feat: add complete nextcloud config without secrets

feat: nextcloud initial commit
Merge pull request 'use nginx' (#19 ) from feature/switch-from-caddy-to-nginx into main
2023-10-28 16:53:40 +02:00 · 2023-10-28 16:32:11 +02:00 · 2023-10-28 15:35:17 +02:00 · 2023-10-28 15:34:31 +02:00 · 2023-10-28 15:20:56 +02:00 · 2023-10-28 15:19:48 +02:00
13 changed files with 397 additions and 191 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 *.tf.json
 /tags.*
+.direnv
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,31 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": [
+          "nix-darwin"
+        ],
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696775529,
+        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "bats-assert": {
      "flake": false,
      "locked": {
@ -35,7 +61,9 @@
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "utils": "utils"
      },
      "locked": {
@ -73,11 +101,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1688466019,
-        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
+        "lastModified": 1696343447,
+        "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
+        "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
        "type": "github"
      },
      "original": {
@ -108,15 +136,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1690652600,
-        "narHash": "sha256-Dy09g7mezToVwtFPyY25fAx1hzqNXv73/QmY5/qyR44=",
+        "lastModified": 1695108154,
+        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f58889c07efa8e1328fdf93dc1796ec2a5c47f38",
+        "rev": "07682fff75d41f18327a871088d20af2710d4744",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
@ -128,11 +157,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1690431538,
-        "narHash": "sha256-Uml8ivMMOFPB9fNSDcw72imGHRdJpaK12sRm2DTLLe8=",
+        "lastModified": 1698429334,
+        "narHash": "sha256-Gq3+QabboczSu7RMpcy79RSLMSqnySO3wsnHQk4DfbE=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "16c07487ac9bc59f58b121d13160c67befa3342e",
+        "rev": "afe83cbc2e673b1f08d32dd0f70df599678ff1e7",
        "type": "github"
      },
      "original": {
@ -144,11 +173,11 @@
    },
    "nixos-flake": {
      "locked": {
-        "lastModified": 1690424850,
-        "narHash": "sha256-pPELqUXbNdZ7nMLPL8A+BSyUsxjxMO3q2Wb7plW/Wf8=",
+        "lastModified": 1692742948,
+        "narHash": "sha256-19LQQFGshuQNrrXZYVt+mWY0O3NbhEXeMy3MZwzYZGo=",
        "owner": "srid",
        "repo": "nixos-flake",
-        "rev": "df6fe273ff64dc29de2c93805045b5348d70bc26",
+        "rev": "2c25190ceacdaaae7e8afbecfa87096bb499a431",
        "type": "github"
      },
      "original": {
@ -159,16 +188,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1671417167,
-        "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
-        "owner": "NixOS",
+        "lastModified": 1698288402,
+        "narHash": "sha256-jIIjApPdm+4yt8PglX8pUOexAdEiAax/DXW3S/Mb21E=",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
+        "rev": "60b9db998f71ea49e1a9c41824d09aa274be1344",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "owner": "nixos",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -176,11 +205,11 @@
    "nixpkgs-lib": {
      "locked": {
        "dir": "lib",
-        "lastModified": 1688049487,
-        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
+        "lastModified": 1696019113,
+        "narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
+        "rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a",
        "type": "github"
      },
      "original": {
@ -191,46 +220,17 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1690548937,
-        "narHash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1636823747,
-        "narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "flake-parts": "flake-parts",
        "home-manager": "home-manager",
        "nix-darwin": "nix-darwin",
        "nixos-flake": "nixos-flake",
-        "nixpkgs": "nixpkgs_2",
-        "terranix": "terranix"
+        "nixpkgs": "nixpkgs",
+        "terranix": "terranix",
+        "unstable": "unstable"
      }
    },
    "terranix": {
@ -238,15 +238,17 @@
        "bats-assert": "bats-assert",
        "bats-support": "bats-support",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "terranix-examples": "terranix-examples"
      },
      "locked": {
-        "lastModified": 1684906298,
-        "narHash": "sha256-pNuJxmVMGbBHw7pa+Bx0HY0orXIXoyyAXOKuQ1zpfus=",
+        "lastModified": 1695406838,
+        "narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
        "owner": "terranix",
        "repo": "terranix",
-        "rev": "c0dd15076856c6cb425795b8c7d5d37d3a1e922a",
+        "rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
        "type": "github"
      },
      "original": {
@ -270,6 +272,22 @@
        "type": "github"
      }
    },
+    "unstable": {
+      "locked": {
+        "lastModified": 1698318101,
+        "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "utils": {
      "locked": {
        "lastModified": 1667395993,
--- a/flake.nix
+++ b/flake.nix
@ -1,23 +1,33 @@
 {
  inputs = {
-    # Principle inputs (updated by `nix run .#update`)
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # Track channels with commits tested and built by hydra
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
    nix-darwin.url = "github:lnl7/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
-    home-manager.url = "github:nix-community/home-manager";
+
+    home-manager.url = "github:nix-community/home-manager/release-23.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";

    flake-parts.url = "github:hercules-ci/flake-parts";
    nixos-flake.url = "github:srid/nixos-flake";

    terranix.url = "github:terranix/terranix";
+    terranix.inputs.nixpkgs.follows = "nixpkgs";

    deploy-rs.url = "github:serokell/deploy-rs";
+    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.darwin.follows = "nix-darwin";
+    agenix.inputs.home-manager.follows = "home-manager";
  };

  outputs = inputs@{ self, terranix, ... }:
    inputs.flake-parts.lib.mkFlake { inherit inputs; } {
-      systems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" ];
+      systems = [ "x86_64-linux" "aarch64-linux" ];

      imports = [
        inputs.nixos-flake.flakeModule
@ -26,7 +36,35 @@
        ./lib
      ];

-      perSystem = { config, ... }: { };
+      perSystem = { system, pkgs, config, ... }: {
+        _module.args = {
+          inherit inputs;
+          pkgs = import inputs.nixpkgs {
+            inherit system;
+            overlays = [
+              inputs.agenix.overlays.default
+            ];
+          };
+          unstable = import inputs.unstable { inherit system; };
+          master = import inputs.master { inherit system; };
+        };
+        devShells.default = pkgs.mkShell {
+          buildInputs = with pkgs; [
+            deploy-rs
+            nixpkgs-fmt
+            agenix
+            cachix
+            editorconfig-checker
+            nix
+            nodePackages.prettier
+            nvfetcher
+            shellcheck
+            shfmt
+            treefmt
+            nixos-generators
+          ];
+        };
+      };

      flake =
        let
@ -34,13 +72,14 @@
          system = "x86_64-linux";
        in {
          nixosConfigurations = {
-            nachtigall = self.nixos-flake.lib.mkLinuxSystem system {
+            nachtigall = self.nixos-flake.lib.mkLinuxSystem {
              imports = [
                self.nixosModules.common
                ./hosts/nachtigall
                self.pub-solar.lib.linux.unlockZFSOnBoot
                self.nixosModules.home-manager
                self.nixosModules.linux
+                inputs.agenix.nixosModules.default
                {
                  home-manager.users.${username} = {
                    imports = [
@ -53,12 +92,15 @@
            };
          };

+          checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
+
          nixosModules = {
            # Common nixos/nix-darwin configuration shared between Linux and macOS.
            common = { pkgs, ... }: {
              virtualisation.docker.enable = true;
              services.openssh.enable = true;
              services.openssh.settings.PermitRootLogin = "prohibit-password";
+              services.openssh.settings.PasswordAuthentication = false;
            };

            # NixOS specific configuration
--- a/hosts/nachtigall/apps/nextcloud.nix
+++ b/hosts/nachtigall/apps/nextcloud.nix
@ -0,0 +1,81 @@
+{ config, pkgs, ... }:
+{
+  services.nextcloud = {
+    hostName = "cloud.pub.solar";
+    home = "/var/lib/nextcloud";
+
+    enable = true;
+    https = true;
+    secretFile = ""; # secret
+
+    configureRedis = true;
+
+    notify_push = {
+      enable = true;
+    };
+
+    config = {
+      adminuser = "admin";
+      dbuser = "nextcloud";
+      dbtype = "pgsql";
+      dbname = "nextcloud";
+      dbtableprefix = "oc_";
+      overwriteProtocol = "https";
+    };
+
+    extraOptions = {
+      overwrite.cli.url = "http://cloud.pub.solar";
+
+      installed = true;
+      default_phone_region = "+49";
+      mail_sendmailmode = "smtp";
+      mail_from_address = "nextcloud";
+      mail_smtpmode = "smtp";
+      mail_smtpauthtype = "PLAIN";
+      mail_domain = "pub.solar";
+      mail_smtpname = "admins@pub.solar";
+      mail_smtpsecure = "tls";
+      mail_smtpauth = 1;
+      mail_smtphost = "mx2.greenbaum.cloud";
+      mail_smtpport = "587";
+
+      enable_previews = true;
+      enabledPreviewProviders = [
+        "OC\\Preview\\PNG"
+        "OC\\Preview\\JPEG"
+        "OC\\Preview\\GIF"
+        "OC\\Preview\\BMP"
+        "OC\\Preview\\XBitmap"
+        "OC\\Preview\\Movie"
+        "OC\\Preview\\PDF"
+        "OC\\Preview\\MP3"
+        "OC\\Preview\\TXT"
+        "OC\\Preview\\MarkDown"
+      ];
+      preview_max_x = "1024";
+      preview_max_y = "768";
+      preview_max_scale_factor = "1";
+
+      auth.bruteforce.protection.enabled = true;
+      trashbin_retention_obligation = "auto,7";
+      skeletondirectory = "";
+      defaultapp = "file";
+      activity_expire_days = "14";
+      integrity.check.disabled = false;
+      updater.release.channel = "stable";
+      loglevel = 0;
+      maintenance = false;
+      app_install_overwrite = [
+        "pdfdraw"
+        "integration_whiteboard"
+      ];
+      htaccess.RewriteBase = "/";
+      theme = "";
+      simpleSignUpLink.shown = false;
+    };
+
+    caching.redis = true;
+    autoUpdateApps.enable = true;
+    database.createLocally = true;
+  };
+}
--- a/hosts/nachtigall/apps/nginx.nix
+++ b/hosts/nachtigall/apps/nginx.nix
@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}: let
+  acmeEmailAddress = "admins@pub.solar";
+  webserverGroup = "hakkonaut";
+in {
+  services.nginx = {
+    enable = true;
+    group = webserverGroup;
+    enableReload = true;
+  };
+  
+  security.acme = {
+    acceptTerms = true;
+    email = acmeEmailAddress;
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+}
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  # Use GRUB2 as the boot loader.
+  # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = false;
+    mirroredBoots = [
+      {
+        devices = [
+          "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
+        ];
+        path = "/boot1";
+      }
+      {
+        devices = [
+          "/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
+        ];
+        path = "/boot2";
+      }
+    ];
+    copyKernels = true;
+  };
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=138.201.80.102::138.201.80.65:255.255.255.192:nachtigall::off"
+  ];
+
+  boot.initrd.availableKernelModules = [ "igb" ];
+
+  # Set your time zone.
+  time.timeZone = "Etc/UTC";
+
+  environment = {
+    # just a couple of packages to make our lives easier
+    systemPackages = with pkgs; [ vim ];
+  };
+
+  users.users.hakkonaut = {
+    description = "CI and automation user";
+    home = "/var/nix/iso-cache";
+    useDefaultShell = true;
+    uid = 998;
+    group = "hakkonaut";
+    isSystemUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
+    ];
+  };
+
+  # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
+  systemd.services.zfs-mount.enable = false;
+
+  users.groups.hakkonaut = {};
+
+  users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@ -1,95 +1,14 @@
-{ config, pkgs, ... }:
+{ ... }:

 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ./nextcloud.nix
+      ./configuration.nix
+
+      ./networking.nix
+      ./nix.nix
+      ./apps/nginx.nix
+      ./apps/nextcloud.nix
    ];
-
-  # Use GRUB2 as the boot loader.
-  # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
-  boot.loader.systemd-boot.enable = false;
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = false;
-    mirroredBoots = [
-      {
-        devices = [
-          "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
-        ];
-        path = "/boot1";
-      }
-      {
-        devices = [
-          "/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
-        ];
-        path = "/boot2";
-      }
-    ];
-    copyKernels = true;
-  };
-  boot.supportedFilesystems = [ "zfs" ];
-
-  boot.kernelParams = [
-    "boot.shell_on_fail=1"
-    "ip=138.201.80.102::138.201.80.65:255.255.255.192:nachtigall::off"
-  ];
-
-  boot.initrd.availableKernelModules = [ "igb" ];
-
-  networking.hostName = "nachtigall";
-  networking.domain = "pub.solar";
-  networking.hostId = "00000001";
-
-  # enable flakes by default
-  nix = {
-    package = pkgs.nixFlakes;
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-
-  # Set your time zone.
-  time.timeZone = "Etc/UTC";
-
-  environment = {
-    # just a couple of packages to make our lives easier
-    systemPackages = with pkgs; [ vim ];
-  };
-
-  # Network (Hetzner uses static IP assignments, and we don't use DHCP here)
-  networking.useDHCP = false;
-  networking.interfaces."enp35s0".ipv4.addresses = [
-    {
-      address = "138.201.80.102";
-      prefixLength = 26;
-    }
-  ];
-  networking.interfaces."enp35s0".ipv6.addresses = [
-    {
-      address = "2a01:4f8:172:1c25::1";
-      prefixLength = 64;
-    }
-  ];
-  networking.defaultGateway = "138.201.80.65";
-  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
-
-  services.resolved = {
-    enable = true;
-    extraConfig = ''
-      DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net 193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
-      FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
-      Domains=~.
-      DNSOverTLS=yes
-    '';
-  };
-
-  users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
-
-  # This value determines the NixOS release with which your system is to be
-  # compatible, in order to avoid breaking some software such as database
-  # servers. You should change this only after NixOS release notes say you
-  # should.
-  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/hosts/nachtigall/hardware-configuration.nix
+++ b/hosts/nachtigall/hardware-configuration.nix
@ -18,6 +18,11 @@
      fsType = "zfs";
    };

+  fileSystems."/var/lib" =
+    { device = "root_pool/data";
+      fsType = "zfs";
+    };
+
  fileSystems."/var/lib/postgresql" =
    { device = "root_pool/data/postgresql";
      fsType = "zfs";
--- a/hosts/nachtigall/networking.nix
+++ b/hosts/nachtigall/networking.nix
@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+
+  networking.hostName = "nachtigall";
+  networking.domain = "pub.solar";
+  networking.hostId = "00000001";
+
+  # Network (Hetzner uses static IP assignments, and we don't use DHCP here)
+  networking.useDHCP = false;
+  networking.interfaces."enp35s0".ipv4.addresses = [
+    {
+      address = "138.201.80.102";
+      prefixLength = 26;
+    }
+  ];
+  networking.interfaces."enp35s0".ipv6.addresses = [
+    {
+      address = "2a01:4f8:172:1c25::1";
+      prefixLength = 64;
+    }
+  ];
+  networking.defaultGateway = "138.201.80.65";
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
+
+  services.resolved = {
+    enable = true;
+    extraConfig = ''
+      DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+      FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
+      Domains=~.
+      DNSOverTLS=yes
+    '';
+  };
+}
--- a/hosts/nachtigall/nextcloud.nix
+++ b/hosts/nachtigall/nextcloud.nix
@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-{
-  services.caddy.virtualHosts."cloud.pub.solar" = {
-    # logFormat = lib.mkForce ''
-    #   output discard
-    # '';
-    extraConfig = ''
-      reverse_proxy :8080
-    '';
-  };
-
-  services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ];
-
-  services.nextcloud = {
-    enable = true;
-    https = true;
-    secretFile = ""; # secret
-
-    notify_push = {
-      enable = true;
-    };
-
-    config = {
-      adminuser = "admin";
-      dbuser = "nextcloud";
-      dbtype = "pgsql";
-      dbname = "nextcloud";
-      dbtableprefix = "oc_";
-      trustedProxies = [
-        "cloud.pub.solar"
-      ];
-    };
-
-    autoUpdateApps.enable = true;
-    database.createLocally = true;
-  };
-}
--- a/hosts/nachtigall/nix.nix
+++ b/hosts/nachtigall/nix.nix
@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  flake,
+  ...
+}: {
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+  ];
+
+  nix = {
+    # Use default version alias for nix package
+    package = pkgs.nix;
+    gc.automatic = true;
+    optimise.automatic = true;
+
+    settings = {
+      # Improve nix store disk usage
+      auto-optimise-store = true;
+      # Prevents impurities in builds
+      sandbox = true;
+      # Give root and @wheel special privileges with nix
+      trusted-users = ["root" "@wheel"];
+      # Allow only group wheel to connect to the nix daemon
+      allowed-users = ["@wheel"];
+    };
+
+    # Generally useful nix option defaults
+    extraOptions = lib.mkForce ''
+      experimental-features = flakes nix-command
+      min-free = 536870912
+      keep-outputs = true
+      keep-derivations = true
+      fallback = true
+    '';
+
+    nixPath = [
+      "nixpkgs=${flake.inputs.nixpkgs}"
+      "nixos-config=${../../lib/compat/nixos}"
+      "home-manager=${flake.inputs.home-manager}"
+    ];
+  };
+}
--- a/lib/deploy.nix
+++ b/lib/deploy.nix
@ -6,6 +6,16 @@
 */

 { lib, inputs }: let
+  # https://github.com/serokell/deploy-rs#overall-usage
+  system = "x86_64-linux";
+  pkgs = import inputs.nixpkgs { inherit system; };
+  deployPkgs = import inputs.nixpkgs {
+    inherit system;
+    overlays = [
+      inputs.deploy-rs.overlay
+      (self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
+    ];
+  };
  getFqdn = c: let
    net = c.config.networking;
    fqdn =
@ -53,7 +63,7 @@ in {
          hostname = getFqdn c;
          profiles.system = {
            user = "root";
-            path = inputs.deploy-rs.lib.${c.pkgs.stdenv.hostPlatform.system}.activate.nixos c;
+            path = deployPkgs.deploy-rs.lib.activate.nixos c;
          };
        }
      )
Author	SHA1	Message	Date
Benjamin Bädorf	7fc6f60b11	feat: add complete nextcloud config without secrets	2023-10-28 16:53:40 +02:00
Benjamin Bädorf	d9c92dc9d5	feat: nextcloud initial commit	2023-10-28 16:32:11 +02:00
Hendrik Sokolowski	1fde142895	Merge pull request 'use nginx' (#19 ) from feature/switch-from-caddy-to-nginx into main Reviewed-on: pub-solar/infra-new#19 Reviewed-by: b12f <hello@benjaminbaedorf.eu>	2023-10-28 15:35:17 +02:00
Hendrik Sokolowski	710b81c94c	use nginx	2023-10-28 15:34:31 +02:00
b12f	f0eb3fd4f4	Merge pull request 'fix: mount zfs datasets declaratively' (#18 ) from fix-zfs-mount into main Reviewed-on: pub-solar/infra-new#18 Reviewed-by: b12f <hello@benjaminbaedorf.eu>	2023-10-28 15:20:56 +02:00
teutat3s	3690b3cf9d	fix: mount zfs datasets declaratively	2023-10-28 15:19:48 +02:00
b12f	14c647e8f7	Merge pull request 'Use deploy-rs from nixpkgs, use caddy module from nixos-unstable' (#17 ) from deploy-rs-from-nixpkgs into main Reviewed-on: pub-solar/infra-new#17 Reviewed-by: b12f <hello@benjaminbaedorf.eu>	2023-10-28 15:07:29 +02:00
teutat3s	a5b32302c1	fix: use caddy module from nixos-unstable	2023-10-28 15:06:57 +02:00
teutat3s	3c9f9c9fc7	fix: use deploy-rs overlay to force usage of nixpkgs	2023-10-28 15:06:57 +02:00
Akshay Mankar	49890bc53d	Merge pull request 'nachtigall: Mount /var/lib as a separate ZFS dataset' (#16 ) from var-lib-is-zfs into main Reviewed-on: pub-solar/infra-new#16 Reviewed-by: hensoko <hensoko@gssws.de>	2023-10-28 14:18:27 +02:00
Akshay Mankar	fcc2115c0b	Merge pull request 'nachtigall/apps/caddy: Remove option from nixos-unstable' (#15 ) from fix-caddy into main Reviewed-on: pub-solar/infra-new#15 Reviewed-by: hensoko <hensoko@gssws.de>	2023-10-28 14:17:13 +02:00
Akshay Mankar	c42fadab6d	nachtigall: Mount /var/lib as a separate ZFS dataset This would help keep all application data out of the root partion by default	2023-10-28 14:14:29 +02:00
Akshay Mankar	bdc5033bf4	nachtigall/apps/caddy: Remove option from nixos-unstable It is anyway enabled by default	2023-10-28 14:10:25 +02:00
b12f	44f301c772	Merge pull request 'feat: caddy' (#11 ) from feat/caddy into main Reviewed-on: pub-solar/infra-new#11 Reviewed-by: teutat3s <teutates@mailbox.org>	2023-10-28 14:00:40 +02:00
Benjamin Bädorf	8aee160fd1	fix: import networking and nix modules	2023-10-28 14:00:32 +02:00
Benjamin Bädorf	b921201645	feat: caddy	2023-10-28 14:00:32 +02:00
Akshay Mankar	41d6c334bc	Merge pull request 'Use nixos-23.05 instead of unstable' (#14 ) from use-nixos-stable into main Reviewed-on: pub-solar/infra-new#14 Reviewed-by: b12f <hello@benjaminbaedorf.eu>	2023-10-28 14:00:29 +02:00
teutat3s	b6f75c2c27	Merge pull request 'chore: remove darwin systems from flake' (#12 ) from flake-update-systems into main Reviewed-on: pub-solar/infra-new#12 Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>	2023-10-28 13:51:18 +02:00
teutat3s	e7febf5403	chore: remove darwin systems	2023-10-28 13:48:56 +02:00
Akshay Mankar	c23bc00f19	Use nixos-23.05 instead of unstable	2023-10-28 13:47:10 +02:00
Akshay Mankar	5a7d81d787	flake.nix: Fix usage of self.nixos-flake.lib.mkLinuxSystem	2023-10-28 13:46:05 +02:00
Akshay Mankar	c9beea7f82	Merge pull request 'Add dev shell' (#10 ) from dev-shell into main Reviewed-on: pub-solar/infra-new#10 Reviewed-by: teutat3s <teutates@mailbox.org>	2023-10-28 13:38:05 +02:00
teutat3s	3ceec80aab	chore: pin more inputs and bump flake lock • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/8e8d955c22df93dbe24f19ea04f47a74adbdc5ec' (2023-07-04) → 'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03) • Updated input 'flake-parts/nixpkgs-lib': 'github:NixOS/nixpkgs/4bc72cae107788bf3f24f30db2e2f685c9298dc9?dir=lib' (2023-06-29) → 'github:NixOS/nixpkgs/f5892ddac112a1e9b3612c39af1b72987ee5783a?dir=lib' (2023-09-29) • Updated input 'home-manager': 'github:nix-community/home-manager/f58889c07efa8e1328fdf93dc1796ec2a5c47f38' (2023-07-29) → 'github:nix-community/home-manager/f92a54fef4eacdbe86b0a2054054dd58b0e2a2a4' (2023-10-28) • Updated input 'nix-darwin': 'github:lnl7/nix-darwin/16c07487ac9bc59f58b121d13160c67befa3342e' (2023-07-27) → 'github:lnl7/nix-darwin/afe83cbc2e673b1f08d32dd0f70df599678ff1e7' (2023-10-27) • Updated input 'nixos-flake': 'github:srid/nixos-flake/df6fe273ff64dc29de2c93805045b5348d70bc26' (2023-07-27) → 'github:srid/nixos-flake/2c25190ceacdaaae7e8afbecfa87096bb499a431' (2023-08-22) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28' (2023-07-28) → 'github:nixos/nixpkgs/63678e9f3d3afecfeafa0acead6239cdb447574c' (2023-10-26) • Updated input 'terranix': 'github:terranix/terranix/c0dd15076856c6cb425795b8c7d5d37d3a1e922a' (2023-05-24) → 'github:terranix/terranix/fc9077ca02ab5681935dbf0ecd725c4d889b9275' (2023-09-22)	2023-10-28 13:36:43 +02:00
Akshay Mankar	b788a9f383	Add dev shell	2023-10-28 12:38:14 +02:00
b12f	02e570c85a	Merge pull request 'Disable Password authentication in SSH' (#9 ) from ssh-disable-password into main Reviewed-on: pub-solar/infra-new#9	2023-10-28 12:04:56 +02:00
Akshay Mankar	e0c6530d97	Disable Password authentication in SSH	2023-10-28 12:01:48 +02:00
b12f	41b85714a6	Merge pull request 'hosts/nachtigall: Move config to configuration.nix' (#8 ) from restructure-nachtigall into main Reviewed-on: pub-solar/infra-new#8	2023-10-28 11:56:56 +02:00
Akshay Mankar	d8e0bbb43b	hosts/nachtigall: Move config to configuration.nix	2023-10-28 11:28:41 +02:00