diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index 56ad8bf..a11e6e9 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -233,12 +233,35 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 } { # nextcloud - # TODO: investigate https://carlosvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/ - /* + users.users.nextcloud = { + isSystemUser = true; + createHome = false; + group = "nextcloud"; + }; + users.groups.nextcloud = {}; + sops.secrets = { + nextcloud-admin-password = { + owner = "nextcloud"; + group = "nextcloud"; + mode = "400"; + }; + }; + systemd.tmpfiles.settings = { + "10-nextcloud" = { + "/storage/nextcloud" = { + "d" = { + mode = "0750"; + user = "nextcloud"; + group = "nextcloud"; + }; + }; + }; + }; + services.restic.commonPaths = [ + "/storage/nextcloud" + ]; services.postgresql = { - ensureDatabases = [ - "nextcloud" - ]; + ensureDatabases = ["nextcloud"]; ensureUsers = [ { name = "nextcloud"; @@ -246,13 +269,107 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 } ]; }; - nextcloud - users.users.nextcloud = { - isSystemUser = true; - createHome = false; - group = "nextcloud"; + services.nextcloud = { + enable = true; + hostName = "nextcloud.h.lyte.dev"; + maxUploadSize = "100G"; + extraAppsEnable = true; + autoUpdateApps.enable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + inherit calendar contacts notes onlyoffice tasks; + }; + package = pkgs.nextcloud28; + home = "/storage/nextcloud"; + configureRedis = true; + caching.redis = true; + settings = { + # TODO: SMTP + maintenance_window_start = 1; + }; + config = { + adminpassFile = config.sops.secrets.nextcloud-admin-password.path; + adminuser = "daniel"; + dbtype = "pgsql"; + dbhost = "/run/postgresql"; + }; + phpOptions = { + "xdebug.mode" = "debug"; + "xdebug.client_host" = "10.0.2.2"; + "xdebug.client_port" = "9000"; + "xdebug.start_with_request" = "yes"; + "xdebug.idekey" = "ECLIPSE"; + }; }; - */ + services.nginx.enable = false; + systemd.services.nextcloud = { + serviceConfig.User = "nextcloud"; + serviceConfig.Group = "nextcloud"; + }; + + services.phpfpm.pools.nextcloud.settings = { + "listen.owner" = "caddy"; + "listen.group" = "caddy"; + }; + + services.caddy.virtualHosts."nextcloud.h.lyte.dev" = let + fpm-nextcloud-pool = config.services.phpfpm.pools.nextcloud; + root = config.services.nginx.virtualHosts.${config.services.nextcloud.hostName}.root; + in + lib.mkIf config.services.nextcloud.enable { + extraConfig = '' + encode zstd gzip + + root * ${root} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + X-Forwarded-Host nextcloud.h.lyte.dev + -X-Powered-By + } + + php_fastcgi unix/${fpm-nextcloud-pool.socket} { + root ${root} + env front_controller_active true + env modHeadersAvailable true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; + }; } { # plausible @@ -423,6 +540,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 ensureUsers = [ { name = "daniel"; + ensureClauses = { + # superuser = true; + # createrole = true; + # createdb = true; + # bypassrls = true; + }; ensureDBOwnership = true; } ]; @@ -513,6 +636,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # https://www.postgresql.org/docs/current/auth-pg-hba-conf.html # TODO: give the "daniel" user access to all databases + /* authentication = pkgs.lib.mkOverride 10 '' #type database user auth-method auth-options local all postgres peer map=superuser_map @@ -526,7 +650,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # tailnet ipv4 host all daniel 100.64.0.0/10 trust ''; + */ + /* identMap = '' # map system_user db_user superuser_map root postgres @@ -536,6 +662,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # Let other names login as themselves superuser_map /^(.*)$ \1 ''; + */ }; services.postgresqlBackup = { @@ -688,17 +815,17 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 }; } { - systemd.tmpfiles.settings = { - "10-forgejo" = { - "/storage/forgejo" = { - "d" = { - mode = "0700"; - user = "forgejo"; - group = "nogroup"; - }; - }; - }; - }; + # systemd.tmpfiles.settings = { + # "10-forgejo" = { + # "/storage/forgejo" = { + # "d" = { + # mode = "0700"; + # user = "forgejo"; + # group = "nogroup"; + # }; + # }; + # }; + # }; services.forgejo = { enable = true; stateDir = "/storage/forgejo"; diff --git a/nixos/router.nix b/nixos/router.nix index d3bd2dd..737fbda 100644 --- a/nixos/router.nix +++ b/nixos/router.nix @@ -59,6 +59,8 @@ "atuin.h.lyte.dev" "grafana.h.lyte.dev" "prometheus.h.lyte.dev" + "nextcloud.h.lyte.dev" + "onlyoffice.h.lyte.dev" "a.lyte.dev" ]; };