From 6f3bdbc4568d3cff04cd1ea21d69d6779b028061 Mon Sep 17 00:00:00 2001 From: Lucas Fugmann Date: Fri, 18 Nov 2022 17:00:20 +0100 Subject: [PATCH 1/3] add nextcloud config --- flake.lock | 14 ++++----- flake.nix | 3 +- modules/hedgedoc.nix | 4 +-- modules/nextcloud.nix | 66 +++++++++++++++++++++++++++++++++++++++++++ secrets/quitte.yaml | 6 ++-- secrets/test.yaml | 6 ++-- 6 files changed, 83 insertions(+), 16 deletions(-) create mode 100644 modules/nextcloud.nix
diff --git a/flake.lock b/flake.lock
index ce513b7..18a7033 100644
--- a/flake.lock
+++ b/flake.lock
@@ -87,18 +87,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1662496411,
- "narHash": "sha256-BLzFzRQewnmzdCrcOv2f+IYQI9iY25MXBmJWHoxWynY=",
- "owner": "revol-xut",
+ "lastModified": 1668650906,
+ "narHash": "sha256-JuiYfDO23O8oxUUOmhQflmOoJovyC5G4RjcYQMQjrRE=",
+ "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6d2d09e50ba9d12b80ed1c3be844f1d120e02682",
+ "rev": "3a86856a13c88c8c64ea32082a851fefc79aa700",
 "type": "github"
 },
 "original": {
- "owner": "revol-xut",
- "ref": "nixos-22.05",
- "repo": "nixpkgs",
- "type": "github"
+ "id": "nixpkgs",
+ "type": "indirect"
 }
 },
 "root": {
diff --git a/flake.nix b/flake.nix
index 087bed7..2149789 100755
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,5 @@
 {
 inputs = {
- nixpkgs.url = github:revol-xut/nixpkgs/nixos-22.05;
- #nixpkgs.url = github:revol-xut/nixpkgs/master;
 sops-nix.url = github:Mic92/sops-nix;
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 fsr-infoscreen.url = github:fsr/infoscreen;
@@ -64,6 +62,7 @@
 ./modules/hedgedoc.nix
 ./modules/wiki.nix
 ./modules/stream.nix
+ ./modules/nextcloud.nix
 {
 sops.defaultSopsFile = ./secrets/quitte.yaml;
 }
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index 501b0d9..f85d2a7 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -19,7 +19,7 @@ in
 hedgedoc = {
 enable = true;
- configuration = {
+ settings = {
 port = 3002;
 domain = "${domain}";
 protocolUseSSL = true;
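Review bot: Removing `nixpkgs.url` from `inputs` leaves the nixpkgs input resolved through the flake registry (the lock now records `"type": "indirect"` with no `ref`), so the repository no longer declares which channel it builds from and a future `nix flake update` will follow whatever the registry maps `nixpkgs` to instead of a release branch. The locked rev `3a86856` keeps builds reproducible until someone updates, but the supply-chain intent is no longer visible in the source. I would keep an explicit pin on the branch that actually carries `nextcloud25` and the hedgedoc `settings` option, e.g. `nixpkgs.url = github:NixOS/nixpkgs/nixos-unstable;` or the matching `nixos-XX.YY` ref, with a one-line comment stating why that branch was chosen. The `inputs` attrset continues outside the hunk.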
@@ -44,7 +44,7 @@ in
 enableACME = true;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
+ proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
 proxyWebsockets = true;
 };
 };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
new file mode 100644
index 0000000..7722c91
--- /dev/null
+++ b/modules/nextcloud.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "nc.quitte.fugi.dev";
+in
+{
+ sops.secrets = {
+ postgres_nextcloud = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ nextcloud_adminpass = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ };
+
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions = {
+ "DATABASE nextcloud" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "nextcloud" ];
+ };
+
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud25;
+ hostName = "${domain}";
+ https = true;
+ phpExtraExtensions = all: [
+ all.ldap
+ ];
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ dbpassFile = config.sops.secrets.postgres_nextcloud.path;
+ adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
+ adminuser = "root";
+ };
+ };
+
+ nginx = {
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+ };
+
+ # ensure that postgres is running *before* running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index e43d2e7..2657cef 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
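Review bot: `adminuser = "root";` together with `adminpassFile` in the new `services.nextcloud.config` block deserves a lifecycle comment: as far as I recall the NixOS module only passes these two values to the initial `occ maintenance:install`, so later rotating `nextcloud_adminpass` in sops does not change the live admin password, and the well-known name `root` makes that privileged login a predictable brute-force target. I would pick a non-obvious account name and document the one-shot nature, e.g. `adminuser = "ncadmin"; # consumed only on first install - rotate afterwards with occ user:resetpassword`. The same caveat presumably applies to `dbpassFile`: with `dbhost = "/run/postgresql"` the connection uses the local socket, where the NixOS postgres default is peer authentication, so the password file is likely never consulted and should carry a comment saying so rather than suggesting it is the credential to rotate. The trailing `systemd.services."nextcloud-setup"` ordering may duplicate what the module already sets for a local pgsql host; a comment such as `# kept explicit in case the module's own ordering changes` would make that intent clear.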
@@ -1,5 +1,7 @@ postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str] postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrUREj0=,iv:fnSs3FOgmFn5/BqKTODpwIq023ZRMF8s/JiDyf2ZqkE=,tag:oit5sHf6QffhYYi/WJk5SQ==,type:str] +postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str] +nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] mediawiki: @@ -21,8 +23,8 @@ sops: N3R3emp1d0Z1OEZIU082Q2VXWHRLSVkKkw6L/Zm17zP6Ej0KCASv1uSibzDCG2Zp 22lr2Kw6qIgQn1zO8wEpgHMfiJMImMgon/EWpozz/De0C/xOWgYprg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-10-01T12:32:58Z" - mac: ENC[AES256_GCM,data:s0Fj8NhTEer1evxhlXU1sAuzZjHvw+tHFJdwRCrzc5ux/JQUjGGVzEH3fbdIX41PXEhKVi64J3EJCmLfPhXOrY7idGtEyzDOfny+mswbdo6tfAn/P+G+uNw96qXh3Msq+SwDnzWuhjPYfoXX9Ku5m9rYS/qodq+huKrxV6pfu8Q=,iv:0YBxmSC5CiPO2xk65sKP8+itp3xTjQRq0t845XFpGF0=,tag:F58Iz3cteXRNpj+Jtnnoqw==,type:str] + lastmodified: "2022-11-18T15:28:28Z" + mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str] pgp: - created_at: "2022-11-18T15:05:14Z" enc: | 
diff --git a/secrets/test.yaml b/secrets/test.yaml index effc1c5..6e56e70 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml @@ -1,5 +1,7 @@ postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str] postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str] +postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str] +nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str] wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] mediawiki: @@ -21,8 +23,8 @@ sops: NjZ6dDludHREWTFkdmFST08vb05MNGsKbvBFq6gn9m85fWVgrYuDDZz1uJvMYIwU NcptCTo8AVckjTNuP0z19TGt1oD+eYSe55W1hbUKJ1c7wqAys0VnkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-05T11:24:00Z" - mac: ENC[AES256_GCM,data:IgW58nKqznUoWBhsI+HZD47HjJ7qF8/lS5nQ2Qg2VE7JkQgs/+AYVyMNAckjnpDtHEnK/YaFmnTfRpdQ7BMGaJtGu6TT0PR60jme82rg+iMwspSOVsAIDf9YyrjIv0rF7xwCF65p4/3TIc1OohV2GzLsAykKApMA5kqAo+UNSAs=,iv:sWURn1jmZ7myC2gEuo5BdcZn8JNSXQsopLWeOoLEpkc=,tag:E5kldjnyElfvJyilPiCYUg==,type:str] + lastmodified: "2022-11-18T15:23:26Z" + mac: ENC[AES256_GCM,data:meFon3NJLJ3E7pxGFvmol2WThaTPlPUKdRzeLnPhcLeJ2cGzj/DlnjTBmsk9hKhhTsQ4osdFo/DchId0MyV7Xi5ZmMVD0lyRZEPzguIbkg3UezRiNlosm21DpQ7Pl/yEXd02x/5kLast/Ud3zF1ZNGeGTxNriZvm5XY3KFiMCSY=,iv:oPPQnA82IbMTCsivp1fh4k9hS2keyh7Zm1C1jRkYUMU=,tag:vOkON7/N4v3yXu8kYkAEMg==,type:str] pgp: - created_at: "2022-11-18T15:05:25Z" enc: | 
From 67a76a0b2e807ccdd6993b42387656637e4202c3 Mon Sep 17 00:00:00 2001 From: Lucas Fugmann Date: Fri, 18 Nov 2022 17:13:58 +0100 Subject: [PATCH 2/3] fix tabs --- modules/nextcloud.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 7722c91..180737f 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -40,8 +40,8 @@ in
 dbtype = "pgsql";
 dbuser = "nextcloud";
 dbhost = "/run/postgresql";
- dbname = "nextcloud";
- dbpassFile = config.sops.secrets.postgres_nextcloud.path;
+ dbname = "nextcloud";
+ dbpassFile = config.sops.secrets.postgres_nextcloud.path;
 adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
 adminuser = "root";
 };
From 970f1180cce812c2ac01ff1b3447a7186ea47bab Mon Sep 17 00:00:00 2001 From: Lucas Fugmann Date: Fri, 18 Nov 2022 17:40:12 +0100 Subject: [PATCH 3/3] add comments --- modules/nextcloud.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 180737f..8769369 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -30,11 +30,11 @@ in
 nextcloud = {
 enable = true;
- package = pkgs.nextcloud25;
+ package = pkgs.nextcloud25; # Use current latest nextcloud package
 hostName = "${domain}";
- https = true;
+ https = true; # Use https for all urls
 phpExtraExtensions = all: [
- all.ldap
+ all.ldap # Enable ldap php extension
 ];
 config = {
 dbtype = "pgsql";
@@ -47,6 +47,7 @@ in
 };
 };
+ # Enable ACME and force SSL
 nginx = {
 recommendedProxySettings = true;
 virtualHosts = {
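Review bot: The comment `# Use current latest nextcloud package` on the `package` line describes a pin as if it tracked the latest release; `pkgs.nextcloud25` is a fixed major that will silently stop being current as new majors land, and Nextcloud upgrades are expected to step through one major at a time, so the comment should explain why the pin exists and that it is bumped deliberately, e.g. `package = pkgs.nextcloud25; # pinned major: bump one release at a time, never skip majors`. `# Use https for all urls` is fine but could say what the option actually changes, i.e. that generated links and the overwrite-protocol use https because TLS is terminated by nginx in front of php-fpm. The second hunk's `# Enable ACME and force SSL` sits above `recommendedProxySettings = true;`, which is unrelated to certificates and presumably unused here since the nextcloud vhost serves php-fpm directly rather than proxying; either move the comment down to the `virtualHosts` entry or note why the proxy settings are wanted.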