Use docker instead of nspawn to host onlyoffice

2026-01-22 00:21:34 +01:00 · 2024-09-17 21:38:02 +02:00 · 2024-09-17 21:38:02 +02:00 · 18bbe1fd27
commit 18bbe1fd27
parent 982dc99e7a
5 changed files with 53 additions and 61 deletions
--- a/hosts/stratus/containers/docker/onlyoffice/default.nix
+++ b/hosts/stratus/containers/docker/onlyoffice/default.nix
@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+  sops.secrets = {
+    "container/onlyoffice/tailscale-auth-key" = { };
+    "container/onlyoffice/jwt-secret" = { };
+  };
+
+  virtualisation.oci-containers.containers = {
+    onlyoffice = {
+      image = "onlyoffice/documentserver";
+      environmentFiles = [
+        # Contains "JWT_SECRET=<token>"
+        config.sops.secrets."container/onlyoffice/jwt-secret".path
+      ];
+    };
+
+    tailscale-onlyoffice =
+      let
+        configPath = pkgs.writeTextFile {
+          name = "config";
+          destination = "/tailscale-serve.json";
+          text = builtins.toJSON {
+            TCP."443".HTTPS = true;
+            Web."onlyoffice.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:80";
+          };
+        };
+      in
+      {
+        image = "ghcr.io/tailscale/tailscale:latest";
+        environment = {
+          TS_HOSTNAME = "onlyoffice";
+          TS_STATE_DIR = "/var/lib/tailscale";
+          TS_SERVE_CONFIG = "/config/tailscale-serve.json";
+          TS_USERSPACE = "true"; # https://github.com/tailscale/tailscale/issues/11372
+        };
+        environmentFiles = [
+          # Contains "TS_AUTHKEY=<token>"
+          config.sops.secrets."container/onlyoffice/tailscale-auth-key".path
+        ];
+        volumes = [
+          "/var/lib/tailscale-onlyoffice:/var/lib/tailscale"
+          "${configPath}:/config"
+        ];
+        extraOptions = [ "--network=container:onlyoffice" ];
+        dependsOn = [ "onlyoffice" ];
+      };
+  };
+}
--- a/hosts/stratus/containers/nspawn/onlyoffice/default.nix
+++ b/hosts/stratus/containers/nspawn/onlyoffice/default.nix
@ -1,20 +0,0 @@
-{
-  containers.onlyoffice.config =
-    { config, lib, ... }:
-    {
-      sops.secrets."onlyoffice-secret-key" = {
-        owner = config.users.users.onlyoffice.name;
-        inherit (config.users.users.onlyoffice) group;
-      };
-
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
-
-      services.onlyoffice = {
-        enable = true;
-        hostname = "onlyoffice.stork-atlas.ts.net";
-        jwtSecretFile = config.sops.secrets."onlyoffice-secret-key".path;
-      };
-
-      myConfig.tailscale.serve = "8000";
-    };
-}
--- a/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
@ -1,31 +0,0 @@
-tailscale-auth-key: ENC[AES256_GCM,data:rbESOOvhOWXx7fPsM4rfHZ83qiynHADz7QJjINfrPhpk7KddBkWpzfrHzsUszNEo3jaWOx67G71rhRZxEA==,iv:8PYmou/U2jsYenxk+APYlW4w4WhTSzv95aV5qq4/5pQ=,tag:iukHBj3GQ/ePpzaasXGm4g==,type:str]
-onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
-sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
-  age:
-    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
-        andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
-        dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
-        SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
-        5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
-        OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
-        Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
-        V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
-        UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-14T10:13:24Z"
-  mac: ENC[AES256_GCM,data:JuCYiDYHt7lO5i+XbXkuOFFmfGNmmhdEoLrUTHpHA/ex9goRwPLwQ8KcmSonf3cIT7+d/U+sv3U77zCPaVzI848a7liyXnxByulRkUUdnhoqUtGt4bNE+gBq/+y2jsb8QGJIeotHoQS+gEIGnKCv2OAP0RBNfveyYvzedoDVfmo=,iv:AHbzDqLXgngiQZPiv581dNPtKNQzEWGnXkHWgAj+oTc=,tag:qe1lfXkLOq4c/5z62wkk6g==,type:str]
-  pgp: []
-  unencrypted_suffix: _unencrypted
-  version: 3.9.0