Compare commits
No commits in common. "7f12cb9bdc471bf74abb2b65c5354e710bbbe069" and "265b9c549e2c30df2257bea1bdcc339d3ee37c33" have entirely different histories.
7f12cb9bdc
...
265b9c549e
|
@ -9,6 +9,5 @@ in
|
||||||
forgejo.enable = mkEnableOption "forgejo";
|
forgejo.enable = mkEnableOption "forgejo";
|
||||||
kavita.enable = mkEnableOption "kavita";
|
kavita.enable = mkEnableOption "kavita";
|
||||||
samba.enable = mkEnableOption "samba";
|
samba.enable = mkEnableOption "samba";
|
||||||
nextcloud.enable = mkEnableOption "nextcloud";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,7 +33,6 @@
|
||||||
forgejo.enable = true;
|
forgejo.enable = true;
|
||||||
kavita.enable = true;
|
kavita.enable = true;
|
||||||
samba.enable = true;
|
samba.enable = true;
|
||||||
nextcloud.enable = true;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
router: ENC[AES256_GCM,data:AulD1VVGGYhEEnHEr8TSYLfMyA14BfTUF3QKxlKpbH7G5Eo/CGZaTSQYBzehgmNZKVAZAG1Efe60aSNhlk1ZlGxMnODGw1wV/dAnuTrqd7ixEE/hz9hO1qr1daWRmb73jQpw3XmFeAHBl4XnLIhdLFNXKEcgZBJ7piw5ZXDpG5EhaUrPhKpRMQb+yPkA9eBTI023iFOiJ8du1TF0RuqTUExUSCkcVaNgpn0pwd5tgnM/gAg7SJ0MGNRPaVL0Bq2S5e6SSO90mFcXPEQDk/1jy3Ml7ZFFQ9GrN612X3j2lYLKcwfBH5327pU=,iv:UBxOzdVt8Nof+I/H2wY0Tng8rrKZyt3fPRVLzygxIuo=,tag:TIWvIFy2QGkP1qMlnnMlbQ==,type:str]
|
forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
|
||||||
|
cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -14,8 +15,8 @@ sops:
|
||||||
OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
|
OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
|
||||||
+bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
|
+bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-06-13T13:48:11Z"
|
lastmodified: "2024-06-13T06:44:09Z"
|
||||||
mac: ENC[AES256_GCM,data:LjWV/1NPeN58VHH/lgHTukHHDu0zfqCCLeFoVS4yN91IkjdvvqwvTD74GDigw7lm++6LWILjF0zIlryUHJKg4T+Xztsj/kRntVuhSTXsDUU9mu/AOCLu5P7k4fn+N9rAMh5ML9ukeU+ZxTaOHLfezYMLv2c+01B1iMfjZ2qJ9Q4=,iv:Dh4WG98sfRUrTYnbfrZt0gX0co8lI8DUpdxFMy165GI=,tag:9Nn9UcKijyu6RhUjiUDd4g==,type:str]
|
mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
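Review bot: The new side's sops metadata is older than the old side's — `lastmodified: "2024-06-13T06:44:09Z"` on the new side versus `"2024-06-13T13:48:11Z"` on the old — so in this compare the "new" state of the secrets file predates the "old" one, which matches the "No commits in common" banner at the top of the page. Read as a change to apply, it would replace the `router` key with `forgejo`, add `cockpit`, and discard the later edit; confirm that 265b9c549e is really the intended head before anything is merged or force-pushed from it, because a divergent-history compare of a secrets file is the usual way a secret gets silently rolled back. Note also that sops keeps mapping keys in the clear and encrypts only the values, so `router`, `forgejo`, `cockpit` — and the fact that Caddy site snippets are being handled as secrets at all — are readable by anyone with access to the repository. The visible tail of the `age` stanza is byte-identical on both sides, so no rekeying is involved; only the values and the `mac` differ.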
|
|
|
@ -1,22 +0,0 @@
|
||||||
nextcloud:
|
|
||||||
homeserver: ENC[AES256_GCM,data:ZX0LfvXQ1h1LInuvRajKpyhAP8AbyGbTs40=,iv:gpADsYG655zUdDC+j0idtVdMCmwjWSFhSJ2Us0BgBkM=,tag:JPHrZ0YZSEI+AqUm6Bb48Q==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeWIrNllOYlhnd3FYZGls
|
|
||||||
TUdDaSs0RHhVMHBxRFJwSWFxS0N5WVUxYXhNCmRTdnNMQy9TMDd1MUxLYSt0OEs5
|
|
||||||
VTg4TnpqVUdEY1Ywa280NktQYnVVUDgKLS0tIExtUjZXdTViMklLYVFqOHBkQnBV
|
|
||||||
bDN6M1ZEK3ZsdW5ydHNIc282TVo4YVkKeOgUwUJanhOn034l2B6Xp0UxogGP0/US
|
|
||||||
Bl+Mt+MYolkkNo3CT6w1bmsDXEDOb1Za8lmsMM1OH13bVpSQ/ygVzQ==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2024-06-13T16:14:14Z"
|
|
||||||
mac: ENC[AES256_GCM,data:QbHr/M2lcH0RFMHA5w+cdft803ZeDLgD7k45/gtM+09PmmQG4UMoHns4PoSxBtHUQkjNtHo53jet+sduC5fuO4Rek8xNsgmoIk7Zd46UU8I4QLxGcXLLWyOvddvR2LH5JpQCXbfHULJBynZskBtTntPg2h9F13PuTehOM0lHykM=,iv:su2ZOOK2v8x9vLgCcGTUJTSREMcxCAQXvhC/FKMk4nU=,tag:t5G+vnMw2KgiWYpSqQN1Cw==,type:str]
|
|
||||||
pgp: []
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
|
@ -11,11 +11,5 @@ in
|
||||||
import /etc/caddy/sites-enabled/*
|
import /etc/caddy/sites-enabled/*
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."router" = {
|
|
||||||
sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
|
|
||||||
path = "/etc/caddy/sites-enabled/router";
|
|
||||||
mode = "0444";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
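Review bot: On the new side `import /etc/caddy/sites-enabled/*` survives while the only visible producer of files in that directory, `sops.secrets."router"`, is removed, so this module no longer shows where its imported vhost configuration comes from. I'd put a comment above the import naming the producers, e.g. `# Populated at activation by sops.secrets entries declared in sibling modules (presumably cockpit.nix / forgejo.nix, matching the keys in secrets/caddy_reverse_proxy.yaml); every file here is trusted Caddy config, so the directory must stay root-owned and unwritable by service users.` — anything able to write into that directory controls reverse_proxy targets and file_server roots for the whole proxy. As far as I recall Caddy only warns, rather than fails, when a glob import matches no files, so a missing or mis-pathed secret would leave those hosts silently unserved; the declaring modules should pin `path` under `/etc/caddy/sites-enabled/`. The `services.caddy` attribute set this hunk edits begins above the hunk.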
|
|
|
@ -5,6 +5,5 @@
|
||||||
./cockpit.nix
|
./cockpit.nix
|
||||||
./forgejo.nix
|
./forgejo.nix
|
||||||
./samba.nix
|
./samba.nix
|
||||||
./nextcloud.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,11 +6,6 @@ in
|
||||||
{
|
{
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
|
services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
|
||||||
@home_not_login {
|
|
||||||
not header_regexp Cookie gitea_incredible
|
|
||||||
path /
|
|
||||||
}
|
|
||||||
redir @home_not_login /Tigor
|
|
||||||
reverse_proxy * unix//run/forgejo/forgejo.sock
|
reverse_proxy * unix//run/forgejo/forgejo.sock
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
@ -18,11 +13,11 @@ in
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
server = rec {
|
server = {
|
||||||
PROTOCOL = "http+unix";
|
PROTOCOL = "http+unix";
|
||||||
DOMAIN = "git.tigor.web.id";
|
DOMAIN = "git.tigor.web.id";
|
||||||
HTTP_PORT = 443;
|
HTTP_PORT = 443;
|
||||||
ROOT_URL = "https://${DOMAIN}:${toString HTTP_PORT}";
|
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
|
||||||
};
|
};
|
||||||
service = {
|
service = {
|
||||||
DISABLE_REGISTRATION = true;
|
DISABLE_REGISTRATION = true;
|
||||||
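Review bot: The rewritten `ROOT_URL` still interpolates `HTTP_PORT`, so the public URL becomes `https://git.tigor.web.id:443`, while with `PROTOCOL = "http+unix"` Forgejo listens on the socket and the port's only remaining use in this block is that URL. Browsers send `Host: git.tigor.web.id` without a port, so an explicit `:443` in ROOT_URL can make comparisons against ROOT_URL (redirect-safety checks, OAuth redirect URIs, webhook or CORS origin matching) disagree with what clients actually present; I'd drop both: `ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";` and remove `HTTP_PORT = 443;`. The hunk above removes the cookie-gated redirect of `/` to `/Tigor`; with `DISABLE_REGISTRATION = true` kept that is fine, but nothing visible tells Forgejo to trust the proxy's forwarded headers, so verify that client IPs in its logs and rate limiting are not all the socket peer. Both the `extraConfig` string and the `settings.server` set begin outside these hunks.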
|
|
|
@ -1,175 +0,0 @@
|
||||||
# Directly ripped from https://github.com/onny/nixos-nextcloud-testumgebung/blob/main/nextcloud-extras.nix
|
|
||||||
|
|
||||||
{ config
|
|
||||||
, lib
|
|
||||||
, ...
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
|
|
||||||
inherit
|
|
||||||
(lib)
|
|
||||||
optionalString
|
|
||||||
escapeShellArg
|
|
||||||
types
|
|
||||||
concatStringsSep
|
|
||||||
mapAttrsToList
|
|
||||||
mkIf
|
|
||||||
mkOption
|
|
||||||
mkDefault
|
|
||||||
mkForce
|
|
||||||
;
|
|
||||||
|
|
||||||
cfg = config.services.nextcloud;
|
|
||||||
fpm = config.services.phpfpm.pools.nextcloud;
|
|
||||||
webserver = config.services.${cfg.webserver};
|
|
||||||
|
|
||||||
in
|
|
||||||
{
|
|
||||||
|
|
||||||
options = {
|
|
||||||
services.nextcloud = {
|
|
||||||
|
|
||||||
ensureUsers = mkOption {
|
|
||||||
default = { };
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
List of user accounts which get automatically created if they don't
|
|
||||||
exist yet. This option does not delete accounts which are not listed
|
|
||||||
anymore.
|
|
||||||
'';
|
|
||||||
example = {
|
|
||||||
user1 = {
|
|
||||||
passwordFile = /secrets/user1-localhost;
|
|
||||||
email = "user1@localhost";
|
|
||||||
};
|
|
||||||
user2 = {
|
|
||||||
passwordFile = /secrets/user2-localhost;
|
|
||||||
email = "user2@localhost";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
type = types.attrsOf (types.submodule {
|
|
||||||
options = {
|
|
||||||
passwordFile = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
example = "/path/to/file";
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Specifies the path to a file containing the
|
|
||||||
clear text password for the user.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
email = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
example = "user1@localhost";
|
|
||||||
default = null;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
|
||||||
webserver = mkOption {
|
|
||||||
type = types.enum [ "nginx" "caddy" ];
|
|
||||||
default = "nginx";
|
|
||||||
description = ''
|
|
||||||
Whether to use nginx or caddy for virtual host management.
|
|
||||||
Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>.
|
|
||||||
See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
|
|
||||||
systemd.services.nextcloud-ensure-users = {
|
|
||||||
enable = true;
|
|
||||||
script = ''
|
|
||||||
${optionalString (cfg.ensureUsers != {}) ''
|
|
||||||
${concatStringsSep "\n" (mapAttrsToList (name: cfg: ''
|
|
||||||
if ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
|
|
||||||
export OC_PASS="$(cat ${escapeShellArg cfg.passwordFile})"
|
|
||||||
${config.services.nextcloud.occ}/bin/nextcloud-occ user:add --password-from-env "${name}"
|
|
||||||
fi
|
|
||||||
if ! ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
|
|
||||||
${optionalString (cfg.email != null) ''
|
|
||||||
${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting "${name}" settings email "${cfg.email}"
|
|
||||||
''}
|
|
||||||
fi
|
|
||||||
'') cfg.ensureUsers)}
|
|
||||||
''}
|
|
||||||
'';
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "nextcloud-setup.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.phpfpm.pools.nextcloud.settings = {
|
|
||||||
"listen.owner" = webserver.user;
|
|
||||||
"listen.group" = webserver.group;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups.nextcloud.members = [ "nextcloud" webserver.user ];
|
|
||||||
|
|
||||||
services.nginx = lib.mkIf (cfg.webserver == "caddy") {
|
|
||||||
enable = mkForce false;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.caddy = lib.mkIf (cfg.webserver == "caddy") {
|
|
||||||
enable = mkDefault true;
|
|
||||||
virtualHosts."${if cfg.https then "https" else "http"}://${cfg.hostName}" = {
|
|
||||||
extraConfig = ''
|
|
||||||
encode zstd gzip
|
|
||||||
|
|
||||||
root * ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
|
|
||||||
|
|
||||||
redir /.well-known/carddav /remote.php/dav 301
|
|
||||||
redir /.well-known/caldav /remote.php/dav 301
|
|
||||||
redir /.well-known/* /index.php{uri} 301
|
|
||||||
redir /remote/* /remote.php{uri} 301
|
|
||||||
|
|
||||||
header {
|
|
||||||
Strict-Transport-Security max-age=31536000
|
|
||||||
Permissions-Policy interest-cohort=()
|
|
||||||
X-Content-Type-Options nosniff
|
|
||||||
X-Frame-Options SAMEORIGIN
|
|
||||||
Referrer-Policy no-referrer
|
|
||||||
X-XSS-Protection "1; mode=block"
|
|
||||||
X-Permitted-Cross-Domain-Policies none
|
|
||||||
X-Robots-Tag "noindex, nofollow"
|
|
||||||
-X-Powered-By
|
|
||||||
}
|
|
||||||
|
|
||||||
php_fastcgi unix/${fpm.socket} {
|
|
||||||
root ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
|
|
||||||
env front_controller_active true
|
|
||||||
env modHeadersAvailable true
|
|
||||||
}
|
|
||||||
|
|
||||||
@forbidden {
|
|
||||||
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
|
|
||||||
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
|
|
||||||
not path /.well-known/*
|
|
||||||
}
|
|
||||||
error @forbidden 404
|
|
||||||
|
|
||||||
@immutable {
|
|
||||||
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
|
||||||
query v=*
|
|
||||||
}
|
|
||||||
header @immutable Cache-Control "max-age=15778463, immutable"
|
|
||||||
|
|
||||||
@static {
|
|
||||||
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
|
||||||
not query v=*
|
|
||||||
}
|
|
||||||
header @static Cache-Control "max-age=15778463"
|
|
||||||
|
|
||||||
@woff2 path *.woff2
|
|
||||||
header @woff2 Cache-Control "max-age=604800"
|
|
||||||
|
|
||||||
file_server
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,42 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.profile.services.nextcloud;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [ ./nextcloud-extras.nix ];
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
users.groups.nextcloud.members = [ config.profile.user.name ];
|
|
||||||
sops.secrets =
|
|
||||||
let
|
|
||||||
opts = {
|
|
||||||
owner = "nextcloud";
|
|
||||||
sopsFile = ../../secrets/nextcloud.yaml;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"nextcloud/homeserver" = opts;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Do not set services.nextcloud.home. Issues with sandboxing nature of NixOS.
|
|
||||||
# Instead uses bind mount and fstab to mount seeked directory to /var/lib/nextcloud.
|
|
||||||
fileSystems."/nas/nextcloud" = {
|
|
||||||
device = "/var/lib/nextcloud";
|
|
||||||
fsType = "none";
|
|
||||||
options = [ "bind" ];
|
|
||||||
};
|
|
||||||
services.nextcloud =
|
|
||||||
let
|
|
||||||
secrets = config.sops.secrets;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
enable = true;
|
|
||||||
https = true;
|
|
||||||
webserver = "caddy";
|
|
||||||
hostName = "nextcloud.tigor.web.id"; # The nextcloud-extras will ensure Caddy to take care of this.
|
|
||||||
config = {
|
|
||||||
adminuser = "homeserver";
|
|
||||||
adminpassFile = secrets."nextcloud/homeserver".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|