
This commit is contained in:
Daniel Flanagan 2024-09-12 22:37:20 -05:00
parent 262ef3bb45
commit 8bb7b4cac2
2 changed files with 151 additions and 22 deletions


@ -233,12 +233,35 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
} }
{ {
# nextcloud # nextcloud
# TODO: investigate https://carlosvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/ users.users.nextcloud = {
/* isSystemUser = true;
createHome = false;
group = "nextcloud";
};
users.groups.nextcloud = {};
sops.secrets = {
nextcloud-admin-password = {
owner = "nextcloud";
group = "nextcloud";
mode = "400";
};
};
systemd.tmpfiles.settings = {
"10-nextcloud" = {
"/storage/nextcloud" = {
"d" = {
mode = "0750";
user = "nextcloud";
group = "nextcloud";
};
};
};
};
services.restic.commonPaths = [
"/storage/nextcloud"
];
services.postgresql = { services.postgresql = {
ensureDatabases = [ ensureDatabases = ["nextcloud"];
"nextcloud"
];
ensureUsers = [ ensureUsers = [
{ {
name = "nextcloud"; name = "nextcloud";
@ -246,13 +269,107 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
} }
]; ];
}; };
nextcloud services.nextcloud = {
users.users.nextcloud = { enable = true;
isSystemUser = true; hostName = "nextcloud.h.lyte.dev";
createHome = false; maxUploadSize = "100G";
group = "nextcloud"; extraAppsEnable = true;
autoUpdateApps.enable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit calendar contacts notes onlyoffice tasks;
};
package = pkgs.nextcloud28;
home = "/storage/nextcloud";
configureRedis = true;
caching.redis = true;
settings = {
# TODO: SMTP
maintenance_window_start = 1;
};
config = {
adminpassFile = config.sops.secrets.nextcloud-admin-password.path;
adminuser = "daniel";
dbtype = "pgsql";
dbhost = "/run/postgresql";
};
phpOptions = {
"xdebug.mode" = "debug";
"xdebug.client_host" = "10.0.2.2";
"xdebug.client_port" = "9000";
"xdebug.start_with_request" = "yes";
"xdebug.idekey" = "ECLIPSE";
};
}; };
*/ services.nginx.enable = false;
systemd.services.nextcloud = {
serviceConfig.User = "nextcloud";
serviceConfig.Group = "nextcloud";
};
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = "caddy";
"listen.group" = "caddy";
};
services.caddy.virtualHosts."nextcloud.h.lyte.dev" = let
fpm-nextcloud-pool = config.services.phpfpm.pools.nextcloud;
root = config.services.nginx.virtualHosts.${config.services.nextcloud.hostName}.root;
in
lib.mkIf config.services.nextcloud.enable {
extraConfig = ''
encode zstd gzip
root * ${root}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
X-Forwarded-Host nextcloud.h.lyte.dev
-X-Powered-By
}
php_fastcgi unix/${fpm-nextcloud-pool.socket} {
root ${root}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
};
} }
{ {
# plausible # plausible
@ -423,6 +540,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
ensureUsers = [ ensureUsers = [
{ {
name = "daniel"; name = "daniel";
ensureClauses = {
# superuser = true;
# createrole = true;
# createdb = true;
# bypassrls = true;
};
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
@ -513,6 +636,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html # https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
# TODO: give the "daniel" user access to all databases # TODO: give the "daniel" user access to all databases
/*
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
#type database user auth-method auth-options #type database user auth-method auth-options
local all postgres peer map=superuser_map local all postgres peer map=superuser_map
@ -526,7 +650,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# tailnet ipv4 # tailnet ipv4
host all daniel 100.64.0.0/10 trust host all daniel 100.64.0.0/10 trust
''; '';
*/
/*
identMap = '' identMap = ''
# map system_user db_user # map system_user db_user
superuser_map root postgres superuser_map root postgres
@ -536,6 +662,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# Let other names login as themselves # Let other names login as themselves
superuser_map /^(.*)$ \1 superuser_map /^(.*)$ \1
''; '';
*/
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
@ -688,17 +815,17 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
} }
{ {
systemd.tmpfiles.settings = { # systemd.tmpfiles.settings = {
"10-forgejo" = { # "10-forgejo" = {
"/storage/forgejo" = { # "/storage/forgejo" = {
"d" = { # "d" = {
mode = "0700"; # mode = "0700";
user = "forgejo"; # user = "forgejo";
group = "nogroup"; # group = "nogroup";
}; # };
}; # };
}; # };
}; # };
services.forgejo = { services.forgejo = {
enable = true; enable = true;
stateDir = "/storage/forgejo"; stateDir = "/storage/forgejo";
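Review bot: The new `phpOptions` block in the nextcloud hunk (`@ -246,13 +269,107 @@`) sets `xdebug.mode = debug` and `xdebug.start_with_request = yes` with a client host of 10.0.2.2 on a service that is being published as nextcloud.h.lyte.dev, which reads like a leftover development setting rather than something intended for the deployed host. Whether the xdebug extension is actually loaded into this PHP is not visible here; if it is, every request would try to open a debugger session and run with the debug hooks active, with the performance cost and exposure that implies, so I would drop the five `"xdebug.*"` entries or move them behind a clearly named option that is off by default. Separately, `X-Forwarded-Host nextcloud.h.lyte.dev` sits inside Caddy's `header { }` block, which manipulates response headers, so that line does not affect what PHP sees via `php_fastcgi` and can be removed. The `systemd.services.nextcloud` override with only `serviceConfig.User`/`Group` appears to target a unit the NixOS module may not define under that exact name (the setup unit is named differently); worth confirming it attaches to the intended service. The enclosing module list continues outside the hunk.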


@ -59,6 +59,8 @@
"atuin.h.lyte.dev" "atuin.h.lyte.dev"
"grafana.h.lyte.dev" "grafana.h.lyte.dev"
"prometheus.h.lyte.dev" "prometheus.h.lyte.dev"
"nextcloud.h.lyte.dev"
"onlyoffice.h.lyte.dev"
"a.lyte.dev" "a.lyte.dev"
]; ];
}; };