Merge pull request 'fix: small nextcloud fixes' (#36) from feat/nextcloud into main
Reviewed-on: pub-solar/infra-new#36 Reviewed-by: teutat3s <teutates@mailbox.org>
commit
67c3be1c43
|
@ -1,3 +1,9 @@
|
||||||
# Unlocking the root partition on boot
|
# Unlocking the root partition on boot
|
||||||
|
|
||||||
After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH on port 2222. After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.
|
After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH with user root on port 2222.
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh root@nachtigall.pub.solar -p2222
|
||||||
|
```
|
||||||
|
|
||||||
|
After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.
|
||||||
|
|
|
@ -107,6 +107,7 @@
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
--data-root /var/lib/docker
|
--data-root /var/lib/docker
|
||||||
'';
|
'';
|
||||||
|
storageDriver = "zfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
@ -153,6 +154,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
||||||
nachtigall = {
|
nachtigall = {
|
||||||
sshUser = username;
|
sshUser = username;
|
||||||
|
|
|
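Review bot: `storageDriver = "zfs";`, the line added under `extraOptions`, only works if `/var/lib/docker` (the `--data-root` two lines above it) is itself a ZFS dataset when dockerd starts; that mount is added in a different file of this same commit, so the coupling is invisible from here. A one-line comment would make it explicit, e.g. `# needs /var/lib/docker to be a ZFS dataset (mounted in the host's fileSystems config)`. The second hunk in this section (`deploy.nodes`) shows only context lines in this rendering, so I cannot tell what it adds. Both hunks sit inside attribute sets that start and end outside the visible lines.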
@ -9,7 +9,10 @@
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
locations."/".proxyPass = "http://127.0.0.1:9980";
|
locations."/".extraConfig = ''
|
||||||
|
proxy_pass http://127.0.0.1:9980;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
|
|
|
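Review bot: Replacing `locations."/".proxyPass` with a raw `proxy_pass` inside `extraConfig` drops the proxy-header include the NixOS nginx module emits for `proxyPass` when `recommendedProxySettings` is enabled (X-Forwarded-For, X-Forwarded-Proto, X-Real-IP); whether that option is set for this host is outside the hunk, so this is something to confirm rather than a certain regression. Since the two options coexist, the smaller change keeps `proxyPass` and adds only the header override: `locations."/".proxyPass = "http://127.0.0.1:9980";` followed by `locations."/".extraConfig = "proxy_set_header Host $host;";`. If the upstream on 9980 speaks websockets, the `Upgrade`/`Connection` headers are also absent from this block; check against the service's reverse-proxy documentation. The enclosing virtualHost attribute set starts and ends outside the hunk.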
@ -1,9 +1,20 @@
|
||||||
{ config, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
flake,
|
||||||
|
...
|
||||||
|
}:
|
||||||
{
|
{
|
||||||
age.secrets."nextcloud-secrets" = {
|
age.secrets."nextcloud-secrets" = {
|
||||||
file = "${flake.self}/secrets/nextcloud-secrets.age";
|
file = "${flake.self}/secrets/nextcloud-secrets.age";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = config.services.mastodon.user;
|
owner = "nextcloud";
|
||||||
|
};
|
||||||
|
|
||||||
|
age.secrets."nextcloud-admin-pass" = {
|
||||||
|
file = "${flake.self}/secrets/nextcloud-admin-pass.age";
|
||||||
|
mode = "400";
|
||||||
|
owner = "nextcloud";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."cloud.pub.solar" = {
|
services.nginx.virtualHosts."cloud.pub.solar" = {
|
||||||
|
@ -16,9 +27,10 @@
|
||||||
home = "/var/lib/nextcloud";
|
home = "/var/lib/nextcloud";
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
|
package = pkgs.nextcloud27;
|
||||||
https = true;
|
https = true;
|
||||||
secretFile = config.age.secrets."nextcloud-secrets".path; # secret
|
secretFile = config.age.secrets."nextcloud-secrets".path; # secret
|
||||||
phpPackage = pkgs.php82;
|
maxUploadSize = "1G";
|
||||||
|
|
||||||
configureRedis = true;
|
configureRedis = true;
|
||||||
|
|
||||||
|
@ -28,11 +40,17 @@
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
adminuser = "admin";
|
adminuser = "admin";
|
||||||
|
adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
|
||||||
dbuser = "nextcloud";
|
dbuser = "nextcloud";
|
||||||
dbtype = "pgsql";
|
dbtype = "pgsql";
|
||||||
dbname = "nextcloud";
|
dbname = "nextcloud";
|
||||||
dbtableprefix = "oc_";
|
dbtableprefix = "oc_";
|
||||||
overwriteProtocol = "https";
|
overwriteProtocol = "https";
|
||||||
|
|
||||||
|
trustedProxies = [
|
||||||
|
"127.0.0.1"
|
||||||
|
"::1"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
extraOptions = {
|
extraOptions = {
|
||||||
|
@ -51,6 +69,13 @@
|
||||||
mail_smtphost = "mx2.greenbaum.cloud";
|
mail_smtphost = "mx2.greenbaum.cloud";
|
||||||
mail_smtpport = "587";
|
mail_smtpport = "587";
|
||||||
|
|
||||||
|
# This is to allow connections to collabora and keycloak, among other services
|
||||||
|
# running on the same host
|
||||||
|
#
|
||||||
|
# https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=allow_local_remote_servers%20true
|
||||||
|
# https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/293
|
||||||
|
allow_local_remote_servers = true;
|
||||||
|
|
||||||
enable_previews = true;
|
enable_previews = true;
|
||||||
enabledPreviewProviders = [
|
enabledPreviewProviders = [
|
||||||
"OC\\Preview\\PNG"
|
"OC\\Preview\\PNG"
|
||||||
|
@ -86,6 +111,10 @@
|
||||||
simpleSignUpLink.shown = false;
|
simpleSignUpLink.shown = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
phpOptions = {
|
||||||
|
"opcache.interned_strings_buffer" = "16";
|
||||||
|
};
|
||||||
|
|
||||||
caching.redis = true;
|
caching.redis = true;
|
||||||
autoUpdateApps.enable = true;
|
autoUpdateApps.enable = true;
|
||||||
database.createLocally = true;
|
database.createLocally = true;
|
||||||
|
|
|
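Review bot: `allow_local_remote_servers = true;` in `extraOptions` switches off Nextcloud's guard against server-side requests to loopback and private address ranges, so any fetch driven by a user-supplied URL (federated shares, external storage, link previews) can now reach services bound to 127.0.0.1 on this host, and the comment above it records only why the setting is wanted, not this cost. I would extend that comment, e.g. `# SECURITY: this also disables the SSRF check for private/loopback ranges; user-supplied URLs can reach local services`, and, if the collabora and keycloak endpoints are reachable by their public hostnames, confirm whether the setting is needed at all. The new `trustedProxies` list is limited to loopback, which matches a local nginx front end. The `services.nextcloud` and `extraOptions` attribute sets these hunks modify start and end outside the visible lines.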
@ -28,6 +28,11 @@
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/docker" =
|
||||||
|
{ device = "root_pool/data/docker";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."/boot1" =
|
fileSystems."/boot1" =
|
||||||
{ device = "/dev/disk/by-uuid/5493-EFF5";
|
{ device = "/dev/disk/by-uuid/5493-EFF5";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
|
27
secrets/nextcloud-admin-pass.age
Normal file
27
secrets/nextcloud-admin-pass.age
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 iDKjwg 1a8hvqTn2un3yxJkdltenSSfEhKMHxXAKlfSnD9vCWo
|
||||||
|
xOzDWr87QMnE9UgnNimz/C+5aKhspG38RQDhhRqg/EE
|
||||||
|
-> ssh-ed25519 uYcDNw Grc5lFL8+r+Evi3bDl5sCidZMZzLU1K8qiZ+Mhqc8gc
|
||||||
|
mu0L16Ar7H6ZGsSMGw9W9AwS+JusygM8fM6LMtMsCo4
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
nJnBVo6ArUYVRYUDRAPfBdxPPjCaOqM8fi+7LNLtThnyDzRm31Fgq/07Xy7ual2O
|
||||||
|
0k10QbXZv3nnhjW+qimfOK9qDpnub0bULBAMKxAGrapb8KdTqpMgMhK7tuySHH+P
|
||||||
|
L8VTLt5woBz+hkla6P0o1s7pcPCmmQ6vITpGDUEGwFS/orYZdGbAe7+sPanagBx7
|
||||||
|
3xh8JRh1VszNa7pRhkRLM9wwLtDCGETT1+5iwdxR18IijvJRbVKkONX6UYkCzy0t
|
||||||
|
8UmVlfO7m7FN7sdvX+59+70nxhxeECuwZh52TZHaio2NyNvIioFquFZ3SfiLzdd8
|
||||||
|
hpUGH1/fPTHvlCTtvI95lXbB370Ta6vpR4uOvAiHz1Oc6aAhbl6QPcZuUr6pFHK0
|
||||||
|
5zxlOgc0+3nN9Iv41KbNfoyJYrEVVuMCizdbeyFGTJe+kKjdKbBblJSla0hUGINB
|
||||||
|
ZsKhzLG5jmCXDo/WC3vVImBN2R+0AWvqoL2jME+jrOmbAcqYToJrv886cEkxdaxs
|
||||||
|
O3DeXLO2hIGpVMVsrsMyHrF7cBPQ0lahM1tlIzdlzbMeDjM6HO/WYa2fz8XGwXu8
|
||||||
|
puBTtRyg0DL/06s9Hr9WqzE1WiEPVl2jhze8jsIzshcN1yCoV/dKnmOVBPj6rBxd
|
||||||
|
dl5XfpO1d6AOtHx1RquWa2BQWp3nkWvYMgTRaPbpK44
|
||||||
|
-> ssh-ed25519 YFSOsg eqXDfDhoOgy4g7nb1X1mfT20kfPkixWs9QqpaaDwCyg
|
||||||
|
+4aFNWh+b1BeKUqPGU79R9EkbFDp/YMSBYMMunV2YrI
|
||||||
|
-> ssh-ed25519 iHV63A F0kH/Uq+wX9F+RDZwTQW4MF8hSo+nwOSTH4vOQF53nA
|
||||||
|
d20TVZfePKn9y5PWZ0XWV2Xr7N2Ma6V3eSroOiZcgXM
|
||||||
|
-> ssh-ed25519 BVsyTA VvabFmOpUc+TCAFKQYFmlPokmFyqYiD0W9hELvOXv24
|
||||||
|
QJ3LX0bqOgujAB/2T//oCctA/fv1Jc8WugVu6iM9gxE
|
||||||
|
-> x\:P|P,}-grease @YO [b'lw5 *.WKU
|
||||||
|
hfTYY2Pu
|
||||||
|
--- vCfB3aNBGwwBSvtdjzAUKCzCt/z7YvufcAf/VhaZfcg
|
||||||
|
•Àâa9™r†ûÏ_GMSs˜˜Œ#ˆ(¾»;´›a±·(Ãy<C383>ƒ&¤ï|<7C>!wá„i–GÈÁ!¾e4¥Ùxc<78>
|
|
@ -37,4 +37,5 @@ in {
|
||||||
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
|
|
||||||
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
|
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||||
}
|
}
|
||||||
|
|