diff --git a/flake.nix b/flake.nix
index 0bc7545e..48b6fa15 100644
--- a/flake.nix
+++ b/flake.nix
@@ -103,7 +103,13 @@
 nixosModules = {
 # Common nixos/nix-darwin configuration shared between Linux and macOS.
 common = { pkgs, ... }: {
- virtualisation.docker.enable = true;
+ virtualisation.docker = {
+ enable = true;
+ extraOptions = ''
+ --data-root /var/lib/docker
+ '';
+ };
+
 services.openssh.enable = true;
 services.openssh.settings.PermitRootLogin = "prohibit-password";
 services.openssh.settings.PasswordAuthentication = false;
diff --git a/hosts/nachtigall/apps/collabora.nix b/hosts/nachtigall/apps/collabora.nix
new file mode 100644
index 00000000..cfe875e0
--- /dev/null
+++ b/hosts/nachtigall/apps/collabora.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ pkgs,
+ self,
+ ...
+}: {
+ services.nginx.virtualHosts."collabora.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".proxyPass = "http://127.0.0.1:9980";
+ };
+
+ virtualisation = {
+ oci-containers = {
+ backend = "docker";
+
+ containers."collabora" = {
+ image = "collabora/code";
+ autoStart = true;
+ ports = [
+ "127.0.0.1:9980:9980"
+ ];
+ extraOptions = [
+ "--cap-add=MKNOD"
+ "--pull=always"
+ ];
+ environment = {
+ server_name = "collabora.pub.solar";
+ aliasgroup1 = "https://cloud.pub.solar:443";
+ DONT_GEN_SSL_CERT = "1";
+ extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+ SLEEPFORDEBUGGER = "0";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix
new file mode 100644
index 00000000..ca9ac871
--- /dev/null
+++ b/hosts/nachtigall/apps/nextcloud.nix
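Review bot: `--data-root /var/lib/docker` in the new extraOptions is Docker's built-in default data root, so as written the added block behaves exactly like the `virtualisation.docker.enable = true;` line it replaces. If the intent is to pin the location explicitly against a future default change (or to make it obvious where the new oci-containers images land), say so in a comment, e.g. `# pin Docker's data root explicitly; container images/volumes live here`. NixOS also exposes the same daemon setting structurally as `virtualisation.docker.daemon.settings.data-root = "/var/lib/docker";`, which avoids a hand-written flag string and is validated at evaluation time.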
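Review bot: `image = "collabora/code"` carries neither a tag nor a digest and is combined with `--pull=always`, so every container start deploys whatever the registry currently serves under the floating tag, unreviewed and not reproducible from this repository. Pin it, e.g. `image = "collabora/code:<TAG>@sha256:<DIGEST>";` (fill in the values of the image you validated) and bump it deliberately. The `/` location only sets proxyPass, but Collabora's document sessions run over WebSocket, so it needs `locations."/" = { proxyPass = "http://127.0.0.1:9980"; proxyWebsockets = true; };`. `--cap-add=MKNOD` looks redundant as well, since MKNOD is already in Docker's default capability set unless the daemon is configured to drop it; if it was added for a concrete failure, a comment naming it would help.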
@@ -0,0 +1,93 @@
+{ config, pkgs, ... }:
+{
+ age.secrets."nextcloud-secrets" = {
+ file = "${flake.self}/secrets/nextcloud-secrets.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+
+ services.nginx.virtualHosts."cloud.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ services.nextcloud = {
+ hostName = "cloud.pub.solar";
+ home = "/var/lib/nextcloud";
+
+ enable = true;
+ https = true;
+ secretFile = config.age.secrets."nextcloud-secrets".path; # secret
+ phpPackage = pkgs.php82;
+
+ configureRedis = true;
+
+ notify_push = {
+ enable = true;
+ };
+
+ config = {
+ adminuser = "admin";
+ dbuser = "nextcloud";
+ dbtype = "pgsql";
+ dbname = "nextcloud";
+ dbtableprefix = "oc_";
+ overwriteProtocol = "https";
+ };
+
+ extraOptions = {
+ overwrite.cli.url = "http://cloud.pub.solar";
+
+ installed = true;
+ default_phone_region = "+49";
+ mail_sendmailmode = "smtp";
+ mail_from_address = "nextcloud";
+ mail_smtpmode = "smtp";
+ mail_smtpauthtype = "PLAIN";
+ mail_domain = "pub.solar";
+ mail_smtpname = "admins@pub.solar";
+ mail_smtpsecure = "tls";
+ mail_smtpauth = 1;
+ mail_smtphost = "mx2.greenbaum.cloud";
+ mail_smtpport = "587";
+
+ enable_previews = true;
+ enabledPreviewProviders = [
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\XBitmap"
+ "OC\\Preview\\Movie"
+ "OC\\Preview\\PDF"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\MarkDown"
+ ];
+ preview_max_x = "1024";
+ preview_max_y = "768";
+ preview_max_scale_factor = "1";
+
+ auth.bruteforce.protection.enabled = true;
+ trashbin_retention_obligation = "auto,7";
+ skeletondirectory = "";
+ defaultapp = "file";
+ activity_expire_days = "14";
+ integrity.check.disabled = false;
+ updater.release.channel = "stable";
+ loglevel = 0;
+ # maintenance = false;
+ app_install_overwrite = [
+ "pdfdraw"
+ "integration_whiteboard"
+ ];
+ htaccess.RewriteBase = "/";
+ theme = "";
+ simpleSignUpLink.shown = false;
+ };
+
+ caching.redis = true;
+ autoUpdateApps.enable = true;
+ database.createLocally = true;
+ };
+}
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index ccd276ff..f4c1ed82 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -10,10 +10,12 @@
 ./nix.nix
 ./apps/nginx.nix
+ ./apps/collabora.nix
 ./apps/forgejo.nix
 ./apps/keycloak.nix
 ./apps/mailman.nix
 ./apps/mastodon.nix
+ ./apps/nextcloud.nix
 ./apps/nginx-mastodon.nix
 ./apps/nginx-mastodon-files.nix
 ./apps/nginx-website.nix
diff --git a/secrets/nextcloud-secrets.age b/secrets/nextcloud-secrets.age
new file mode 100644
index 00000000..937ccecc
--- /dev/null
+++ b/secrets/nextcloud-secrets.age
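Review bot: `file = "${flake.self}/secrets/nextcloud-secrets.age";` references `flake`, which is not among this module's arguments `{ config, pkgs, ... }`, so the host fails to evaluate with an undefined-variable error; collabora.nix in the same commit takes `self` directly, and this module should do the same: `{ config, pkgs, self, ... }:` with `file = "${self}/secrets/nextcloud-secrets.age";`. Two lines further, `owner = config.services.mastodon.user;` hands the decrypted Nextcloud secrets to the Mastodon service account: with `mode = "400"` the account the NixOS nextcloud module runs as cannot read the file that `secretFile` points at, while an unrelated service can, which is the opposite of least privilege. That line should be `owner = "nextcloud";`. Separately, `loglevel = 0;` is Nextcloud's debug level and writes request and user details to the log on a production host; the usual setting is `loglevel = 2;` (warning), with debug enabled only temporarily when needed.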
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg GHVh1GUADEN6UVTUYntCaYfEqH+LX+gvaICkBHJ5OUY +rfoD++gVdnZ5HSlXbCOy8Pn7if6QM2WRaShpk0dCJ48 +-> ssh-ed25519 uYcDNw kKeYQIaKjVDKMDBkluuxarRfv2wR9W5TKHzbu1DR2hQ +bfFYcbcQ7De5hwkCng/CIZXWLHgr/cum0+OfRs5ESvI +-> ssh-rsa kFDS0A +pAZ0JEVyYZk3U1vFH/STAuHucNECpbhDdnJR7asfMt2bgTs1dvI9ZA5XBpJs3U4a +PntBwgYebJyHhgeZ0L7q5NYE6eLVThkxnWvm5OP2NjPyTgGUxjp+NA7WNw+Fc/gA +mz//NLMmKVHuknKBVEaZn+2lBWaIXyTkD3KetqxChDcXSnKswesLa6LdHLfE97jP +gHX5Y+JVNeGOlHPn0Ds40I/aFGJJ56p3cD3nTsgoQyGpoQGVIVHO6ghRmVjhSkW4 +7ZfPluq9G0u3NbSD3YjnLrAmUzdJsLPmYme2vvu0YKJr40TG6i5m196DSDuvAtM4 +XhiClq7a2KJfmEF+epVdoXo/7GrPs/F9Bb+NV1S7bVJX7Q87gQ3bbFq2LISu8QvD +HUlx2hJh0fZXpBv6yHIqXutEL1g6XCtpkli15wrHBfEQHOxP6mB/pNeM3gCYwOLX +ZdVqpR46OzOErNDwXTniwQecuKrRB9ecTjmmRZycEZErgEcASEZgAlfu2Q8EIW30 +65byX4EWskm6qlhLxp6SfRXlVcA9XcwIg6q2E2UIoEukZQ5zJNKcFAYec7/xTXs0 +DrLyGkOO+8C0lmCDY8Escd4cge2hIbIcsnQdkfh3NQT1ZqXEXkef/XB6yMEzvysg +3Z13W4dcxwc0ylRFwm2VKcBQD9jDwCyeV4iKohFIyJk +-> ssh-ed25519 YFSOsg X4DtlP1y5JXKyaYXJ/l18S7cOGIDlwk3vhrO0Vk6t3U +OXzEp3tRncra6pBvDoeiLkF4SlaHZ6E6j+UV0q1WB80 +-> ssh-ed25519 iHV63A AYUNvys+v75VarEdcZ1g9r9bnW76Tfq91gWnyED7kB0 +zloI/t4Dfa4re850ldwdFEjbF1OR/5G8VBAl9n7umEs +-> ssh-ed25519 BVsyTA glhHHYg1w7qntg8J3y+6zKJHBaC6PZWFQJnmiQR6axw +WiIDKiuzouGyiyANmEp25T1Dv2IRyRx+lovSpdFP/Dc +-> wcj`iUv7-grease }SsQ!/4Y)V\Q\y_g+HڄHoN@wd @ <: NO X!/̬Y7_ ˂ʠѦA}^q +؃ ɐ`:/"iqjGc[>YtT:h$Oh#, R[ץF3a]{Jѷב"Ƣު \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index cb063560..5b060b56 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -35,4 +35,6 @@ in { "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; + + "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; }