From a8dfc9276e43f2e9fa0a838797b1d373edce394f Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 24 Jan 2023 11:58:36 +0100
Subject: [PATCH] added nextcloud
---
 .sops.yaml | 7 +++
 hosts/nuc/default.nix | 2 +-
 hosts/nuc/modules/nextcloud/default.nix | 64 +++++++++++++++++++++++++
 hosts/nuc/modules/nginx/default.nix | 10 ++++
 secrets/nuc.yaml | 43 +++++++++++++++++
 5 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 hosts/nuc/modules/nextcloud/default.nix
 create mode 100644 hosts/nuc/modules/nginx/default.nix
 create mode 100644 secrets/nuc.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 811cb10..ba8bfb7 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
 - &rouven 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
 - &thinkpad age1s5aes35ku7d2600mwxu8jndvngqrpuuu2h6yrcetytgstkuzlsvstut3ge
+ - &nuc age1930r9v2y57zkwghlxapj348c4rfnmr70de898cdhu5rue5cpagzq74wymk
 creation_rules:
 - path_regex: secrets/thinkpad\.yaml$
 key_groups:
@@ -8,3 +9,9 @@ creation_rules:
 - *rouven
 age:
 - *thinkpad
+ - path_regex: secrets/nuc\.yaml$
+ key_groups:
+ - pgp:
+ - *rouven
+ age:
+ - *nuc
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 10d8020..7434982 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -7,7 +7,7 @@
 ./hardware-configuration.nix
 ./modules/networks
 ../../shared/vim.nix
- # ../../shared/sops.nix
+ ../../shared/sops.nix
 ];
 boot = {
diff --git a/hosts/nuc/modules/nextcloud/default.nix b/hosts/nuc/modules/nextcloud/default.nix
new file mode 100644
index 0000000..82aeff9
--- /dev/null
+++ b/hosts/nuc/modules/nextcloud/default.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "nextcloud.rfive.de";
+in
+{
+ sops.secrets = {
+ "nextcloud/dbpass" = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ "nextcloud/adminpass" = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ };
+
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions = {
+ "DATABASE nextcloud" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "nextcloud" ];
+ };
+
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud25; # Use current latest nextcloud package
+ hostName = "${domain}";
+ https = true; # Use https for all urls
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ dbpassFile = config.sops.secrets."nextcloud/dbpass".path;
+ adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+ adminuser = "admin";
+ };
+ };
+
+ # Enable ACME and force SSL
+ nginx = {
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+ };
+
+ # ensure that postgres is running *before* running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+}
diff --git a/hosts/nuc/modules/nginx/default.nix b/hosts/nuc/modules/nginx/default.nix
new file mode 100644
index 0000000..baaf493
--- /dev/null
+++ b/hosts/nuc/modules/nginx/default.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+ services.nginx.enable = true;
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "rouven@rfive.de";
+ };
+ };
+}
diff --git a/secrets/nuc.yaml b/secrets/nuc.yaml
new file mode 100644
index 0000000..cd8da69
--- /dev/null
+++ b/secrets/nuc.yaml
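Review bot: The `nextcloud/dbpass` secret wired in on the `dbpassFile = config.sops.secrets."nextcloud/dbpass".path;` line is, as far as this hunk shows, never applied to the database role: `ensureUsers` creates `nextcloud` without a password, and with `dbhost = "/run/postgresql"` the connection goes over the Unix socket, where the NixOS PostgreSQL default pg_hba (peer auth for local connections, if I remember correctly — worth confirming) means the password is read but never checked, so the secret gives a false sense that the database is password-gated. Either drop the secret and rely on peer auth explicitly, or set the role's password; at minimum add `# dbpass is not enforced over the peer-authenticated socket; see pg_hba before relying on it` next to that line. Separately, neither `./modules/nextcloud` nor `./modules/nginx` is added to the imports of hosts/nuc/default.nix in this patch, so unless they are pulled in elsewhere this module is never evaluated. Minor style point: `hostName = "${domain}";` can just be `hostName = domain;`.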
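Review bot: `services.nginx.enable = true;` brings nginx up with its stock TLS protocol/cipher defaults, while every vhost this host defines is meant to be HTTPS-only (forceSSL plus ACME), so the module should also set `services.nginx.recommendedTlsSettings = true;` to get the curated protocol/cipher list and stapling rather than whatever the packaged nginx.conf ships. Nothing in this hunk opens TCP 80/443 in the firewall either; if `./modules/networks` does not do that, the HTTP-01 challenge behind `enableACME` will fail at first activation, so a comment such as `# 80/443 are opened in ./modules/networks` would document the dependency. I would also leave gzip off for TLS vhosts unless the BREACH trade-off has been considered, so do not add `recommendedGzipSettings` alongside it.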
@@ -0,0 +1,43 @@ +nextcloud: + dbpass: ENC[AES256_GCM,data:M8NrNlTJe9r5qUyGcSod5qGGRsJu18Ppng==,iv:YHjImCZEbJGC8Mj278Iz6ETMmCs3k+IZsCACI27bMM8=,tag:+nvMxCj8YxMIIbLoosxsvg==,type:str] + adminpass: ENC[AES256_GCM,data:w4gkgC0wnBh2NLjKz58JBg+FU7hLLkuaJQ==,iv:5FOBhbngHccVY9WxyjC1x93vXzHlBFsF06+oVTC1vl8=,tag:8sLPIBl2/QJTk134OEtAfw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1930r9v2y57zkwghlxapj348c4rfnmr70de898cdhu5rue5cpagzq74wymk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaS3dmRVZXV3hwbzFaYmlN + N2daRVlJalBkbU42OGNjU0puSFpjUEpNYXpJCkh6NmtSSllIVkl3NWdhTGpyelpw + VGdhcFNmQkFhcFVJUFdVa0hudXZaSTQKLS0tIExJUW9pTU9GSkltS2xqWVkzcW9i + cWdNRzdhOUdheFdaWlNNTG4rUFlaVlUKs+/IYY3/2n60+QbVkXZu9Sp57jh+7ncA + DqrjJGBo9MNXfSS7qJ+p7dVksA2kxCNwvKV7y/zbvtXKGusvs+Qe/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-01-24T10:56:15Z" + mac: ENC[AES256_GCM,data:kpueAVFABUAZ6GO5NmNtTBWcxQ6SH1whTVueF5oxQFA+BxFY+J3fUBnxRk1oAlR1VEmevqtHmMYbp9U5pu17j9M7ZJ5fZZMxunB9tr3oSPDYHLgmIENaVoh1O9F/+MDA/6AamqhVlvq16Ltb/uHR7sSmR6GAh+tKEJLb7ivyPis=,iv:pN6B7GV+J+T0ZENKpH5UtWwzkjLNJkJ3hliqrcX8oBw=,tag:9Z6ujfpGu3pDcDUHnoXi3A==,type:str] + pgp: + - created_at: "2023-01-24T10:54:00Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAzUXo8ZPJwGLAQ/9FUqs5nO82fNRJeDsjTlU/J6bo3dGZo0XzuRTGCSgMAQW + CB29HXbt4PV6aXF79HEVTYFWnZj0ygsyOCheI00w9Ab2MlVqMpFDB6lSYGzsVdEU + IyLiBALNr3ag6uBWErRVz4YOR1QVe0sTeBf/K6ei6k2A6sJGesR0awZtOvwGo7r1 + wp9EaaWugNM0ewwG/lPXjzFJLHL9H0RJ62K+ccGBUuj6NielHFvRweJLbpUdK6Mm + Wji/MjZWBMIMLolGo8P7MQ4OIeCjEz8NvNCwvrwddWeSDMKB08tX+DZGtFIJm5ll + mU6qeTWV/SV0LO6LwzhFwyrxlBfKFJ/6VWZWsFQbilOKuhElIo3NZxKGWXP8BvT6 + +mez3VYlPL4ExRjgzOl8DRcy/PmBRxB563PADDlAf6LSEdT886le6t6XY87RbHCa + oX/dmXFtC8tFsEKWsb3UP7ovhh7/z9DFexvG0nSi8mT0jvl90rCiL9lr2wLvo+dN + 3K9EMUrEKqJWLRwmnXY0LhzV47RryDo69rk7vGH4FrDYEPGQIXBt+OakYNMjzdzO + v6/yYx615nw89s5whIThJ2S53SYChnWxsTZ2qgNegqWkDg2KdoQxqRT1wM6hZdBx + 
6U4DhmwIQDILaYPrWHHMsh9ob+PG9+xLemyn9SK9+zwk1v2QDqFwYnVzwLBTcU7S + UQGsXzXBwjxbdF0N+O8/wI/54UEMnpJ9baqFkDgGUDUeVbMMT1Rwu2Iqm5e8qwwl + mYY9Fgqn3ewi+7NxGb40AM/saCYlrorShiohBdvklmKvYQ== + =rHpH + -----END PGP MESSAGE----- + fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 + unencrypted_suffix: _unencrypted + version: 3.7.3