Use docker instead of nspawn to host onlyoffice

2026-01-21 14:01:34 +01:00 · 2024-09-17 21:38:02 +02:00 · 2024-09-17 21:38:02 +02:00 · 18bbe1fd27
commit 18bbe1fd27
parent 982dc99e7a
5 changed files with 53 additions and 61 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -9,7 +9,6 @@ keys:
  # Containers
  - &forgejo age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
  - &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
-  - &onlyoffice age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
  - &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh

  # Users
@ -45,11 +44,6 @@ creation_rules:
      - age:
          - *admin
          - *nextcloud
-  - path_regex: hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml$
-    key_groups:
-      - age:
-          - *admin
-          - *onlyoffice
  - path_regex: hosts/stratus/containers/nspawn/paperless/secrets.yaml$
    key_groups:
      - age:
--- a/hosts/stratus/containers/docker/onlyoffice/default.nix
+++ b/hosts/stratus/containers/docker/onlyoffice/default.nix
@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+  sops.secrets = {
+    "container/onlyoffice/tailscale-auth-key" = { };
+    "container/onlyoffice/jwt-secret" = { };
+  };
+
+  virtualisation.oci-containers.containers = {
+    onlyoffice = {
+      image = "onlyoffice/documentserver";
+      environmentFiles = [
+        # Contains "JWT_SECRET=<token>"
+        config.sops.secrets."container/onlyoffice/jwt-secret".path
+      ];
+    };
+
+    tailscale-onlyoffice =
+      let
+        configPath = pkgs.writeTextFile {
+          name = "config";
+          destination = "/tailscale-serve.json";
+          text = builtins.toJSON {
+            TCP."443".HTTPS = true;
+            Web."onlyoffice.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:80";
+          };
+        };
+      in
+      {
+        image = "ghcr.io/tailscale/tailscale:latest";
+        environment = {
+          TS_HOSTNAME = "onlyoffice";
+          TS_STATE_DIR = "/var/lib/tailscale";
+          TS_SERVE_CONFIG = "/config/tailscale-serve.json";
+          TS_USERSPACE = "true"; # https://github.com/tailscale/tailscale/issues/11372
+        };
+        environmentFiles = [
+          # Contains "TS_AUTHKEY=<token>"
+          config.sops.secrets."container/onlyoffice/tailscale-auth-key".path
+        ];
+        volumes = [
+          "/var/lib/tailscale-onlyoffice:/var/lib/tailscale"
+          "${configPath}:/config"
+        ];
+        extraOptions = [ "--network=container:onlyoffice" ];
+        dependsOn = [ "onlyoffice" ];
+      };
+  };
+}
--- a/hosts/stratus/containers/nspawn/onlyoffice/default.nix
+++ b/hosts/stratus/containers/nspawn/onlyoffice/default.nix
@ -1,20 +0,0 @@
-{
-  containers.onlyoffice.config =
-    { config, lib, ... }:
-    {
-      sops.secrets."onlyoffice-secret-key" = {
-        owner = config.users.users.onlyoffice.name;
-        inherit (config.users.users.onlyoffice) group;
-      };
-
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
-
-      services.onlyoffice = {
-        enable = true;
-        hostname = "onlyoffice.stork-atlas.ts.net";
-        jwtSecretFile = config.sops.secrets."onlyoffice-secret-key".path;
-      };
-
-      myConfig.tailscale.serve = "8000";
-    };
-}
--- a/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
@ -1,31 +0,0 @@
-tailscale-auth-key: ENC[AES256_GCM,data:rbESOOvhOWXx7fPsM4rfHZ83qiynHADz7QJjINfrPhpk7KddBkWpzfrHzsUszNEo3jaWOx67G71rhRZxEA==,iv:8PYmou/U2jsYenxk+APYlW4w4WhTSzv95aV5qq4/5pQ=,tag:iukHBj3GQ/ePpzaasXGm4g==,type:str]
-onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
-sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
-  age:
-    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
-        andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
-        dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
-        SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
-        5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
-        OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
-        Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
-        V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
-        UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-14T10:13:24Z"
-  mac: ENC[AES256_GCM,data:JuCYiDYHt7lO5i+XbXkuOFFmfGNmmhdEoLrUTHpHA/ex9goRwPLwQ8KcmSonf3cIT7+d/U+sv3U77zCPaVzI848a7liyXnxByulRkUUdnhoqUtGt4bNE+gBq/+y2jsb8QGJIeotHoQS+gEIGnKCv2OAP0RBNfveyYvzedoDVfmo=,iv:AHbzDqLXgngiQZPiv581dNPtKNQzEWGnXkHWgAj+oTc=,tag:qe1lfXkLOq4c/5z62wkk6g==,type:str]
-  pgp: []
-  unencrypted_suffix: _unencrypted
-  version: 3.9.0
--- a/hosts/stratus/secrets.yaml
+++ b/hosts/stratus/secrets.yaml
@ -3,12 +3,13 @@ tailscale-auth-key: ENC[AES256_GCM,data:vwFTBVQr7T8/Wrc3jOCF3TeQhuEpFyJ0M9yES2g+
 container:
  actualbudget:
    tailscale-auth-key: ENC[AES256_GCM,data:n6sxwHbhKyvk1gubSIg6qXyDONob2LJOWOUCvLwmZDe3tCVxkq62vwfgiqAA5is2HEaLi72JdgdYMFQNoggwEnZ5X1YcS8WC,iv:0rJJiL+T9y45nZqRqpMobP1XmVYHeLfZei7jQoofMLE=,tag:RKPj2JwBlhNMvYH27lGsaQ==,type:str]
+  onlyoffice:
+    tailscale-auth-key: ENC[AES256_GCM,data:nxNiy9AKzspdPx3OfdT1WFjO+De1k9xHMaITZZ0y/gYCj6hsOnF9cOq1A+YV5N/zYB5RbPd9Hg77kLwfPeHYgnJklNbVMNfs,iv:ruk+riD2BVlv+gTsRDBhMB7+trvxioq7M8rUlyrG2fk=,tag:RCtXHI16EWOnl+cljqQyxg==,type:str]
+    jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str]
  forgejo:
    ssh-key: ENC[AES256_GCM,data:PbPRioKPPE/sv8jceAzuV5NFSVSBNOZAejCfUJUYmhLblLSuDsZ7fdgk5+TFjf7baVPhWasUGAo588z7fqzMlTgHfT/RtwDJ4QUMaPXts68CxdZemdjVa8LbV96i9UNlCJP8Sz/7Wvc8axnmyIApAhcLBA7d9KTQn/7lXgaGs9QtDDpSSmJluQHDe1t4QG2UqV73ZZ4I1MY9nVYO9lmaKBej43247cnw8FrkeCQLx4nXuArCp88rBug0CpgY8z15eK4RWXonBjBe5TDoCOWpENyD/6uVFeQIow5TSJgKlkh1w+dj9IiCBfYBllH5xQxjsjlVpDba4A+hfoBhah+EWhK3J765UGn4ufslVMNTQeL9yD87WMa1EkYwGSCVgCTD+/BfgP4HjzgGbM0OuU2Z5t2WV/R9Dm69w+wISbcjTmqqk+q6hle0RR5SkY9bOax2AKsOkcp/k6BS9QmNnajD7qnIVgGTLEwqgWjbQJGFLEE5mSNmZU5oV2gatrbPnN609LbaH6d6Zj28l7Hwr6jH,iv:fgUklpj946AqYe5hh3gwII4CUoUXsrrk3cW2TVugm0c=,tag:ypVvK3K/lSunq2g/LFIWRA==,type:str]
  nextcloud:
    ssh-key: ENC[AES256_GCM,data:HXCYEpNL6Y5GOLp5bhQY9M6NTLV0+e8DiQz2PbnCskvMSiZSp4yHr3wcAzgZttWhLmAydY4moelGzsmkvH8O/DiR2Gkw9Ex4uFEffS2HjlEzTwi7qL70Av6ZbF395NCP82M34Gnnl143+y7wZiJjCPL/oY5QZSzbgg3FgHrqo7f1xcSPcv4LukZ33zcsn4irOGRi2KktiDgcvAdVMLiChWxO0snqS+h7zPIaX4NIcNFW3BgOmUJ42cAoKcsR2ORDDbq0FmSSePh67pKqQJPbBoya6OzfYufNKek0nuwfWVkIjnQbqi0sicx4lks4WXYWMj1WapbIFzPkabfVysfHXcYPpt6OXNqnXTN9bn9Ww/dgEeQyyO+Qc7MHjfXxcLZd8p4bmiP+9bVJ6/ed0YHdCUkt14IxTOiXu0n5lI8/NMam4YLaGiMbRyYAGN6q8W7UYurFBOoKajVByUPTa7FK4H8rZDsNd6HYtTc4lqyeqzKYA9EU/99P9GCmMhrkQYMcoF77tLAAsDdn74OfS2AY86z7xGHCRg67ROMb,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
-  onlyoffice:
-    ssh-key: ENC[AES256_GCM,data:xonFRcLVBVXJZlDQViT1YD28uPasQYUeIaZn+He5C/cvrzxubjqO9uVLbj2sy6vYB5kBHof1xYJBePYg1YDEcYNcw1vuyc06EXgVxI5vB4U2jiyGd6H588S89dCmnpHKfF7jBvdaTyuvKLAg0m0juQQPUsEjomtiYmgj4rRUpLmjoewhtUSkddNvnIS21dD5lAP9xNbsgO2jSaYwTOHgitURdISnZNW+OJFvwqdnwwKVwCBwRBi2VbVBUN/KW/UzKIlhYsp+1SMsyBYdGUeBPysB/PTs0D/FYz031ALtjb1zeHf6vGyeyOqUZPIv8mCb/2qn/0Ou4wwf8RDjdGdj+usw2Af4i+8bdbcJaSZqbrdYGJpVkT+W9NVMddE+Edah6f13Gl4VV/av1L0cFpARbNu+X3NzEZOBKSn5shK0uu8cYXUrPpCzqBO+vTyG6FI0Kugd8kkBvhCsylO8CAiQjtLNjXv23TVqDyIpsXKSYFGNBbYiUKvAKRLvCputgqcr0osi998tgT77JZxDC3l31ljtdp7yEPKezFuF,iv:dB5TqLXea6DXnhMiwdxjtTSDL9NjWvqfRbVy/ZsVJs4=,tag:ItwDOkN+W1/YxOSU6oduaA==,type:str]
  paperless:
    ssh-key: ENC[AES256_GCM,data:9A82GwjT+6Vf9uVGUcgkZZZtbVD7Fqc7C4TtGZ97WaTSNDku9LDRZN/qwk2neHrUb5s3V4Ag4hoszvfe9Hqz+1wDLHu6DyDZNhz9awdZbRD6y7ZavB67cTQtj/qjR5sfqWABVHOFaJxH74+cxvUZjBNOaUEhYBmnKow4AL4CpXjkF+DfT0WcpCWJCBagUA2tfvdScASShbu2bA3+NouY/KR54nOrHTI9cqio+3NNs0Ux1R8D1tzzKj1B4oM8u7e5AFyX7E7W9dJmIFEW9JkfqyToZwX9KxkLJG4T12tuReXLHy1HJtsll1OVytznDp4//pHOC64TFvRgcuHrdldXhUtILqd6we5Lt2Cg+HdITie0Veuvce8V9vVnNX8j7I4Wr6z1HHwWFhcRp/JgVCBOInRVGByF0IA5j4lG3XZ5WZgXKVHgLHN1mqkyPJC8pu7ZL57rdDUOCuSZxKT6aG54glD/PtqayFS0+8G0zeZ6xQ6UYSVCvD1VjDGKWDsZgeLHMV+IE2tTdzp0+AahhgW0RmCXh/FCgrMDfnJk,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
 sops:
@ -35,8 +36,8 @@ sops:
        aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
        FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-17T19:24:26Z"
-  mac: ENC[AES256_GCM,data:J8Yb58+LhtuLck/T0dDyVxJUkn/C0NjQX2BcqwZXcBFKDrFzCOEDIlcAh0xipm5GD1vOtG+aTGTim0ukd7Nyixqihi6Idz36aGXcvV1honkrWh6lJK74ptJfAwt5tCeg8EPUAaDDeWXjkzG75nZo+gyFCiD70KwlM6hbJzWHvy8=,iv:QG37NsN6yGLnv2AWnAeMm/3r+xxbSGlLjnY35IGV6B4=,tag:LWynqPIJoYePUP35DfyY4A==,type:str]
+  lastmodified: "2024-09-17T19:31:27Z"
+  mac: ENC[AES256_GCM,data:dHNRqEXwYMK02HY4suuLQb1nkPQrq4s1jzgG6thpfOMYhVZ4ARe9xAx1aUjZM+eeqqvL7Jn9kyGoJ4aItADUguce3mTbdMR5gy3E7B0mm/jBO3op1Ec0hgivf+Cf2D8Ex53seqJTxFbH3/wqtHwvl9c1WTI5j81jn4u13wFnARg=,iv:BX/7+AhdJKl9y583vBrszmQDYocOuXNCbBEB1E2mxXM=,tag:DgErmskmRdRv+iMAOTo2OA==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.0