Merge pull request 'fix: small nextcloud fixes' (#36) from feat/nextcloud into main

Reviewed-on: pub-solar/infra-new#36
Reviewed-by: teutat3s <teutates@mailbox.org>
This commit is contained in:
teutat3s 2023-10-29 19:52:16 +00:00
commit 67c3be1c43
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
7 changed files with 78 additions and 5 deletions


@ -1,3 +1,9 @@
# Unlocking the root partition on boot # Unlocking the root partition on boot
After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH on port 2222. After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2. After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH with user root on port 2222.
```
ssh root@nachtigall.pub.solar -p2222
```
After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.


@ -107,6 +107,7 @@
extraOptions = '' extraOptions = ''
--data-root /var/lib/docker --data-root /var/lib/docker
''; '';
storageDriver = "zfs";
}; };
services.openssh.enable = true; services.openssh.enable = true;
@ -153,6 +154,7 @@
}; };
}; };
}; };
deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations { deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations {
nachtigall = { nachtigall = {
sshUser = username; sshUser = username;
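Review bot: `storageDriver = "zfs";` in the first hunk switches Docker's storage driver in place, and Docker keeps a separate image store per driver, so images and containers created under the previous driver in `--data-root /var/lib/docker` will no longer be visible after the switch and have to be pulled or recreated; a short comment next to the option would save the next operator a surprise, e.g. `# needs /var/lib/docker on a ZFS dataset; images from the previous driver are not migrated`. The dedicated dataset is added in the fileSystems change of this same PR, so that prerequisite is covered. The enclosing `virtualisation.docker` attribute set starts outside the hunk.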


@ -9,7 +9,10 @@
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:9980"; locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
'';
}; };
virtualisation = { virtualisation = {
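Review bot: Moving `proxy_pass` into `extraConfig` leaves this location without a `proxyPass` value, and the NixOS nginx module only emits the `recommendedProxySettings` header include and the `proxyWebsockets` upgrade directives for locations where `proxyPass` is set, so forwarded-for/proto and websocket upgrade headers (which Collabora needs for its `/cool/` endpoint) would now have to be written by hand here. Keeping the option and adding only the Host header avoids that: `locations."/" = { proxyPass = "http://127.0.0.1:9980"; proxyWebsockets = true; extraConfig = "proxy_set_header Host $host;"; };`. This is inferred from the module's location template and assumes `recommendedProxySettings` is enabled on the nginx service elsewhere in the config; the enclosing virtualHost definition starts and ends outside the hunk.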


@ -1,9 +1,20 @@
{ config, pkgs, ... }: {
config,
pkgs,
flake,
...
}:
{ {
age.secrets."nextcloud-secrets" = { age.secrets."nextcloud-secrets" = {
file = "${flake.self}/secrets/nextcloud-secrets.age"; file = "${flake.self}/secrets/nextcloud-secrets.age";
mode = "400"; mode = "400";
owner = config.services.mastodon.user; owner = "nextcloud";
};
age.secrets."nextcloud-admin-pass" = {
file = "${flake.self}/secrets/nextcloud-admin-pass.age";
mode = "400";
owner = "nextcloud";
}; };
services.nginx.virtualHosts."cloud.pub.solar" = { services.nginx.virtualHosts."cloud.pub.solar" = {
@ -16,9 +27,10 @@
home = "/var/lib/nextcloud"; home = "/var/lib/nextcloud";
enable = true; enable = true;
package = pkgs.nextcloud27;
https = true; https = true;
secretFile = config.age.secrets."nextcloud-secrets".path; # secret secretFile = config.age.secrets."nextcloud-secrets".path; # secret
phpPackage = pkgs.php82; maxUploadSize = "1G";
configureRedis = true; configureRedis = true;
@ -28,11 +40,17 @@
config = { config = {
adminuser = "admin"; adminuser = "admin";
adminpassFile = config.age.secrets."nextcloud-admin-pass".path;
dbuser = "nextcloud"; dbuser = "nextcloud";
dbtype = "pgsql"; dbtype = "pgsql";
dbname = "nextcloud"; dbname = "nextcloud";
dbtableprefix = "oc_"; dbtableprefix = "oc_";
overwriteProtocol = "https"; overwriteProtocol = "https";
trustedProxies = [
"127.0.0.1"
"::1"
];
}; };
extraOptions = { extraOptions = {
@ -51,6 +69,13 @@
mail_smtphost = "mx2.greenbaum.cloud"; mail_smtphost = "mx2.greenbaum.cloud";
mail_smtpport = "587"; mail_smtpport = "587";
# This is to allow connections to collabora and keycloak, among other services
# running on the same host
#
# https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=allow_local_remote_servers%20true
# https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/293
allow_local_remote_servers = true;
enable_previews = true; enable_previews = true;
enabledPreviewProviders = [ enabledPreviewProviders = [
"OC\\Preview\\PNG" "OC\\Preview\\PNG"
@ -86,6 +111,10 @@
simpleSignUpLink.shown = false; simpleSignUpLink.shown = false;
}; };
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
caching.redis = true; caching.redis = true;
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
database.createLocally = true; database.createLocally = true;
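Review bot: `allow_local_remote_servers = true;` in the extraOptions hunk turns off Nextcloud's check that outbound requests do not target loopback or private addresses, which is its safeguard against server-side request forgery through user-supplied URLs (federated shares, external storage, link fetching), and it does so for every outbound request, not only those to Collabora and Keycloak; the existing comment gives the reason but should also record that trade-off, e.g. `# NOTE: disables Nextcloud's local-address (SSRF) check globally, not just for collabora/keycloak`. Separately, `phpOptions = { "opcache.interned_strings_buffer" = "16"; };` may replace rather than extend the module's default php.ini set depending on the nixpkgs revision in use, so it is worth confirming the other opcache and upload defaults still appear in the generated php.ini. The `trustedProxies` entries and the new `adminpassFile` with a root-owned-to-`nextcloud`, mode 400 secret look right; the `services.nextcloud` attribute set continues outside the hunk.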


@ -28,6 +28,11 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/docker" =
{ device = "root_pool/data/docker";
fsType = "zfs";
};
fileSystems."/boot1" = fileSystems."/boot1" =
{ device = "/dev/disk/by-uuid/5493-EFF5"; { device = "/dev/disk/by-uuid/5493-EFF5";
fsType = "vfat"; fsType = "vfat";


@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg 1a8hvqTn2un3yxJkdltenSSfEhKMHxXAKlfSnD9vCWo
xOzDWr87QMnE9UgnNimz/C+5aKhspG38RQDhhRqg/EE
-> ssh-ed25519 uYcDNw Grc5lFL8+r+Evi3bDl5sCidZMZzLU1K8qiZ+Mhqc8gc
mu0L16Ar7H6ZGsSMGw9W9AwS+JusygM8fM6LMtMsCo4
-> ssh-rsa kFDS0A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-> ssh-ed25519 YFSOsg eqXDfDhoOgy4g7nb1X1mfT20kfPkixWs9QqpaaDwCyg
+4aFNWh+b1BeKUqPGU79R9EkbFDp/YMSBYMMunV2YrI
-> ssh-ed25519 iHV63A F0kH/Uq+wX9F+RDZwTQW4MF8hSo+nwOSTH4vOQF53nA
d20TVZfePKn9y5PWZ0XWV2Xr7N2Ma6V3eSroOiZcgXM
-> ssh-ed25519 BVsyTA VvabFmOpUc+TCAFKQYFmlPokmFyqYiD0W9hELvOXv24
QJ3LX0bqOgujAB/2T//oCctA/fv1Jc8WugVu6iM9gxE
-> x\:P|P,}-grease @YO [b'lw5 *.WKU
hfTYY2Pu
--- vCfB3aNBGwwBSvtdjzAUKCzCt/z7YvufcAf/VhaZfcg
•Àâa9™r†ûÏ_GMSs˜˜Œ#ˆ(¾»;´a±·(Ãy<C383>ƒ&¤ï|<7C>!wá„iGÈÁ!¾e4¥Ùxc<78>


@ -37,4 +37,5 @@ in {
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;
} }