Start migration to NixOS for storage1

modules/custom-backup-job.nix

@@ -10,12 +10,12 @@ in
       default = [ ];
     };
 
-    additionalReadWritePaths = mkOption {
+    readWritePaths = mkOption {
       type = with types; listOf path;
       default = [ ];
     };
 
-    additionalPreHook = mkOption {
+    preHook = mkOption {
       type = types.lines;
       default = "";
     };
@@ -24,25 +24,31 @@ in
       type = with types; either str (listOf str);
       default = "03:30";
     };
+
+    sshKey = mkOption {
+      type = with types; path;
+    };
   };
 
   config = {
+
+    sops.secrets = {
+      borgPassphrase = {
+        owner = config.services.borgbackup.jobs.data.user;
+        key = "borg/passphrase";
+      };
+    };
     services.borgbackup.jobs.data = {
-      paths = [ "/nix/var/data" ] ++ cfg.additionalPaths;
+      paths = [ "/nix/var/data" cfg.sshKey ] ++ cfg.additionalPaths;
       doInit = false;
       repo = "backup@212.129.12.205:./";
       encryption = {
         mode = "repokey-blake2";
-        passCommand = "cat /var/keys/borgbackup-passphrase";
+        passCommand = "cat ${config.sops.secrets.borgPassphrase.path}";
       };
-      readWritePaths = [
-        "/var/keys/borgbackup-ssh-key"
-      ] ++ cfg.additionalReadWritePaths;
-      preHook = ''
-        #There is no way to specify the permissions on keys so we fix them here
-        chmod 0600 /var/keys/borgbackup-ssh-key
-      '' + cfg.additionalPreHook;
-      environment = { BORG_RSH = "ssh -i /var/keys/borgbackup-ssh-key"; };
+      readWritePaths = cfg.readWritePaths;
+      preHook = cfg.preHook;
+      environment = { BORG_RSH = "ssh -i ${cfg.sshKey}"; };
       compression = "lz4";
       startAt = cfg.startAt;
       prune.keep = {

modules/mailserver.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+{
+
+  sops.secrets = {
+    paultrialPassword = {
+      key = "email/accounts_passwords/paultrial";
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail2.banditlair.com";
+    domains = [ "banditlair.com" "froidmont.org" "falbo.fr" ];
+    # mailDirectory = "/nix/var/data/vmail";
+    loginAccounts = {
+      "paultrial@banditlair.com" = {
+        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
+        hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
+      };
+    };
+    extraVirtualAliases = {
+      "info@banditlair.com" = "paultrial@banditlair.com";
+      "postmaster@banditlair.com" = "paultrial@banditlair.com";
+      "abuse@banditlair.com" = "paultrial@banditlair.com";
+
+      "info@froidmont.org" = "paultrial@banditlair.com";
+      "postmaster@froidmont.org" = "paultrial@banditlair.com";
+      "abuse@froidmont.org" = "paultrial@banditlair.com";
+
+      "info@falbo.fr" = "paultrial@banditlair.com";
+      "postmaster@falbo.fr" = "paultrial@banditlair.com";
+      "abuse@falbo.fr" = "paultrial@banditlair.com";
+    };
+
+
+    # certificateScheme = 3;
+  };
+
+}

modules/murmur.nix

@@ -1,11 +1,15 @@
 { config, lib, pkgs, ... }:
 {
+  sops.secrets.murmurEnvFile = {
+    owner = config.systemd.services.murmur.serviceConfig.User;
+    key = "murmur.env";
+    restartUnits = [ "murmur.service" ];
+  };
+
   services.murmur = {
     enable = true;
     bandwidth = 128000;
     password = "$MURMURD_PASSWORD";
-    environmentFile = "/var/keys/murmur.env";
+    environmentFile = config.sops.secrets.murmurEnvFile.path;
   };
-
-  users.users.murmur.extraGroups = [ "keys" ];
 }

modules/nextcloud.nix

@@ -6,29 +6,54 @@ let
   gidFile = pkgs.writeText "gidfile" ''
     nextcloud:33
   '';
-  sshfsOptions = [
-    "nofail"
-    "identityfile=/var/keys/sshfs-ssh-key"
-    "ServerAliveInterval=15"
-    "idmap=file"
-    "uidfile=${uidFile}"
-    "gidfile=${gidFile}"
-    "allow_other"
-    "default_permissions"
-    "nomap=ignore"
-  ];
 in
 {
+  sops.secrets = {
+    sshfsKey = {
+      key = "sshfs_keys/private";
+      restartUnits = [ "var-lib-nextcloud-data.mount" ];
+    };
+    nextcloudDbPassword = {
+      owner = config.users.users.nextcloud.name;
+      key = "nextcloud/db_password";
+      restartUnits = [ "nextcloud-setup.service" ];
+    };
+    nextcloudAdminPassword = {
+      owner = config.users.users.nextcloud.name;
+      key = "nextcloud/admin_password";
+      restartUnits = [ "nextcloud-setup.service" ];
+    };
+  };
+
   environment.systemPackages = with pkgs; [
     sshfs
   ];
 
-  fileSystems."/var/lib/nextcloud/data" =
-    {
-      device = " www-data@10.0.2.2:/var/lib/nextcloud/data";
-      fsType = "fuse.sshfs";
-      options = sshfsOptions;
+  systemd.services.nextcloud-data-sshfs = {
+    wantedBy = [ "multi-user.target" ];
+    before = [ "phpfpm-nextcloud.service" ];
+    restartIfChanged = false;
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/nextcloud/data";
+      ExecStart =
+        let
+          options = builtins.concatStringsSep "," [
+            "identityfile=${config.sops.secrets.sshfsKey.path}"
+            "ServerAliveInterval=15"
+            "idmap=file"
+            "uidfile=${uidFile}"
+            "gidfile=${gidFile}"
+            "allow_other"
+            "default_permissions"
+            "nomap=ignore"
+          ];
+        in
+        "${pkgs.sshfs}/bin/mount.fuse.sshfs www-data@10.0.2.2:/var/lib/nextcloud/data "
+        + "/var/lib/nextcloud/data -o ${options}";
+      ExecStopPost = "-${pkgs.fuse}/bin/fusermount -u /var/lib/nextcloud/data";
+      KillMode = "process";
     };
+  };
 
   services.nginx = {
     virtualHosts = {
@@ -48,12 +73,11 @@ in
       dbuser = "nextcloud";
       dbhost = "10.0.1.11";
       dbname = "nextcloud";
-      dbpassFile = "/var/keys/nextcloud-db-pass";
-      adminpassFile = "/var/keys/nextcloud-admin-pass";
+      dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
+      adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";
       adminuser = "root";
       overwriteProtocol = "https";
       defaultPhoneRegion = "BE";
     };
   };
-  users.users.nextcloud.extraGroups = [ "keys" ];
 }

modules/postgresql.nix

@@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:
 {
+
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_12;
-    initialScript = "/var/keys/postgres-init.sql";
+    initialScript = pkgs.writeText "postgres-init.sql" ''
+      CREATE ROLE "synapse";
+      CREATE ROLE "nextcloud";
+    '';
     enableTCPIP = true;
     identMap = ''
       root_as_others         root                  postgres
@@ -16,5 +20,47 @@
       host   all     all     10.0.1.0/24    md5
     '';
   };
-  users.users.postgres.extraGroups = [ "keys" ];
+
+  sops.secrets = {
+    synapseDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "synapse/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
+    nextcloudDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "nextcloud/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
+  };
+
+  systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
+    {
+      after = [ "postgresql.service" ];
+      bindsTo = [ "postgresql.service" ];
+      wantedBy = [ "postgresql.service" ];
+      path = [
+        pgsql.package
+        pkgs.util-linux
+      ];
+      script = ''
+        set -eu
+        PSQL() {
+            psql --port=${toString pgsql.port} "$@"
+        }
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
+
+        synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
+        PSQL -tAc  "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
+        nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')"
+        PSQL -tAc  "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
+      '';
+
+      serviceConfig = {
+        User = pgsql.superUser;
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+    };
 }

modules/synapse.nix

@@ -4,7 +4,17 @@ let
     let
       join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
     in
-      join "matrix" config.networking.domain;
+    join "matrix" config.networking.domain;
+  synapseDbConfig = pkgs.writeText "synapse-db-config.yaml" ''
+    database:
+        name: psycopg2
+        args:
+          database: synapse
+          host: "10.0.1.11"
+          user: "synapse"
+          password: "SYNAPSE_DB_PASSWORD"
+    macaroon_secret_key: "MACAROON_SECRET_KEY"
+  '';
 in
 {
   security.acme.email = "letsencrypt.account@banditlair.com";
@@ -26,10 +36,10 @@ in
             # the client-server and server-server port for simplicity
             server = { "m.server" = "${fqdn}:443"; };
           in
-            ''
-              add_header Content-Type application/json;
-              return 200 '${builtins.toJSON server}';
-            '';
+          ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
         locations."= /.well-known/matrix/client".extraConfig =
           let
             client = {
@@ -38,11 +48,11 @@ in
             };
             # ACAO required to allow element-web on any URL to request this json file
           in
-            ''
-              add_header Content-Type application/json;
-              add_header Access-Control-Allow-Origin *;
-              return 200 '${builtins.toJSON client}';
-            '';
+          ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
       };
 
       # Reverse proxy for Matrix client-server and server-server communication
@@ -64,6 +74,43 @@ in
     };
   };
 
+  sops.secrets = {
+    synapseDbPassword = {
+      owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+      key = "synapse/db_password";
+      restartUnits = [ "matrix-synapse-setup" ];
+    };
+    macaroonSecretKey = {
+      owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+      key = "synapse/macaroon_secret_key";
+      restartUnits = [ "matrix-synapse-setup" ];
+    };
+  };
+
+  systemd.services.matrix-synapse-setup = {
+    before = [ "matrix-synapse.service" ];
+
+    script = ''
+      set -euo pipefail
+      install -m 600 ${synapseDbConfig} /run/synapse/synapse-db-config.yaml
+      ${pkgs.replace-secret}/bin/replace-secret 'SYNAPSE_DB_PASSWORD' '${config.sops.secrets.synapseDbPassword.path}' /run/synapse/synapse-db-config.yaml
+      ${pkgs.replace-secret}/bin/replace-secret 'MACAROON_SECRET_KEY' '${config.sops.secrets.macaroonSecretKey.path}' /run/synapse/synapse-db-config.yaml
+    '';
+
+    serviceConfig = {
+      User = config.systemd.services.matrix-synapse.serviceConfig.User;
+      Group = config.systemd.services.matrix-synapse.serviceConfig.Group;
+      Type = "oneshot";
+      RemainAfterExit = true;
+      RuntimeDirectory = "synapse";
+    };
+  };
+
+  systemd.services.matrix-synapse = {
+    after = [ "matrix-synapse-setup.service" "network.target" ];
+    bindsTo = [ "matrix-synapse-setup.service" ];
+  };
+
   services.matrix-synapse = {
     enable = true;
     server_name = config.networking.domain;
@@ -87,7 +134,6 @@ in
       host = "fake"; # This section is overriden in deploy_nixos keys
     };
     dataDir = "/nix/var/data/matrix-synapse";
-    extraConfigFiles = [ "/var/keys/synapse-extra-config.yaml" ];
+    extraConfigFiles = [ "/run/synapse/synapse-db-config.yaml" ];
   };
-  users.users.matrix-synapse.extraGroups = [ "keys" ];
 }