From 8acfe6ee0cbd4b814f17eefaf63fe98b8e7b6ac1 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 14 Dec 2023 15:42:10 +0100
Subject: [PATCH] fix checks

---
 modules/base.nix              |  2 +-
 modules/course-management.nix |  4 +---
 modules/courses-phil.nix      |  4 +---
 modules/gitea.nix             | 29 ++++++++++++++++-------------
 modules/hedgedoc.nix          |  4 +---
 modules/mailman.nix           | 12 ++++--------
 modules/mautrix-telegram.nix  |  4 +---
 modules/nextcloud.nix         |  1 -
 modules/sogo.nix              |  4 +---
 modules/vaultwarden.nix       |  4 +---
 10 files changed, 27 insertions(+), 41 deletions(-)

diff --git a/modules/base.nix b/modules/base.nix
index 348aa2c..c9b4db8 100755
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -93,7 +93,7 @@
     sysstat
     tree
     whois
-    exa
+    eza
     zsh
   ];
 }
diff --git a/modules/course-management.nix b/modules/course-management.nix
index d5ed99a..098d40e 100644
--- a/modules/course-management.nix
+++ b/modules/course-management.nix
@@ -38,9 +38,7 @@ in
       enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force
       ensureUsers = [{
         name = "course-management";
-        ensurePermissions = {
-          "DATABASE \"course-management\"" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }];
       ensureDatabases = [ "course-management" ];
     };
diff --git a/modules/courses-phil.nix b/modules/courses-phil.nix
index 8b358dc..78c03b1 100644
--- a/modules/courses-phil.nix
+++ b/modules/courses-phil.nix
@@ -67,9 +67,7 @@ in
       enableTCPIP = lib.mkForce false;
       ensureUsers = [{
         name = "course-management";
-        ensurePermissions = {
-          "DATABASE \"course-management\"" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }];
       ensureDatabases = [ "course-management" ];
     };
diff --git a/modules/gitea.nix b/modules/gitea.nix
index 9924f61..1d49a8f 100644
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
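Review bot: `ensureDBOwnership = true` in the course-management.nix hunk is a wider grant than the `ALL PRIVILEGES` it replaces: the role becomes owner of the database, which additionally lets it ALTER or DROP the database and grant access to other roles, whereas the old `DATABASE` privilege only conferred CONNECT/CREATE/TEMP. For a single-purpose service role that is the intended upstream replacement and acceptable, but it deserves a one-line comment so the next reader does not take it for a like-for-like swap, e.g. `ensureDBOwnership = true; # role becomes DB owner; the NixOS option requires role name == database name`. That name-equality requirement holds for every role touched here, so the change is sound; the same hunk is repeated in courses-phil.nix, hedgedoc.nix, mautrix-telegram.nix, sogo.nix and vaultwarden.nix, and mailman.nix has an extra consequence noted separately. The enclosing `services.postgresql` blocks start before each hunk.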
@@ -1,40 +1,43 @@ { config, lib, pkgs, ... }: let domain = "git.${config.networking.domain}"; - giteaUser = "git"; + gitUser = "git"; in { sops.secrets.gitea_ldap_search = { key = "portunus/search-password"; - owner = config.services.gitea.user; + owner = config.services.forgejo.user; }; - users.users.${giteaUser} = { + users.users.${gitUser} = { isSystemUser = true; home = config.services.gitea.stateDir; - group = giteaUser; + group = gitUser; useDefaultShell = true; }; - users.groups.${giteaUser} = { }; + users.groups.${gitUser} = { }; - services.gitea = { + services.forgejo = { enable = true; - package = pkgs.forgejo; # community fork - user = giteaUser; - group = giteaUser; - appName = "iFSR Git"; + # package = pkgs.forgejo; # community fork + user = gitUser; + group = gitUser; lfs.enable = true; database = { type = "postgres"; + name = "git"; # legacy createDatabase = true; - user = giteaUser; + user = gitUser; }; # TODO: enable periodic dumps of the DB and repos, maybe use this for backups? # dump = { }; settings = { + DEFAULT = { + APP_NAME = "iFSR Git"; + }; server = { PROTOCOL = "http+unix"; DOMAIN = domain; @@ -68,7 +71,7 @@ in systemd.services.gitea.preStart = let - exe = lib.getExe config.services.gitea.package; + exe = lib.getExe config.services.forgejo.package; portunus = config.services.portunus; basedn = "ou=users,${portunus.ldap.suffix}"; ldapConfigArgs = '' @@ -108,7 +111,7 @@ in enableACME = true; forceSSL = true; locations."/" = { - proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}:/"; + proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; proxyWebsockets = true; }; locations."/api/v1/users/search".return = "403"; diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index bbe2c47..3061aba 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix 
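Review bot: The service is moved to `services.forgejo`, but the unchanged context line `home = config.services.gitea.stateDir;` inside the `users.users.${gitUser}` block still reads the now-unused gitea module, so the git account's home no longer follows the directory the running service actually uses; it should read `home = config.services.forgejo.stateDir;`. The second hunk has the same leftover: `systemd.services.gitea.preStart` still attaches the LDAP provisioning (`ldapConfigArgs`) to a `gitea` unit instead of the forgejo service, so that setup will presumably never run for the new service unless a gitea unit is defined elsewhere; it should become `systemd.services.forgejo.preStart`. Both enclosing attribute sets continue past their hunks. If the existing repositories and data live under the gitea default state directory, `services.forgejo.stateDir` should also be set explicitly, since the forgejo module's default presumably differs — verify against the deployed host before switching.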
@@ -14,9 +14,7 @@ in
     ensureUsers = [
       {
         name = "hedgedoc";
-        ensurePermissions = {
-          "DATABASE hedgedoc" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
     ensureDatabases = [ "hedgedoc" ];
diff --git a/modules/mailman.nix b/modules/mailman.nix
index efaee90..90b2767 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -20,7 +20,7 @@
     webSettings = {
       DATABASES.default = {
         ENGINE = "django.db.backends.postgresql";
-        NAME = "mailmanweb";
+        NAME = "mailman-web";
       };
     };
     ldap = {
@@ -45,18 +45,14 @@
     ensureUsers = [
       {
         name = "mailman";
-        ensurePermissions = {
-          "DATABASE mailman" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
       {
         name = "mailman-web";
-        ensurePermissions = {
-          "DATABASE mailmanweb" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
-    ensureDatabases = [ "mailman" "mailmanweb" ];
+    ensureDatabases = [ "mailman" "mailman-web" ];
   };
   services.nginx.virtualHosts."lists.${config.networking.domain}" = {
     enableACME = true;
diff --git a/modules/mautrix-telegram.nix b/modules/mautrix-telegram.nix
index f17f29b..270ccc7 100644
--- a/modules/mautrix-telegram.nix
+++ b/modules/mautrix-telegram.nix
@@ -10,9 +10,7 @@ in
     enable = true;
     ensureUsers = [{
       name = "mautrix-telegram";
-      ensurePermissions = {
-        "DATABASE \"mautrix-telegram\"" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     }];
     ensureDatabases = [ "mautrix-telegram" ];
   };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 268fbb5..ec60b7b 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -17,7 +17,6 @@ in
     enable = true;
     configureRedis = true;
     package = pkgs.nextcloud27;
-    enableBrokenCiphersForSSE = false; # disable the openssl warning
     hostName = domain;
     https = true; # Use https for all urls
     phpExtraExtensions = all: [
diff --git a/modules/sogo.nix b/modules/sogo.nix
index 8b2490b..cc45369 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
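Review bot: Renaming the Django database from `mailmanweb` to `mailman-web` (the `NAME` line in the first mailman hunk and `ensureDatabases` in the second) makes the postgresql module create a fresh, empty `mailman-web` database on the next activation while the existing `mailmanweb` data — presumably the Postorius/HyperKitty accounts and archives — stays behind untouched, so the web UI would come up empty. The rename is presumably forced by `ensureDBOwnership` requiring the role name to equal the database name, but it needs a one-time migration before this configuration is deployed, e.g. `ALTER DATABASE mailmanweb RENAME TO "mailman-web";` run as the postgres superuser while mailman-web is stopped, and a comment on the `NAME` line recording that. Afterwards there should be no leftover `mailmanweb` database, or it should be documented as the pre-rename copy so it is not mistaken for live data. Both enclosing blocks start before their hunks.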
@@ -51,9 +51,7 @@ in
     ensureUsers = [
       {
         name = "sogo";
-        ensurePermissions = {
-          "DATABASE sogo" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
     ensureDatabases = [ "sogo" ];
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index 3ec5e09..4add3f6 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -25,9 +25,7 @@ in
     ensureUsers = [
       {
         name = "vaultwarden";
-        ensurePermissions = {
-          "DATABASE vaultwarden" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
     ensureDatabases = [ "vaultwarden" ];