ||
503 | http_user_password = mkOption { type = str; description = "HTTP credentials to check services behind wall"; }; | ||
504 | email = mkOption { type = str; description = "Admin E-mail"; }; | ||
505 | ssh_public_key = mkOption { type = str; description = "SSH public key"; }; | ||
506 | ssh_secret_key = mkOption { type = str; description = "SSH secret key"; }; | ||
507 | imap_login = mkOption { type = str; description = "IMAP login"; }; | ||
508 | imap_password = mkOption { type = str; description = "IMAP password"; }; | ||
509 | eriomem_keys = mkOption { type = listOf (listOf str); description = "Eriomem keys"; default = []; }; | ||
510 | ovh_sms = mkOption { | ||
511 | description = "OVH credentials for sms script"; | ||
512 | type = submodule { | ||
513 | options = { | ||
514 | endpoint = mkOption { type = str; default = "ovh-eu"; description = "OVH endpoint"; }; | ||
515 | application_key = mkOption { type = str; description = "Application key"; }; | ||
516 | application_secret = mkOption { type = str; description = "Application secret"; }; | ||
517 | consumer_key = mkOption { type = str; description = "Consumer key"; }; | ||
518 | account = mkOption { type = str; description = "Account"; }; | ||
519 | }; | ||
520 | }; | ||
521 | }; | ||
522 | nrdp_tokens = mkOption { type = listOf str; description = "Tokens allowed to push status update"; }; | ||
523 | apprise_urls = mkOption { type = str; description = "Apprise space-separated urls to push status update"; }; | ||
524 | netdata_aggregator = mkOption { type = str; description = "Url where netdata information should be sent"; }; | ||
525 | netdata_keys = mkOption { type = attrsOf str; description = "netdata host keys"; }; | ||
526 | immae_contact = mkOption { type = str; description = "Immae Contact e-mail"; }; | ||
527 | email_check = mkOption { | ||
528 | description = "Emails services to check"; | ||
529 | type = attrsOf (submodule { | ||
530 | options = { | ||
531 | local = mkOption { type = bool; default = false; description = "Use local configuration"; }; | ||
532 | port = mkOption { type = nullOr str; default = null; description = "Port to connect to ssh"; }; | ||
533 | login = mkOption { type = nullOr str; default = null; description = "Login to connect to ssh"; }; | ||
534 | targets = mkOption { type = listOf str; description = "Hosts to send E-mails to"; }; | ||
535 | mail_address = mkOption { type = nullOr str; default = null; description = "E-mail recipient part to send e-mail to"; }; | ||
536 | mail_domain = mkOption { type = nullOr str; default = null; description = "E-mail domain part to send e-mail to"; }; | ||
537 | }; | ||
538 | }); | ||
539 | }; | ||
540 | }; | ||
541 | }; | ||
542 | }; | ||
543 | mpd = mkOption { | ||
544 | description = "MPD configuration"; | ||
545 | type = submodule { | ||
546 | options = { | ||
547 | folder = mkOption { type = str; description = "Folder to serve from the MPD instance"; }; | ||
548 | password = mkOption { type = str; description = "Password to connect to the MPD instance"; }; | ||
549 | host = mkOption { type = str; description = "Host to connect to the MPD instance"; }; | ||
550 | port = mkOption { type = str; description = "Port to connect to the MPD instance"; }; | ||
551 | }; | ||
552 | }; | ||
553 | }; | ||
554 | ftp = mkOption { | ||
555 | description = "FTP configuration"; | ||
556 | type = submodule { | ||
557 | options = { | ||
558 | ldap = mkLdapOptions "FTP" { | ||
559 | proftpd_filter = mkOption { type = str; description = "Filter for proftpd listing in LDAP"; }; | ||
560 | pure-ftpd_filter = mkOption { type = str; description = "Filter for pure-ftpd listing in LDAP"; }; | ||
561 | }; | ||
562 | }; | ||
563 | }; | ||
564 | }; | ||
565 | vpn = mkOption { | ||
566 | description = "VPN configuration"; | ||
567 | type = attrsOf (submodule { | ||
568 | options = { | ||
569 | prefix = mkOption { type = str; description = "ipv6 prefix for the vpn subnet"; }; | ||
570 | privateKey = mkOption { type = str; description = "Private key for the host"; }; | ||
571 | publicKey = mkOption { type = str; description = "Public key for the host"; }; | ||
572 | }; | ||
573 | }); | ||
574 | }; | ||
575 | mail = mkOption { | ||
576 | description = "Mail configuration"; | ||
577 | type = submodule { | ||
578 | options = { | ||
579 | dmarc = mkOption { | ||
580 | description = "DMARC configuration"; | ||
581 | type = submodule { | ||
582 | options = { | ||
583 | ignore_hosts = mkOption { | ||
584 | type = lines; | ||
585 | description = '' | ||
586 | Hosts to ignore when checking for dmarc | ||
587 | ''; | ||
588 | }; | ||
589 | }; | ||
590 | }; | ||
591 | }; | ||
592 | dkim = mkOption { | ||
593 | description = "DKIM configuration"; | ||
594 | type = attrsOf (submodule { | ||
595 | options = { | ||
596 | public = mkOption { | ||
597 | type = attrsOf str; | ||
598 | example = literalExample '' | ||
599 | { | ||
600 | v = "DKIM1"; | ||
601 | k = "rsa"; | ||
602 | p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3w1a2aMxWw9+hdcmbqX4UevcVqr204y0K73Wdc7MPZiOOlUJQYsMNSYR1Y/SC7jmPKeitpcJCpQgn/cveJZbuikjjPLsDReHyFEYmC278ZLRTELHx6f1IXM8WE08JIRT69CfZiMi1rVcOh9qRT4F93PyjCauU8Y5hJjtg9ThsWwIDAQAB"; | ||
603 | } | ||
604 | ''; | ||
605 | description = "Public entry to put in DNS TXT field"; | ||
606 | }; | ||
607 | private = mkOption { type = nullOr str; default = null; description = "Private key"; }; | ||
608 | }; | ||
609 | }); | ||
610 | }; | ||
611 | postfix = mkOption { | ||
612 | description = "Postfix configuration"; | ||
613 | type = submodule { | ||
614 | options = { | ||
615 | mysql = mkMysqlOptions "Postfix" { | ||
616 | password_encrypt = mkOption { type = str; description = "Key to encrypt relay password in database"; }; | ||
617 | }; | ||
618 | admins = mkOption { | ||
619 | description = '' | ||
620 | List of admins meant to receive common aliases | ||
621 | ''; | ||
622 | type = listOf str; | ||
623 | }; | ||
624 | common_aliases = mkOption { | ||
625 | description = '' | ||
626 | List of aliases common to all hosts, to forward to admins | ||
627 | ''; | ||
628 | type = listOf str; | ||
629 | }; | ||
630 | other_aliases = mkOption { | ||
631 | description = '' | ||
632 | Other list of aliases, to forward to admins | ||
633 | ''; | ||
634 | type = listOf str; | ||
635 | }; | ||
636 | }; | ||
637 | }; | ||
638 | }; | ||
639 | dovecot = mkOption { | ||
640 | description = "Dovecot configuration"; | ||
641 | type = submodule { | ||
642 | options = { | ||
643 | ldap = mkLdapOptions "Dovecot" { | ||
644 | pass_attrs = mkOption { type = str; description = "Password attribute in LDAP"; }; | ||
645 | user_attrs = mkOption { type = str; description = "User attribute mapping in LDAP"; }; | ||
646 | iterate_attrs = mkOption { type = str; description = "User attribute mapping for listing in LDAP"; }; | ||
647 | iterate_filter = mkOption { type = str; description = "User attribute filter for listing in LDAP"; }; | ||
648 | postfix_mailbox_filter = mkOption { type = str; description = "Postfix filter to get mailboxes"; }; | ||
649 | }; | ||
650 | }; | ||
651 | }; | ||
652 | }; | ||
653 | rspamd = mkOption { | ||
654 | description = "rspamd configuration"; | ||
655 | type = submodule { | ||
656 | options = { | ||
657 | redis = mkRedisOptions "Redis"; | ||
658 | read_password_hashed = mkOption { type = str; description = "Hashed read password for rspamd"; }; | ||
659 | write_password_hashed = mkOption { type = str; description = "Hashed write password for rspamd"; }; | ||
660 | read_password = mkOption { | ||
661 | type = str; | ||
662 | description = "Read password for rspamd. Unused"; | ||
663 | apply = x: ""; | ||
664 | }; | ||
665 | write_password = mkOption { | ||
666 | type = str; | ||
667 | description = "Write password for rspamd. Unused"; | ||
668 | apply = x: ""; | ||
669 | }; | ||
670 | }; | ||
671 | }; | ||
672 | }; | ||
673 | sympa = mkOption { | ||
674 | description = "Sympa configuration"; | ||
675 | type = submodule { | ||
676 | options = { | ||
677 | listmasters = mkOption { | ||
678 | type = listOf str; | ||
679 | description = "Listmasters"; | ||
680 | }; | ||
681 | postgresql = mkPsqlOptions "Sympa"; | ||
682 | data_sources = mkOption { | ||
683 | type = attrsOf str; | ||
684 | default = {}; | ||
685 | description = "Data sources to make available to sympa"; | ||
686 | }; | ||
687 | scenari = mkOption { | ||
688 | type = attrsOf str; | ||
689 | default = {}; | ||
690 | description = "Scenari to make available to sympa"; | ||
691 | }; | ||
692 | }; | ||
693 | }; | ||
694 | }; | ||
695 | }; | ||
696 | }; | ||
697 | }; | ||
698 | coturn = mkOption { | ||
699 | description = "Coturn configuration"; | ||
700 | type = submodule { | ||
701 | options = { | ||
702 | auth_access_key = mkOption { type = str; description = "key to access coturn"; }; | ||
703 | }; | ||
704 | }; | ||
705 | }; | ||
706 | buildbot = mkOption { | ||
707 | description = "Buildbot configuration"; | ||
708 | type = submodule { | ||
709 | options = { | ||
710 | ssh_key = mkOption { | ||
711 | description = "SSH key information"; | ||
712 | type = submodule { | ||
713 | options = { | ||
714 | public = mkOption { type = str; description = "Public part of the key"; }; | ||
715 | private = mkOption { type = lines; description = "Private part of the key"; }; | ||
716 | }; | ||
717 | }; | ||
718 | }; | ||
719 | workerPassword = mkOption { description = "Buildbot worker password"; type = str; }; | ||
720 | user = mkOption { | ||
721 | description = "Buildbot user"; | ||
722 | type = submodule { | ||
723 | options = { | ||
724 | uid = mkOption { | ||
725 | description = "user uid"; | ||
726 | type = int; | ||
727 | }; | ||
728 | gid = mkOption { | ||
729 | description = "user gid"; | ||
730 | type = int; | ||
731 | }; | ||
732 | }; | ||
733 | }; | ||
734 | }; | ||
735 | ldap = mkOption { | ||
736 | description = "Ldap configuration for buildbot"; | ||
737 | type = submodule { | ||
738 | options = { | ||
739 | password = mkOption { type = str; description = "Buildbot password"; }; | ||
740 | }; | ||
741 | }; | ||
742 | }; | ||
743 | projects = mkOption { | ||
744 | description = "Projects to make a buildbot for"; | ||
745 | type = attrsOf (submodule { | ||
746 | options = { | ||
747 | name = mkOption { type = str; description = "Project name"; }; | ||
748 | src = mkOption { type = path; description = "source of the project configuration"; }; | ||
749 | packages = mkOption { | ||
750 | type = listOf package; | ||
751 | example = literalExample '' | ||
752 | [ pkgs.bash pkgs.git pkgs.gzip pkgs.openssh ]; | ||
753 | ''; | ||
754 | description = '' | ||
755 | Builds packages list to make available to buildbot project. | ||
756 | ''; | ||
757 | }; | ||
758 | pythonPathHome = mkOption { type = bool; description = "Whether to add project’s python home to python path"; }; | ||
759 | workerPort = mkOption { type = port; description = "Port for the worker"; }; | ||
760 | secrets = mkOption { | ||
761 | type = attrsOf lines; | ||
762 | description = "Secrets for the project to dump as files"; | ||
763 | }; | ||
764 | secretsDeps = mkOption { | ||
765 | type = listOf package; | ||
766 | default = []; | ||
767 | description = "Dependencies of file that will land in secrets"; | ||
768 | }; | ||
769 | environment = mkOption { | ||
770 | type = attrsOf str; | ||
771 | description = '' | ||
772 | Environment variables for the project. | ||
773 | BUILDBOT_ is prefixed to the variable names | ||
774 | ''; | ||
775 | }; | ||
776 | activationScript = mkOption { | ||
777 | type = lines; | ||
778 | description = '' | ||
779 | Activation script to run during deployment | ||
780 | ''; | ||
781 | }; | ||
782 | webhookTokens = mkOption { | ||
783 | type = nullOr (listOf str); | ||
784 | default = null; | ||
785 | description = '' | ||
786 | List of tokens allowed to push to project’s change_hook/base endpoint | ||
787 | ''; | ||
788 | }; | ||
789 | }; | ||
790 | }); | ||
791 | }; | ||
792 | }; | ||
793 | }; | ||
794 | }; | ||
795 | tools = mkOption { | ||
796 | description = "Tools configurations"; | ||
797 | type = submodule { | ||
798 | options = { | ||
799 | contact = mkOption { type = str; description = "Contact e-mail address"; }; | ||
800 | assets = mkOption { | ||
801 | default = {}; | ||
802 | type = attrsOf (submodule { | ||
803 | options = { | ||
804 | assetType = mkOption { type = enum ["tgz" "url" "googleFont"]; default = "url"; description = "Type of asset"; }; | ||
805 | tgzRemoveComponents = mkOption { type = int; default = 0; description = "Remove components when extracting"; }; | ||
806 | url = mkOption { type = str; description = "URL to fetch"; }; | ||
807 | sha256 = mkOption { type = str; description = "Hash of the url"; }; | ||
808 | }; | ||
809 | }); | ||
810 | description = "Assets to provide on assets.immae.eu"; | ||
811 | }; | ||
812 | davical = mkOption { | ||
813 | description = "Davical configuration"; | ||
814 | type = submodule { | ||
815 | options = { | ||
816 | postgresql = mkPsqlOptions "Davical"; | ||
817 | ldap = mkLdapOptions "Davical" {}; | ||
818 | }; | ||
819 | }; | ||
820 | }; | ||
821 | diaspora = mkOption { | ||
822 | description = "Diaspora configuration"; | ||
823 | type = submodule { | ||
824 | options = { | ||
825 | postgresql = mkPsqlOptions "Diaspora"; | ||
826 | redis = mkRedisOptions "Diaspora"; | ||
827 | ldap = mkLdapOptions "Diaspora" {}; | ||
828 | secret_token = mkOption { type = str; description = "Secret token"; }; | ||
829 | }; | ||
830 | }; | ||
831 | }; | ||
832 | dmarc_reports = mkOption { | ||
833 | description = "DMARC reports configuration"; | ||
834 | type = submodule { | ||
835 | options = { | ||
836 | mysql = mkMysqlOptions "DMARC" {}; | ||
837 | anonymous_key = mkOption { type = str; description = "Anonymous hashing key"; }; | ||
838 | }; | ||
839 | }; | ||
840 | }; | ||
841 | etherpad-lite = mkOption { | ||
842 | description = "Etherpad configuration"; | ||
843 | type = submodule { | ||
844 | options = { | ||
845 | postgresql = mkPsqlOptions "Etherpad"; | ||
846 | ldap = mkLdapOptions "Etherpad" { | ||
847 | group_filter = mkOption { type = str; description = "Filter for groups"; }; | ||
848 | }; | ||
849 | adminPassword = mkOption { type = str; description = "Admin password for mypads / admin"; }; | ||
850 | session_key = mkOption { type = str; description = "Session key"; }; | ||
851 | api_key = mkOption { type = str; description = "API key"; }; | ||
852 | }; | ||
853 | }; | ||
854 | }; | ||
855 | gitolite = mkOption { | ||
856 | description = "Gitolite configuration"; | ||
857 | type = submodule { | ||
858 | options = { | ||
859 | ldap = mkLdapOptions "Gitolite" {}; | ||
860 | ssh_key = mkOption { | ||
861 | description = "SSH key information"; | ||
862 | type = submodule { | ||
863 | options = { | ||
864 | public = mkOption { type = str; description = "Public part of the key"; }; | ||
865 | private = mkOption { type = lines; description = "Private part of the key"; }; | ||
866 | }; | ||
867 | }; | ||
868 | }; | ||
869 | }; | ||
870 | }; | ||
871 | }; | ||
872 | landing = mkOption { | ||
873 | description = "Landing configuration"; | ||
874 | type = submodule { | ||
875 | options = { | ||
876 | postgresql = mkPsqlOptions "Landing"; | ||
877 | }; | ||
878 | }; | ||
879 | }; | ||
880 | kanboard = mkOption { | ||
881 | description = "Kanboard configuration"; | ||
882 | type = submodule { | ||
883 | options = { | ||
884 | postgresql = mkPsqlOptions "Kanboard"; | ||
885 | ldap = mkLdapOptions "Kanboard" { | ||
886 | admin_dn = mkOption { type = str; description = "Admin DN"; }; | ||
887 | }; | ||
888 | }; | ||
889 | }; | ||
890 | }; | ||
891 | mantisbt = mkOption { | ||
892 | description = "Mantisbt configuration"; | ||
893 | type = submodule { | ||
894 | options = { | ||
895 | postgresql = mkPsqlOptions "Mantisbt"; | ||
896 | ldap = mkLdapOptions "Mantisbt" {}; | ||
897 | master_salt = mkOption { type = str; description = "Master salt for password hash"; }; | ||
898 | }; | ||
899 | }; | ||
900 | }; | ||
901 | mastodon = mkOption { | ||
902 | description = "Mastodon configuration"; | ||
903 | type = submodule { | ||
904 | options = { | ||
905 | postgresql = mkPsqlOptions "Mastodon"; | ||
906 | redis = mkRedisOptions "Mastodon"; | ||
907 | ldap = mkLdapOptions "Mastodon" {}; | ||
908 | paperclip_secret = mkOption { type = str; description = "Paperclip secret"; }; | ||
909 | otp_secret = mkOption { type = str; description = "OTP secret"; }; | ||
910 | secret_key_base = mkOption { type = str; description = "Secret key base"; }; | ||
911 | vapid = mkOption { | ||
912 | description = "vapid key"; | ||
913 | type = submodule { | ||
914 | options = { | ||
915 | private = mkOption { type = str; description = "Private key"; }; | ||
916 | public = mkOption { type = str; description = "Public key"; }; | ||
917 | }; | ||
918 | }; | ||
919 | }; | ||
920 | }; | ||
921 | }; | ||
922 | }; | ||
923 | mediagoblin = mkOption { | ||
924 | description = "Mediagoblin configuration"; | ||
925 | type = submodule { | ||
926 | options = { | ||
927 | postgresql = mkPsqlOptions "Mediagoblin"; | ||
928 | redis = mkRedisOptions "Mediagoblin"; | ||
929 | ldap = mkLdapOptions "Mediagoblin" {}; | ||
930 | }; | ||
931 | }; | ||
932 | }; | ||
933 | nextcloud = mkOption { | ||
934 | description = "Nextcloud configuration"; | ||
935 | type = submodule { | ||
936 | options = { | ||
937 | postgresql = mkPsqlOptions "Nextcloud"; | ||
938 | redis = mkRedisOptions "Nextcloud"; | ||
939 | password_salt = mkOption { type = str; description = "Password salt"; }; | ||
940 | instance_id = mkOption { type = str; description = "Instance ID"; }; | ||
941 | secret = mkOption { type = str; description = "App secret"; }; | ||
942 | }; | ||
943 | }; | ||
944 | }; | ||
945 | peertube = mkOption { | ||
946 | description = "Peertube configuration"; | ||
947 | type = submodule { | ||
948 | options = { | ||
949 | listenPort = mkOption { type = port; description = "Port to listen to"; }; | ||
950 | postgresql = mkPsqlOptions "Peertube"; | ||
951 | redis = mkRedisOptions "Peertube"; | ||
952 | ldap = mkLdapOptions "Peertube" {}; | ||
953 | }; | ||
954 | }; | ||
955 | }; | ||
956 | phpldapadmin = mkOption { | ||
957 | description = "phpLdapAdmin configuration"; | ||
958 | type = submodule { | ||
959 | options = { | ||
960 | ldap = mkLdapOptions "phpldapadmin" {}; | ||
961 | }; | ||
962 | }; | ||
963 | }; | ||
964 | rompr = mkOption { | ||
965 | description = "Rompr configuration"; | ||
966 | type = submodule { | ||
967 | options = { | ||
968 | mpd = mkOption { | ||
969 | description = "MPD configuration"; | ||
970 | type = submodule { | ||
971 | options = { | ||
972 | host = mkOption { type = str; description = "Host for MPD"; }; | ||
973 | port = mkOption { type = port; description = "Port to access MPD host"; }; | ||
974 | }; | ||
975 | }; | ||
976 | }; | ||
977 | }; | ||
978 | }; | ||
979 | }; | ||
980 | roundcubemail = mkOption { | ||
981 | description = "Roundcubemail configuration"; | ||
982 | type = submodule { | ||
983 | options = { | ||
984 | postgresql = mkPsqlOptions "TT-RSS"; | ||
985 | secret = mkOption { type = str; description = "Secret"; }; | ||
986 | }; | ||
987 | }; | ||
988 | }; | ||
989 | shaarli = mkOption { | ||
990 | description = "Shaarli configuration"; | ||
991 | type = submodule { | ||
992 | options = { | ||
993 | ldap = mkLdapOptions "Shaarli" {}; | ||
994 | }; | ||
995 | }; | ||
996 | }; | ||
997 | status_engine = mkOption { | ||
998 | description = "Status Engine configuration"; | ||
999 | type = submodule { | ||
1000 | options = { | ||
1001 | mysql = mkMysqlOptions "StatusEngine" {}; | ||
1002 | ldap = mkLdapOptions "StatusEngine" {}; | ||
1003 | }; | ||
1004 | }; | ||
1005 | }; | ||
1006 | task = mkOption { | ||
1007 | description = "Taskwarrior configuration"; | ||
1008 | type = submodule { | ||
1009 | options = { | ||
1010 | ldap = mkLdapOptions "Taskwarrior" {}; | ||
1011 | taskwarrior-web = mkOption { | ||
1012 | description = "taskwarrior-web profiles"; | ||
1013 | default = {}; | ||
1014 | type = attrsOf (submodule { | ||
1015 | options = { | ||
1016 | uid = mkOption { | ||
1017 | type = listOf str; | ||
1018 | description = "List of ldap uids having access to this profile"; | ||
1019 | }; | ||
1020 | org = mkOption { type = str; description = "Taskd organisation"; }; | ||
1021 | key = mkOption { type = str; description = "Taskd key"; }; | ||
1022 | date = mkOption { type = str; description = "Preferred date format"; }; | ||
1023 | }; | ||
1024 | }); | ||
1025 | }; | ||
1026 | }; | ||
1027 | }; | ||
1028 | }; | ||
1029 | ttrss = mkOption { | ||
1030 | description = "TT-RSS configuration"; | ||
1031 | type = submodule { | ||
1032 | options = { | ||
1033 | postgresql = mkPsqlOptions "TT-RSS"; | ||
1034 | ldap = mkLdapOptions "TT-RSS" {}; | ||
1035 | }; | ||
1036 | }; | ||
1037 | }; | ||
1038 | wallabag = mkOption { | ||
1039 | description = "Wallabag configuration"; | ||
1040 | type = submodule { | ||
1041 | options = { | ||
1042 | postgresql = mkPsqlOptions "Wallabag"; | ||
1043 | ldap = mkLdapOptions "Wallabag" { | ||
1044 | admin_filter = mkOption { type = str; description = "Admin users filter"; }; | ||
1045 | }; | ||
1046 | redis = mkRedisOptions "Wallabag"; | ||
1047 | secret = mkOption { type = str; description = "App secret"; }; | ||
1048 | }; | ||
1049 | }; | ||
1050 | }; | ||
1051 | webhooks = mkOption { | ||
1052 | type = attrsOf str; | ||
1053 | description = "Mapping 'name'.php => script for webhooks"; | ||
1054 | }; | ||
1055 | csp_reports = mkOption { | ||
1056 | description = "CSP report configuration"; | ||
1057 | type = submodule { | ||
1058 | options = { | ||
1059 | report_uri = mkOption { type = str; description = "URI to report CSP violations to"; }; | ||
1060 | policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; }; | ||
1061 | }; | ||
1062 | }; | ||
1063 | }; | ||
1064 | commento = mkOption { | ||
1065 | description = "Commento configuration"; | ||
1066 | type = submodule { | ||
1067 | options = { | ||
1068 | listenPort = mkOption { type = port; description = "Port to listen to"; }; | ||
1069 | postgresql = mkPsqlOptions "Commento"; | ||
1070 | smtp = mkSmtpOptions "Commento"; | ||
1071 | }; | ||
1072 | }; | ||
1073 | }; | ||
1074 | cryptpad = mkOption { | ||
1075 | description = "Cryptpad configuration"; | ||
1076 | type = submodule { | ||
1077 | options = { | ||
1078 | email = mkOption { type = str; description = "Admin e-mail"; }; | ||
1079 | admins = mkOption { type = listOf str; description = "Instance admin public keys"; }; | ||
1080 | port = mkOption { type = port; description = "Port to listen to"; }; | ||
1081 | }; | ||
1082 | }; | ||
1083 | }; | ||
1084 | ympd = mkOption { | ||
1085 | description = "Ympd configuration"; | ||
1086 | type = submodule { | ||
1087 | options = { | ||
1088 | listenPort = mkOption { type = port; description = "Port to listen to"; }; | ||
1089 | mpd = mkOption { | ||
1090 | description = "MPD configuration"; | ||
1091 | type = submodule { | ||
1092 | options = { | ||
1093 | password = mkOption { type = str; description = "Password to access MPD host"; }; | ||
1094 | host = mkOption { type = str; description = "Host for MPD"; }; | ||
1095 | port = mkOption { type = port; description = "Port to access MPD host"; }; | ||
1096 | }; | ||
1097 | }; | ||
1098 | }; | ||
1099 | }; | ||
1100 | }; | ||
1101 | }; | ||
1102 | umami = mkOption { | ||
1103 | description = "Umami configuration"; | ||
1104 | type = submodule { | ||
1105 | options = { | ||
1106 | listenPort = mkOption { type = port; description = "Port to listen to"; }; | ||
1107 | postgresql = mkPsqlOptions "Umami"; | ||
1108 | hashSalt = mkOption { type = str; description = "Hash salt"; }; | ||
1109 | }; | ||
1110 | }; | ||
1111 | }; | ||
1112 | yourls = mkOption { | ||
1113 | description = "Yourls configuration"; | ||
1114 | type = submodule { | ||
1115 | options = { | ||
1116 | mysql = mkMysqlOptions "Yourls" {}; | ||
1117 | ldap = mkLdapOptions "Yourls" {}; | ||
1118 | cookieKey = mkOption { type = str; description = "Cookie key"; }; | ||
1119 | }; | ||
1120 | }; | ||
1121 | }; | ||
1122 | }; | ||
1123 | }; | ||
1124 | }; | ||
1125 | serverSpecific = mkOption { type = attrsOf unspecified; description = "Server specific configuration"; }; | ||
1126 | }; | ||
1127 | options.hostEnv = mkOption { | ||
1128 | readOnly = true; | ||
1129 | type = hostEnv; | ||
1130 | default = config.myEnv.servers."${name}"; | ||
1131 | description = "Host environment"; | ||
1132 | }; | ||
1133 | }; | ||
1134 | }; | ||
1135 | } | ||