From 18bbe1fd2757eb265a6bb47221189f9867f51da1 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Tue, 17 Sep 2024 21:38:02 +0200
Subject: [PATCH] Use docker instead of nspawn to host onlyoffice
---
 .sops.yaml | 6 ---
 .../containers/docker/onlyoffice/default.nix | 48 +++++++++++++++++++
 .../containers/nspawn/onlyoffice/default.nix | 20 --------
 .../containers/nspawn/onlyoffice/secrets.yaml | 31 ------------
 hosts/stratus/secrets.yaml | 9 ++--
 5 files changed, 53 insertions(+), 61 deletions(-)
 create mode 100644 hosts/stratus/containers/docker/onlyoffice/default.nix
 delete mode 100644 hosts/stratus/containers/nspawn/onlyoffice/default.nix
 delete mode 100644 hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 3b33b42..a45dd9a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,7 +9,6 @@ keys:
 # Containers
 - &forgejo age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
 - &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
- - &onlyoffice age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
 - &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
 # Users
@@ -45,11 +44,6 @@ creation_rules:
 - age:
 - *admin
 - *nextcloud
- - path_regex: hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml$
- key_groups:
- - age:
- - *admin
- - *onlyoffice
 - path_regex: hosts/stratus/containers/nspawn/paperless/secrets.yaml$
 key_groups:
 - age:
diff --git a/hosts/stratus/containers/docker/onlyoffice/default.nix b/hosts/stratus/containers/docker/onlyoffice/default.nix
new file mode 100644
index 0000000..0210207
--- /dev/null
+++ b/hosts/stratus/containers/docker/onlyoffice/default.nix
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+ sops.secrets = {
+ "container/onlyoffice/tailscale-auth-key" = { };
+ "container/onlyoffice/jwt-secret" = { };
+ };
+
+ virtualisation.oci-containers.containers = {
+ onlyoffice = {
+ image = "onlyoffice/documentserver";
+ environmentFiles = [
+ # Contains "JWT_SECRET="
+ config.sops.secrets."container/onlyoffice/jwt-secret".path
+ ];
+ };
+
+ tailscale-onlyoffice =
+ let
+ configPath = pkgs.writeTextFile {
+ name = "config";
+ destination = "/tailscale-serve.json";
+ text = builtins.toJSON {
+ TCP."443".HTTPS = true;
+ Web."onlyoffice.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:80";
+ };
+ };
+ in
+ {
+ image = "ghcr.io/tailscale/tailscale:latest";
+ environment = {
+ TS_HOSTNAME = "onlyoffice";
+ TS_STATE_DIR = "/var/lib/tailscale";
+ TS_SERVE_CONFIG = "/config/tailscale-serve.json";
+ TS_USERSPACE = "true"; # https://github.com/tailscale/tailscale/issues/11372
+ };
+ environmentFiles = [
+ # Contains "TS_AUTHKEY="
+ config.sops.secrets."container/onlyoffice/tailscale-auth-key".path
+ ];
+ volumes = [
+ "/var/lib/tailscale-onlyoffice:/var/lib/tailscale"
+ "${configPath}:/config"
+ ];
+ extraOptions = [ "--network=container:onlyoffice" ];
+ dependsOn = [ "onlyoffice" ];
+ };
+ };
+}
diff --git a/hosts/stratus/containers/nspawn/onlyoffice/default.nix b/hosts/stratus/containers/nspawn/onlyoffice/default.nix
deleted file mode 100644
index e82b9dc..0000000
--- a/hosts/stratus/containers/nspawn/onlyoffice/default.nix
+++ /dev/null
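Review bot: Both container images in this hunk are unpinned — `image = "onlyoffice/documentserver";` resolves to a floating `latest` tag and `image = "ghcr.io/tailscale/tailscale:latest";` is explicitly floating — so every pull may silently swap in a different build for the two containers that hold the JWT secret and the Tailscale auth key, which undermines the reproducibility the rest of the Nix config otherwise gives. Pin both to a version tag plus digest, e.g. `image = "onlyoffice/documentserver:<version>@sha256:<digest>";`, and bump them deliberately. The nspawn module this commit deletes wired the secret in through `services.onlyoffice.jwtSecretFile`, whereas here it is only exported as `JWT_SECRET=` via the env file, so whether token validation is actually on depends on the image's `JWT_ENABLED` default (which I cannot verify from here); setting `JWT_ENABLED = "true";` explicitly in the onlyoffice container's `environment` removes that dependency. The serve hostname `onlyoffice.${config.networking.domain}` replaces the literal `onlyoffice.stork-atlas.ts.net` from the removed module, so it presumably assumes `networking.domain` is the tailnet's MagicDNS domain on this host; a comment such as `# networking.domain must be the tailnet MagicDNS domain or Serve will not match the hostname` would make that assumption visible.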
@@ -1,20 +0,0 @@
-{
- containers.onlyoffice.config =
- { config, lib, ... }:
- {
- sops.secrets."onlyoffice-secret-key" = {
- owner = config.users.users.onlyoffice.name;
- inherit (config.users.users.onlyoffice) group;
- };
-
- nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
-
- services.onlyoffice = {
- enable = true;
- hostname = "onlyoffice.stork-atlas.ts.net";
- jwtSecretFile = config.sops.secrets."onlyoffice-secret-key".path;
- };
-
- myConfig.tailscale.serve = "8000";
- };
-}
diff --git a/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml b/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
deleted file mode 100644
index ce438ed..0000000
--- a/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-tailscale-auth-key: ENC[AES256_GCM,data:rbESOOvhOWXx7fPsM4rfHZ83qiynHADz7QJjINfrPhpk7KddBkWpzfrHzsUszNEo3jaWOx67G71rhRZxEA==,iv:8PYmou/U2jsYenxk+APYlW4w4WhTSzv95aV5qq4/5pQ=,tag:iukHBj3GQ/ePpzaasXGm4g==,type:str]
-onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
- andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
- dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
- SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
- 5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
- OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
- Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
- V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
- UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-14T10:13:24Z"
- mac: ENC[AES256_GCM,data:JuCYiDYHt7lO5i+XbXkuOFFmfGNmmhdEoLrUTHpHA/ex9goRwPLwQ8KcmSonf3cIT7+d/U+sv3U77zCPaVzI848a7liyXnxByulRkUUdnhoqUtGt4bNE+gBq/+y2jsb8QGJIeotHoQS+gEIGnKCv2OAP0RBNfveyYvzedoDVfmo=,iv:AHbzDqLXgngiQZPiv581dNPtKNQzEWGnXkHWgAj+oTc=,tag:qe1lfXkLOq4c/5z62wkk6g==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.9.0
diff --git a/hosts/stratus/secrets.yaml b/hosts/stratus/secrets.yaml
index ac12aad..ba0a001 100644
--- a/hosts/stratus/secrets.yaml
+++ b/hosts/stratus/secrets.yaml
@@ -3,12 +3,13 @@ tailscale-auth-key: ENC[AES256_GCM,data:vwFTBVQr7T8/Wrc3jOCF3TeQhuEpFyJ0M9yES2g+
 container:
 actualbudget:
 tailscale-auth-key: ENC[AES256_GCM,data:n6sxwHbhKyvk1gubSIg6qXyDONob2LJOWOUCvLwmZDe3tCVxkq62vwfgiqAA5is2HEaLi72JdgdYMFQNoggwEnZ5X1YcS8WC,iv:0rJJiL+T9y45nZqRqpMobP1XmVYHeLfZei7jQoofMLE=,tag:RKPj2JwBlhNMvYH27lGsaQ==,type:str]
+ onlyoffice:
+ tailscale-auth-key: ENC[AES256_GCM,data:nxNiy9AKzspdPx3OfdT1WFjO+De1k9xHMaITZZ0y/gYCj6hsOnF9cOq1A+YV5N/zYB5RbPd9Hg77kLwfPeHYgnJklNbVMNfs,iv:ruk+riD2BVlv+gTsRDBhMB7+trvxioq7M8rUlyrG2fk=,tag:RCtXHI16EWOnl+cljqQyxg==,type:str]
+ jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str]
 forgejo:
 ssh-key: ENC[AES256_GCM,data:PbPRioKPPE/sv8jceAzuV5NFSVSBNOZAejCfUJUYmhLblLSuDsZ7fdgk5+TFjf7baVPhWasUGAo588z7fqzMlTgHfT/RtwDJ4QUMaPXts68CxdZemdjVa8LbV96i9UNlCJP8Sz/7Wvc8axnmyIApAhcLBA7d9KTQn/7lXgaGs9QtDDpSSmJluQHDe1t4QG2UqV73ZZ4I1MY9nVYO9lmaKBej43247cnw8FrkeCQLx4nXuArCp88rBug0CpgY8z15eK4RWXonBjBe5TDoCOWpENyD/6uVFeQIow5TSJgKlkh1w+dj9IiCBfYBllH5xQxjsjlVpDba4A+hfoBhah+EWhK3J765UGn4ufslVMNTQeL9yD87WMa1EkYwGSCVgCTD+/BfgP4HjzgGbM0OuU2Z5t2WV/R9Dm69w+wISbcjTmqqk+q6hle0RR5SkY9bOax2AKsOkcp/k6BS9QmNnajD7qnIVgGTLEwqgWjbQJGFLEE5mSNmZU5oV2gatrbPnN609LbaH6d6Zj28l7Hwr6jH,iv:fgUklpj946AqYe5hh3gwII4CUoUXsrrk3cW2TVugm0c=,tag:ypVvK3K/lSunq2g/LFIWRA==,type:str]
 nextcloud:
 ssh-key: ENC[AES256_GCM,data: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,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
- onlyoffice:
- ssh-key:
ENC[AES256_GCM,data:xonFRcLVBVXJZlDQViT1YD28uPasQYUeIaZn+He5C/cvrzxubjqO9uVLbj2sy6vYB5kBHof1xYJBePYg1YDEcYNcw1vuyc06EXgVxI5vB4U2jiyGd6H588S89dCmnpHKfF7jBvdaTyuvKLAg0m0juQQPUsEjomtiYmgj4rRUpLmjoewhtUSkddNvnIS21dD5lAP9xNbsgO2jSaYwTOHgitURdISnZNW+OJFvwqdnwwKVwCBwRBi2VbVBUN/KW/UzKIlhYsp+1SMsyBYdGUeBPysB/PTs0D/FYz031ALtjb1zeHf6vGyeyOqUZPIv8mCb/2qn/0Ou4wwf8RDjdGdj+usw2Af4i+8bdbcJaSZqbrdYGJpVkT+W9NVMddE+Edah6f13Gl4VV/av1L0cFpARbNu+X3NzEZOBKSn5shK0uu8cYXUrPpCzqBO+vTyG6FI0Kugd8kkBvhCsylO8CAiQjtLNjXv23TVqDyIpsXKSYFGNBbYiUKvAKRLvCputgqcr0osi998tgT77JZxDC3l31ljtdp7yEPKezFuF,iv:dB5TqLXea6DXnhMiwdxjtTSDL9NjWvqfRbVy/ZsVJs4=,tag:ItwDOkN+W1/YxOSU6oduaA==,type:str]
 paperless:
 ssh-key: ENC[AES256_GCM,data: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,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
 sops:
@@ -35,8 +36,8 @@ sops:
 aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
 FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-17T19:24:26Z"
- mac: ENC[AES256_GCM,data:J8Yb58+LhtuLck/T0dDyVxJUkn/C0NjQX2BcqwZXcBFKDrFzCOEDIlcAh0xipm5GD1vOtG+aTGTim0ukd7Nyixqihi6Idz36aGXcvV1honkrWh6lJK74ptJfAwt5tCeg8EPUAaDDeWXjkzG75nZo+gyFCiD70KwlM6hbJzWHvy8=,iv:QG37NsN6yGLnv2AWnAeMm/3r+xxbSGlLjnY35IGV6B4=,tag:LWynqPIJoYePUP35DfyY4A==,type:str]
+ lastmodified: "2024-09-17T19:31:27Z"
+ mac: ENC[AES256_GCM,data:dHNRqEXwYMK02HY4suuLQb1nkPQrq4s1jzgG6thpfOMYhVZ4ARe9xAx1aUjZM+eeqqvL7Jn9kyGoJ4aItADUguce3mTbdMR5gy3E7B0mm/jBO3op1Ec0hgivf+Cf2D8Ex53seqJTxFbH3/wqtHwvl9c1WTI5j81jn4u13wFnARg=,iv:BX/7+AhdJKl9y583vBrszmQDYocOuXNCbBEB1E2mxXM=,tag:DgErmskmRdRv+iMAOTo2OA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0