From 8ad19f72fc931c8bcc1d7f825064b80220675e61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 29 Oct 2023 14:12:10 +0100 Subject: [PATCH 1/6] fix: small nextcloud fixes * Add admin pass * Increase max post size * Fix secret owner --- hosts/nachtigall/apps/nextcloud.nix | 18 +++++++++++++++--- secrets/nextcloud-admin-pass.age | 27 +++++++++++++++++++++++++++ secrets/secrets.nix | 1 + 3 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 secrets/nextcloud-admin-pass.age diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix index ca9ac87..51869e0 100644 --- a/hosts/nachtigall/apps/nextcloud.nix +++ b/hosts/nachtigall/apps/nextcloud.nix @@ -1,9 +1,20 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + flake, + ... +}: { age.secrets."nextcloud-secrets" = { file = "${flake.self}/secrets/nextcloud-secrets.age"; mode = "400"; - owner = config.services.mastodon.user; + owner = "nextcloud"; + }; + + age.secrets."nextcloud-admin-pass" = { + file = "${flake.self}/secrets/nextcloud-admin-pass.age"; + mode = "400"; + owner = "nextcloud"; }; services.nginx.virtualHosts."cloud.pub.solar" = { @@ -18,7 +29,7 @@ enable = true; https = true; secretFile = config.age.secrets."nextcloud-secrets".path; # secret - phpPackage = pkgs.php82; + maxUploadSize = "1G"; configureRedis = true; @@ -28,6 +39,7 @@ config = { adminuser = "admin"; + adminpassFile = config.age.secrets."nextcloud-admin-pass".path; dbuser = "nextcloud"; dbtype = "pgsql"; dbname = "nextcloud"; diff --git a/secrets/nextcloud-admin-pass.age b/secrets/nextcloud-admin-pass.age new file mode 100644 index 0000000..30d1629 --- /dev/null +++ b/secrets/nextcloud-admin-pass.age 
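Review bot: The second nextcloud.nix hunk (`@@ -18,7 +29,7 @@`) also removes `phpPackage = pkgs.php82;`, which the commit message (admin pass, max post size, secret owner) does not mention. Presumably the option is no longer settable in the pinned nixpkgs, but the effect is that the PHP runtime now follows whatever the module selects for the Nextcloud package instead of an explicit pin, so a line in the message such as `* Drop phpPackage pin, the module now selects PHP for the Nextcloud package` would make the removal intentional rather than accidental. The enclosing `services.nextcloud` attribute set starts and ends outside the hunk.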
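Review bot: `adminpassFile` in the third nextcloud.nix hunk (`@@ -28,6 +39,7 @@`) is, as far as the NixOS module goes, only consumed by the initial install step of the setup service, so on an instance that is already installed this line does not change the existing admin password. If the intent is to set the password of the running instance, that has to be done through Nextcloud itself; otherwise a comment on the line, e.g. `# only read during initial setup; does not rotate the password of an existing install`, keeps the next reader from assuming the file is authoritative. The surrounding `config = { ... }` block extends past the hunk.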
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg 1a8hvqTn2un3yxJkdltenSSfEhKMHxXAKlfSnD9vCWo +xOzDWr87QMnE9UgnNimz/C+5aKhspG38RQDhhRqg/EE +-> ssh-ed25519 uYcDNw Grc5lFL8+r+Evi3bDl5sCidZMZzLU1K8qiZ+Mhqc8gc +mu0L16Ar7H6ZGsSMGw9W9AwS+JusygM8fM6LMtMsCo4 +-> ssh-rsa kFDS0A +nJnBVo6ArUYVRYUDRAPfBdxPPjCaOqM8fi+7LNLtThnyDzRm31Fgq/07Xy7ual2O +0k10QbXZv3nnhjW+qimfOK9qDpnub0bULBAMKxAGrapb8KdTqpMgMhK7tuySHH+P +L8VTLt5woBz+hkla6P0o1s7pcPCmmQ6vITpGDUEGwFS/orYZdGbAe7+sPanagBx7 +3xh8JRh1VszNa7pRhkRLM9wwLtDCGETT1+5iwdxR18IijvJRbVKkONX6UYkCzy0t +8UmVlfO7m7FN7sdvX+59+70nxhxeECuwZh52TZHaio2NyNvIioFquFZ3SfiLzdd8 +hpUGH1/fPTHvlCTtvI95lXbB370Ta6vpR4uOvAiHz1Oc6aAhbl6QPcZuUr6pFHK0 +5zxlOgc0+3nN9Iv41KbNfoyJYrEVVuMCizdbeyFGTJe+kKjdKbBblJSla0hUGINB +ZsKhzLG5jmCXDo/WC3vVImBN2R+0AWvqoL2jME+jrOmbAcqYToJrv886cEkxdaxs +O3DeXLO2hIGpVMVsrsMyHrF7cBPQ0lahM1tlIzdlzbMeDjM6HO/WYa2fz8XGwXu8 +puBTtRyg0DL/06s9Hr9WqzE1WiEPVl2jhze8jsIzshcN1yCoV/dKnmOVBPj6rBxd +dl5XfpO1d6AOtHx1RquWa2BQWp3nkWvYMgTRaPbpK44 +-> ssh-ed25519 YFSOsg eqXDfDhoOgy4g7nb1X1mfT20kfPkixWs9QqpaaDwCyg ++4aFNWh+b1BeKUqPGU79R9EkbFDp/YMSBYMMunV2YrI +-> ssh-ed25519 iHV63A F0kH/Uq+wX9F+RDZwTQW4MF8hSo+nwOSTH4vOQF53nA +d20TVZfePKn9y5PWZ0XWV2Xr7N2Ma6V3eSroOiZcgXM +-> ssh-ed25519 BVsyTA VvabFmOpUc+TCAFKQYFmlPokmFyqYiD0W9hELvOXv24 +QJ3LX0bqOgujAB/2T//oCctA/fv1Jc8WugVu6iM9gxE +-> x\:P|P,}-grease @YO [b'lw5 *.WKU +hfTYY2Pu +--- vCfB3aNBGwwBSvtdjzAUKCzCt/z7YvufcAf/VhaZfcg +a9r_GMSs#(;a(y&|!wiG!e4xc \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5b060b5..2b0bdc9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -37,4 +37,5 @@ in { "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; + "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys; } -- 2.44.1 From 7b4b79f5d4d28e4773dcd29c638ee76acbffd5eb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 29 Oct 2023 19:04:32 +0100 Subject: [PATCH 2/6] fix: add host header to collabora nginx proxy_pass --- hosts/nachtigall/apps/collabora.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/nachtigall/apps/collabora.nix b/hosts/nachtigall/apps/collabora.nix index cfe875e..e126fd0 100644 --- a/hosts/nachtigall/apps/collabora.nix +++ b/hosts/nachtigall/apps/collabora.nix @@ -9,7 +9,10 @@ enableACME = true; forceSSL = true; - locations."/".proxyPass = "http://127.0.0.1:9980"; + locations."/".extraConfig = '' + proxy_pass http://127.0.0.1:9980; + proxy_set_header Host $host; + ''; }; virtualisation = { -- 2.44.1 From 2c2d77456e0b29cf1b3375e85291d09b379997fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 29 Oct 2023 19:05:02 +0100 Subject: [PATCH 3/6] chore: update nextcloud to v27 --- hosts/nachtigall/apps/nextcloud.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix index 51869e0..e6378b9 100644 --- a/hosts/nachtigall/apps/nextcloud.nix +++ b/hosts/nachtigall/apps/nextcloud.nix @@ -27,6 +27,7 @@ home = "/var/lib/nextcloud"; enable = true; + package = pkgs.nextcloud27; https = true; secretFile = config.age.secrets."nextcloud-secrets".path; # secret maxUploadSize = "1G"; -- 2.44.1 From 13d46c22c58060055b0f810b878977439bc4ee5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 29 Oct 2023 19:17:53 +0100 Subject: [PATCH 4/6] fix: nextcloud connections to other applications --- hosts/nachtigall/apps/nextcloud.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix index e6378b9..a138d90 100644 --- a/hosts/nachtigall/apps/nextcloud.nix +++ b/hosts/nachtigall/apps/nextcloud.nix 
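Review bot: Replacing `locations."/".proxyPass` with a raw `proxy_pass` line in `extraConfig` bypasses what the NixOS nginx module attaches to proxied locations: if `services.nginx.recommendedProxySettings` is enabled elsewhere in this configuration, `proxyPass` already injects `Host`, `X-Forwarded-*` and `X-Real-IP` headers, and the `Upgrade`/`Connection` headers Collabora's websocket endpoints need come from `proxyWebsockets = true`, which the old location did not enable either and a bare `proxy_pass` does not provide. Keeping the option and adding only the missing header preserves that behaviour: `locations."/" = { proxyPass = "http://127.0.0.1:9980"; proxyWebsockets = true; extraConfig = "proxy_set_header Host $host;"; };`. The virtualHost attribute set begins before this hunk.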
@@ -46,6 +46,11 @@ dbname = "nextcloud"; dbtableprefix = "oc_"; overwriteProtocol = "https"; + + trustedProxies = [ + "127.0.0.1" + "::1" + ]; }; extraOptions = { @@ -64,6 +69,13 @@ mail_smtphost = "mx2.greenbaum.cloud"; mail_smtpport = "587"; + # This is to allow connections to collabora and keycloak, among other services + # running on the same host + # + # https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=allow_local_remote_servers%20true + # https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/293 + allow_local_remote_servers = true; + enable_previews = true; enabledPreviewProviders = [ "OC\\Preview\\PNG" -- 2.44.1 From a10d77dcf65cb48c07cb5557d716320810797837 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 29 Oct 2023 19:28:39 +0100 Subject: [PATCH 5/6] fix: increase php strings cache size for nextcloud https://github.com/nextcloud/server/issues/31223 --- hosts/nachtigall/apps/nextcloud.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix index a138d90..d3f430d 100644 --- a/hosts/nachtigall/apps/nextcloud.nix +++ b/hosts/nachtigall/apps/nextcloud.nix @@ -111,6 +111,10 @@ simpleSignUpLink.shown = false; }; + phpOptions = { + "opcache.interned_strings_buffer" = "16"; + }; + caching.redis = true; autoUpdateApps.enable = true; database.createLocally = true; -- 2.44.1 From f013c6e3f8789bced59ef8a7d9867f573c17402e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 29 Oct 2023 20:33:11 +0100 Subject: [PATCH 6/6] feat: make docker run on zfs, add unlocking docs --- docs/unlocking-root.md | 8 +++++++- flake.nix | 2 ++ hosts/nachtigall/hardware-configuration.nix | 5 +++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/unlocking-root.md b/docs/unlocking-root.md index 8832b93..2ec0d9a 100644 --- a/docs/unlocking-root.md +++ b/docs/unlocking-root.md 
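Review bot: `allow_local_remote_servers = true` in the second nextcloud.nix hunk of "fix: nextcloud connections to other applications" switches off Nextcloud's check that blocks its own outbound HTTP requests from reaching loopback and private-range addresses, and it does so for every feature that makes such requests, not only for the Collabora and Keycloak connections the comment names. The comment should record that accepted trade-off so it is not read as a harmless compatibility toggle, e.g. `# NOTE: this disables Nextcloud's local/private-address request filter globally, not only for Collabora and Keycloak; every service bound to localhost on this host is then reachable from Nextcloud's outbound requests -- revisit if those services can be reached through a non-local address.` Listing the localhost-bound services on nachtigall next to it would make that trade-off reviewable later. The `extraOptions` set continues beyond the hunk.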
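Review bot: Depending on the nixpkgs revision this flake pins, `services.nextcloud.phpOptions` in "fix: increase php strings cache size for nextcloud" may replace the module's default php.ini settings rather than extend them, because in older module versions the option is an attribute set with a non-empty default and a user-supplied value overrides the whole default; if that is the case here, the hunk silently drops the other defaults (the remaining opcache parameters among them) while raising one value. This is worth confirming against the generated php.ini after deploy, and then either carrying the defaults over explicitly or noting in a comment that the module merges them, e.g. `# merged with the module's default php.ini options -- verified on <nixpkgs rev>`. The surrounding `services.nextcloud` set begins and ends outside the hunk.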
@@ -1,3 +1,9 @@ # Unlocking the root partition on boot -After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH on port 2222. After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2. +After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH with user root on port 2222. + +``` +ssh root@nachtigall.pub.solar -p2222 +``` + + After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2. diff --git a/flake.nix b/flake.nix index 76ab217..329bc9c 100644 --- a/flake.nix +++ b/flake.nix @@ -107,6 +107,7 @@ extraOptions = '' --data-root /var/lib/docker ''; + storageDriver = "zfs"; }; services.openssh.enable = true; @@ -153,6 +154,7 @@ }; }; }; + deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations { nachtigall = { sshUser = username; diff --git a/hosts/nachtigall/hardware-configuration.nix b/hosts/nachtigall/hardware-configuration.nix index 0224632..9aab804 100644 --- a/hosts/nachtigall/hardware-configuration.nix +++ b/hosts/nachtigall/hardware-configuration.nix @@ -28,6 +28,11 @@ fsType = "zfs"; }; + fileSystems."/var/lib/docker" = + { device = "root_pool/data/docker"; + fsType = "zfs"; + }; + fileSystems."/boot1" = { device = "/dev/disk/by-uuid/5493-EFF5"; fsType = "vfat"; -- 2.44.1
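Review bot: The new `fileSystems."/var/lib/docker"` entry in hardware-configuration.nix assumes the `root_pool/data/docker` dataset already exists; nothing in this commit creates it, and the docs touched by the same commit only cover unlocking root, so a rebuilt host or one where the dataset was not created by hand fails to mount it at boot and Docker (now running with `storageDriver = "zfs"` and `--data-root /var/lib/docker`) does not start. A comment next to the entry or a line in the docs, e.g. `# dataset must be created manually before the first deploy: zfs create root_pool/data/docker`, would close that gap. The `fileSystems` declarations around this entry lie partly outside the hunk.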