parent
262ef3bb45
commit
8bb7b4cac2
2 changed files with 151 additions and 22 deletions
|
@ -233,12 +233,35 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
}
|
||||
{
|
||||
# nextcloud
|
||||
# TODO: investigate https://carlosvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/
|
||||
/*
|
||||
users.users.nextcloud = {
|
||||
isSystemUser = true;
|
||||
createHome = false;
|
||||
group = "nextcloud";
|
||||
};
|
||||
users.groups.nextcloud = {};
|
||||
sops.secrets = {
|
||||
nextcloud-admin-password = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
mode = "400";
|
||||
};
|
||||
};
|
||||
systemd.tmpfiles.settings = {
|
||||
"10-nextcloud" = {
|
||||
"/storage/nextcloud" = {
|
||||
"d" = {
|
||||
mode = "0750";
|
||||
user = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.restic.commonPaths = [
|
||||
"/storage/nextcloud"
|
||||
];
|
||||
services.postgresql = {
|
||||
ensureDatabases = [
|
||||
"nextcloud"
|
||||
];
|
||||
ensureDatabases = ["nextcloud"];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "nextcloud";
|
||||
|
@ -246,13 +269,107 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
}
|
||||
];
|
||||
};
|
||||
nextcloud
|
||||
users.users.nextcloud = {
|
||||
isSystemUser = true;
|
||||
createHome = false;
|
||||
group = "nextcloud";
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
hostName = "nextcloud.h.lyte.dev";
|
||||
maxUploadSize = "100G";
|
||||
extraAppsEnable = true;
|
||||
autoUpdateApps.enable = true;
|
||||
extraApps = with config.services.nextcloud.package.packages.apps; {
|
||||
inherit calendar contacts notes onlyoffice tasks;
|
||||
};
|
||||
package = pkgs.nextcloud28;
|
||||
home = "/storage/nextcloud";
|
||||
configureRedis = true;
|
||||
caching.redis = true;
|
||||
settings = {
|
||||
# TODO: SMTP
|
||||
maintenance_window_start = 1;
|
||||
};
|
||||
config = {
|
||||
adminpassFile = config.sops.secrets.nextcloud-admin-password.path;
|
||||
adminuser = "daniel";
|
||||
dbtype = "pgsql";
|
||||
dbhost = "/run/postgresql";
|
||||
};
|
||||
phpOptions = {
|
||||
"xdebug.mode" = "debug";
|
||||
"xdebug.client_host" = "10.0.2.2";
|
||||
"xdebug.client_port" = "9000";
|
||||
"xdebug.start_with_request" = "yes";
|
||||
"xdebug.idekey" = "ECLIPSE";
|
||||
};
|
||||
};
|
||||
*/
|
||||
services.nginx.enable = false;
|
||||
systemd.services.nextcloud = {
|
||||
serviceConfig.User = "nextcloud";
|
||||
serviceConfig.Group = "nextcloud";
|
||||
};
|
||||
|
||||
services.phpfpm.pools.nextcloud.settings = {
|
||||
"listen.owner" = "caddy";
|
||||
"listen.group" = "caddy";
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts."nextcloud.h.lyte.dev" = let
|
||||
fpm-nextcloud-pool = config.services.phpfpm.pools.nextcloud;
|
||||
root = config.services.nginx.virtualHosts.${config.services.nextcloud.hostName}.root;
|
||||
in
|
||||
lib.mkIf config.services.nextcloud.enable {
|
||||
extraConfig = ''
|
||||
encode zstd gzip
|
||||
|
||||
root * ${root}
|
||||
|
||||
redir /.well-known/carddav /remote.php/dav 301
|
||||
redir /.well-known/caldav /remote.php/dav 301
|
||||
redir /.well-known/* /index.php{uri} 301
|
||||
redir /remote/* /remote.php{uri} 301
|
||||
|
||||
header {
|
||||
Strict-Transport-Security max-age=31536000
|
||||
Permissions-Policy interest-cohort=()
|
||||
X-Content-Type-Options nosniff
|
||||
X-Frame-Options SAMEORIGIN
|
||||
Referrer-Policy no-referrer
|
||||
X-XSS-Protection "1; mode=block"
|
||||
X-Permitted-Cross-Domain-Policies none
|
||||
X-Robots-Tag "noindex, nofollow"
|
||||
X-Forwarded-Host nextcloud.h.lyte.dev
|
||||
-X-Powered-By
|
||||
}
|
||||
|
||||
php_fastcgi unix/${fpm-nextcloud-pool.socket} {
|
||||
root ${root}
|
||||
env front_controller_active true
|
||||
env modHeadersAvailable true
|
||||
}
|
||||
|
||||
@forbidden {
|
||||
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
|
||||
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
|
||||
not path /.well-known/*
|
||||
}
|
||||
error @forbidden 404
|
||||
|
||||
@immutable {
|
||||
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
||||
query v=*
|
||||
}
|
||||
header @immutable Cache-Control "max-age=15778463, immutable"
|
||||
|
||||
@static {
|
||||
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
||||
not query v=*
|
||||
}
|
||||
header @static Cache-Control "max-age=15778463"
|
||||
|
||||
@woff2 path *.woff2
|
||||
header @woff2 Cache-Control "max-age=604800"
|
||||
|
||||
file_server
|
||||
'';
|
||||
};
|
||||
}
|
||||
{
|
||||
# plausible
|
||||
|
@ -423,6 +540,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
ensureUsers = [
|
||||
{
|
||||
name = "daniel";
|
||||
ensureClauses = {
|
||||
# superuser = true;
|
||||
# createrole = true;
|
||||
# createdb = true;
|
||||
# bypassrls = true;
|
||||
};
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
|
@ -513,6 +636,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
|
||||
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
|
||||
# TODO: give the "daniel" user access to all databases
|
||||
/*
|
||||
authentication = pkgs.lib.mkOverride 10 ''
|
||||
#type database user auth-method auth-options
|
||||
local all postgres peer map=superuser_map
|
||||
|
@ -526,7 +650,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
# tailnet ipv4
|
||||
host all daniel 100.64.0.0/10 trust
|
||||
'';
|
||||
*/
|
||||
|
||||
/*
|
||||
identMap = ''
|
||||
# map system_user db_user
|
||||
superuser_map root postgres
|
||||
|
@ -536,6 +662,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
# Let other names login as themselves
|
||||
superuser_map /^(.*)$ \1
|
||||
'';
|
||||
*/
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
|
@ -688,17 +815,17 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
};
|
||||
}
|
||||
{
|
||||
systemd.tmpfiles.settings = {
|
||||
"10-forgejo" = {
|
||||
"/storage/forgejo" = {
|
||||
"d" = {
|
||||
mode = "0700";
|
||||
user = "forgejo";
|
||||
group = "nogroup";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
# systemd.tmpfiles.settings = {
|
||||
# "10-forgejo" = {
|
||||
# "/storage/forgejo" = {
|
||||
# "d" = {
|
||||
# mode = "0700";
|
||||
# user = "forgejo";
|
||||
# group = "nogroup";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
stateDir = "/storage/forgejo";
|
||||
|
|
|
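Review bot: The line `X-Forwarded-Host nextcloud.h.lyte.dev` inside the `header { ... }` block of the Caddy virtual host sets a response header sent back to the browser, not a request header passed to PHP-FPM, so it does nothing for how Nextcloud resolves its host (php_fastcgi already derives HTTP_HOST/SERVER_NAME from the request) and merely leaks an extra header to clients; drop that line, or if the intent is to feed Nextcloud's proxy handling use `request_header X-Forwarded-Host nextcloud.h.lyte.dev` outside the response header block. The `systemd.services.nextcloud` block a few lines above it sets User/Group on a unit name the NixOS Nextcloud module does not appear to define (its units are nextcloud-setup, nextcloud-cron and phpfpm-nextcloud, which already run as `nextcloud`), so it most likely yields a stray unit with no ExecStart rather than changing anything; confirm against the module and remove or retarget it. The `@forbidden`/`error @forbidden 404` pair matches the documented Nextcloud Caddy snippet and relies on Caddy's default directive order placing `error` before `php_fastcgi`/`file_server`, which is worth a one-line comment above `@forbidden` so a later `order` tweak does not silently expose `/config/*` and `/data/*`. In the third hunk, `ensureDBOwnership = true;` for the `daniel` role requires a database named `daniel` in `ensureDatabases`, otherwise evaluation fails on the postgresql module's assertion; `ensureDatabases` is outside this hunk, so verify it.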
@ -59,6 +59,8 @@
|
|||
"atuin.h.lyte.dev"
|
||||
"grafana.h.lyte.dev"
|
||||
"prometheus.h.lyte.dev"
|
||||
"nextcloud.h.lyte.dev"
|
||||
"onlyoffice.h.lyte.dev"
|
||||
"a.lyte.dev"
|
||||
];
|
||||
};
|
||||
|
|