SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 23:11:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use docker instead of nspawn to host onlyoffice

Browse source
This commit is contained in:
SebastianStork 2024-09-17 21:38:02 +02:00
parent 982dc99e7a
commit 18bbe1fd27
5 changed files with 53 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -9,7 +9,6 @@ keys:
# Containers # Containers
- &forgejo age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n - &forgejo age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
- &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr - &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
- &onlyoffice age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
- &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh - &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
# Users # Users
@ -45,11 +44,6 @@ creation_rules:
- age: - age:
- *admin - *admin
- *nextcloud - *nextcloud
- path_regex: hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml$
key_groups:
- age:
- *admin
- *onlyoffice
- path_regex: hosts/stratus/containers/nspawn/paperless/secrets.yaml$ - path_regex: hosts/stratus/containers/nspawn/paperless/secrets.yaml$
key_groups: key_groups:
- age: - age:

48
hosts/stratus/containers/docker/onlyoffice/default.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, pkgs, ... }:
{
sops.secrets = {
"container/onlyoffice/tailscale-auth-key" = { };
"container/onlyoffice/jwt-secret" = { };
};
virtualisation.oci-containers.containers = {
onlyoffice = {
image = "onlyoffice/documentserver";
environmentFiles = [
# Contains "JWT_SECRET=<token>"
config.sops.secrets."container/onlyoffice/jwt-secret".path
];
};
tailscale-onlyoffice =
let
configPath = pkgs.writeTextFile {
name = "config";
destination = "/tailscale-serve.json";
text = builtins.toJSON {
TCP."443".HTTPS = true;
Web."onlyoffice.${config.networking.domain}:443".Handlers."/".Proxy = "http://127.0.0.1:80";
};
};
in
{
image = "ghcr.io/tailscale/tailscale:latest";
environment = {
TS_HOSTNAME = "onlyoffice";
TS_STATE_DIR = "/var/lib/tailscale";
TS_SERVE_CONFIG = "/config/tailscale-serve.json";
TS_USERSPACE = "true"; # https://github.com/tailscale/tailscale/issues/11372
};
environmentFiles = [
# Contains "TS_AUTHKEY=<token>"
config.sops.secrets."container/onlyoffice/tailscale-auth-key".path
];
volumes = [
"/var/lib/tailscale-onlyoffice:/var/lib/tailscale"
"${configPath}:/config"
];
extraOptions = [ "--network=container:onlyoffice" ];
dependsOn = [ "onlyoffice" ];
};
};
}

20
hosts/stratus/containers/nspawn/onlyoffice/default.nix
View file

@ -1,20 +0,0 @@
{
containers.onlyoffice.config =
{ config, lib, ... }:
{
sops.secrets."onlyoffice-secret-key" = {
owner = config.users.users.onlyoffice.name;
inherit (config.users.users.onlyoffice) group;
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
services.onlyoffice = {
enable = true;
hostname = "onlyoffice.stork-atlas.ts.net";
jwtSecretFile = config.sops.secrets."onlyoffice-secret-key".path;
};
myConfig.tailscale.serve = "8000";
};
}

31
hosts/stratus/containers/nspawn/onlyoffice/secrets.yaml
View file

@ -1,31 +0,0 @@
tailscale-auth-key: ENC[AES256_GCM,data:rbESOOvhOWXx7fPsM4rfHZ83qiynHADz7QJjINfrPhpk7KddBkWpzfrHzsUszNEo3jaWOx67G71rhRZxEA==,iv:8PYmou/U2jsYenxk+APYlW4w4WhTSzv95aV5qq4/5pQ=,tag:iukHBj3GQ/ePpzaasXGm4g==,type:str]
onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-14T10:13:24Z"
mac: ENC[AES256_GCM,data:JuCYiDYHt7lO5i+XbXkuOFFmfGNmmhdEoLrUTHpHA/ex9goRwPLwQ8KcmSonf3cIT7+d/U+sv3U77zCPaVzI848a7liyXnxByulRkUUdnhoqUtGt4bNE+gBq/+y2jsb8QGJIeotHoQS+gEIGnKCv2OAP0RBNfveyYvzedoDVfmo=,iv:AHbzDqLXgngiQZPiv581dNPtKNQzEWGnXkHWgAj+oTc=,tag:qe1lfXkLOq4c/5z62wkk6g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

9
hosts/stratus/secrets.yaml
View file

@ -3,12 +3,13 @@ tailscale-auth-key: ENC[AES256_GCM,data:vwFTBVQr7T8/Wrc3jOCF3TeQhuEpFyJ0M9yES2g+
container: container:
actualbudget: actualbudget:
tailscale-auth-key: ENC[AES256_GCM,data:n6sxwHbhKyvk1gubSIg6qXyDONob2LJOWOUCvLwmZDe3tCVxkq62vwfgiqAA5is2HEaLi72JdgdYMFQNoggwEnZ5X1YcS8WC,iv:0rJJiL+T9y45nZqRqpMobP1XmVYHeLfZei7jQoofMLE=,tag:RKPj2JwBlhNMvYH27lGsaQ==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:n6sxwHbhKyvk1gubSIg6qXyDONob2LJOWOUCvLwmZDe3tCVxkq62vwfgiqAA5is2HEaLi72JdgdYMFQNoggwEnZ5X1YcS8WC,iv:0rJJiL+T9y45nZqRqpMobP1XmVYHeLfZei7jQoofMLE=,tag:RKPj2JwBlhNMvYH27lGsaQ==,type:str]
onlyoffice:
tailscale-auth-key: ENC[AES256_GCM,data:nxNiy9AKzspdPx3OfdT1WFjO+De1k9xHMaITZZ0y/gYCj6hsOnF9cOq1A+YV5N/zYB5RbPd9Hg77kLwfPeHYgnJklNbVMNfs,iv:ruk+riD2BVlv+gTsRDBhMB7+trvxioq7M8rUlyrG2fk=,tag:RCtXHI16EWOnl+cljqQyxg==,type:str]
jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str]
forgejo: forgejo:
ssh-key: ENC[AES256_GCM,data:PbPRioKPPE/sv8jceAzuV5NFSVSBNOZAejCfUJUYmhLblLSuDsZ7fdgk5+TFjf7baVPhWasUGAo588z7fqzMlTgHfT/RtwDJ4QUMaPXts68CxdZemdjVa8LbV96i9UNlCJP8Sz/7Wvc8axnmyIApAhcLBA7d9KTQn/7lXgaGs9QtDDpSSmJluQHDe1t4QG2UqV73ZZ4I1MY9nVYO9lmaKBej43247cnw8FrkeCQLx4nXuArCp88rBug0CpgY8z15eK4RWXonBjBe5TDoCOWpENyD/6uVFeQIow5TSJgKlkh1w+dj9IiCBfYBllH5xQxjsjlVpDba4A+hfoBhah+EWhK3J765UGn4ufslVMNTQeL9yD87WMa1EkYwGSCVgCTD+/BfgP4HjzgGbM0OuU2Z5t2WV/R9Dm69w+wISbcjTmqqk+q6hle0RR5SkY9bOax2AKsOkcp/k6BS9QmNnajD7qnIVgGTLEwqgWjbQJGFLEE5mSNmZU5oV2gatrbPnN609LbaH6d6Zj28l7Hwr6jH,iv:fgUklpj946AqYe5hh3gwII4CUoUXsrrk3cW2TVugm0c=,tag:ypVvK3K/lSunq2g/LFIWRA==,type:str] ssh-key: ENC[AES256_GCM,data:PbPRioKPPE/sv8jceAzuV5NFSVSBNOZAejCfUJUYmhLblLSuDsZ7fdgk5+TFjf7baVPhWasUGAo588z7fqzMlTgHfT/RtwDJ4QUMaPXts68CxdZemdjVa8LbV96i9UNlCJP8Sz/7Wvc8axnmyIApAhcLBA7d9KTQn/7lXgaGs9QtDDpSSmJluQHDe1t4QG2UqV73ZZ4I1MY9nVYO9lmaKBej43247cnw8FrkeCQLx4nXuArCp88rBug0CpgY8z15eK4RWXonBjBe5TDoCOWpENyD/6uVFeQIow5TSJgKlkh1w+dj9IiCBfYBllH5xQxjsjlVpDba4A+hfoBhah+EWhK3J765UGn4ufslVMNTQeL9yD87WMa1EkYwGSCVgCTD+/BfgP4HjzgGbM0OuU2Z5t2WV/R9Dm69w+wISbcjTmqqk+q6hle0RR5SkY9bOax2AKsOkcp/k6BS9QmNnajD7qnIVgGTLEwqgWjbQJGFLEE5mSNmZU5oV2gatrbPnN609LbaH6d6Zj28l7Hwr6jH,iv:fgUklpj946AqYe5hh3gwII4CUoUXsrrk3cW2TVugm0c=,tag:ypVvK3K/lSunq2g/LFIWRA==,type:str]
nextcloud: nextcloud:
ssh-key: ENC[AES256_GCM,data:HXCYEpNL6Y5GOLp5bhQY9M6NTLV0+e8DiQz2PbnCskvMSiZSp4yHr3wcAzgZttWhLmAydY4moelGzsmkvH8O/DiR2Gkw9Ex4uFEffS2HjlEzTwi7qL70Av6ZbF395NCP82M34Gnnl143+y7wZiJjCPL/oY5QZSzbgg3FgHrqo7f1xcSPcv4LukZ33zcsn4irOGRi2KktiDgcvAdVMLiChWxO0snqS+h7zPIaX4NIcNFW3BgOmUJ42cAoKcsR2ORDDbq0FmSSePh67pKqQJPbBoya6OzfYufNKek0nuwfWVkIjnQbqi0sicx4lks4WXYWMj1WapbIFzPkabfVysfHXcYPpt6OXNqnXTN9bn9Ww/dgEeQyyO+Qc7MHjfXxcLZd8p4bmiP+9bVJ6/ed0YHdCUkt14IxTOiXu0n5lI8/NMam4YLaGiMbRyYAGN6q8W7UYurFBOoKajVByUPTa7FK4H8rZDsNd6HYtTc4lqyeqzKYA9EU/99P9GCmMhrkQYMcoF77tLAAsDdn74OfS2AY86z7xGHCRg67ROMb,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str] ssh-key: ENC[AES256_GCM,data:HXCYEpNL6Y5GOLp5bhQY9M6NTLV0+e8DiQz2PbnCskvMSiZSp4yHr3wcAzgZttWhLmAydY4moelGzsmkvH8O/DiR2Gkw9Ex4uFEffS2HjlEzTwi7qL70Av6ZbF395NCP82M34Gnnl143+y7wZiJjCPL/oY5QZSzbgg3FgHrqo7f1xcSPcv4LukZ33zcsn4irOGRi2KktiDgcvAdVMLiChWxO0snqS+h7zPIaX4NIcNFW3BgOmUJ42cAoKcsR2ORDDbq0FmSSePh67pKqQJPbBoya6OzfYufNKek0nuwfWVkIjnQbqi0sicx4lks4WXYWMj1WapbIFzPkabfVysfHXcYPpt6OXNqnXTN9bn9Ww/dgEeQyyO+Qc7MHjfXxcLZd8p4bmiP+9bVJ6/ed0YHdCUkt14IxTOiXu0n5lI8/NMam4YLaGiMbRyYAGN6q8W7UYurFBOoKajVByUPTa7FK4H8rZDsNd6HYtTc4lqyeqzKYA9EU/99P9GCmMhrkQYMcoF77tLAAsDdn74OfS2AY86z7xGHCRg67ROMb,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
onlyoffice:
ssh-key: ENC[AES256_GCM,data:xonFRcLVBVXJZlDQViT1YD28uPasQYUeIaZn+He5C/cvrzxubjqO9uVLbj2sy6vYB5kBHof1xYJBePYg1YDEcYNcw1vuyc06EXgVxI5vB4U2jiyGd6H588S89dCmnpHKfF7jBvdaTyuvKLAg0m0juQQPUsEjomtiYmgj4rRUpLmjoewhtUSkddNvnIS21dD5lAP9xNbsgO2jSaYwTOHgitURdISnZNW+OJFvwqdnwwKVwCBwRBi2VbVBUN/KW/UzKIlhYsp+1SMsyBYdGUeBPysB/PTs0D/FYz031ALtjb1zeHf6vGyeyOqUZPIv8mCb/2qn/0Ou4wwf8RDjdGdj+usw2Af4i+8bdbcJaSZqbrdYGJpVkT+W9NVMddE+Edah6f13Gl4VV/av1L0cFpARbNu+X3NzEZOBKSn5shK0uu8cYXUrPpCzqBO+vTyG6FI0Kugd8kkBvhCsylO8CAiQjtLNjXv23TVqDyIpsXKSYFGNBbYiUKvAKRLvCputgqcr0osi998tgT77JZxDC3l31ljtdp7yEPKezFuF,iv:dB5TqLXea6DXnhMiwdxjtTSDL9NjWvqfRbVy/ZsVJs4=,tag:ItwDOkN+W1/YxOSU6oduaA==,type:str]
paperless: paperless:
ssh-key: ENC[AES256_GCM,data:9A82GwjT+6Vf9uVGUcgkZZZtbVD7Fqc7C4TtGZ97WaTSNDku9LDRZN/qwk2neHrUb5s3V4Ag4hoszvfe9Hqz+1wDLHu6DyDZNhz9awdZbRD6y7ZavB67cTQtj/qjR5sfqWABVHOFaJxH74+cxvUZjBNOaUEhYBmnKow4AL4CpXjkF+DfT0WcpCWJCBagUA2tfvdScASShbu2bA3+NouY/KR54nOrHTI9cqio+3NNs0Ux1R8D1tzzKj1B4oM8u7e5AFyX7E7W9dJmIFEW9JkfqyToZwX9KxkLJG4T12tuReXLHy1HJtsll1OVytznDp4//pHOC64TFvRgcuHrdldXhUtILqd6we5Lt2Cg+HdITie0Veuvce8V9vVnNX8j7I4Wr6z1HHwWFhcRp/JgVCBOInRVGByF0IA5j4lG3XZ5WZgXKVHgLHN1mqkyPJC8pu7ZL57rdDUOCuSZxKT6aG54glD/PtqayFS0+8G0zeZ6xQ6UYSVCvD1VjDGKWDsZgeLHMV+IE2tTdzp0+AahhgW0RmCXh/FCgrMDfnJk,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str] ssh-key: ENC[AES256_GCM,data:9A82GwjT+6Vf9uVGUcgkZZZtbVD7Fqc7C4TtGZ97WaTSNDku9LDRZN/qwk2neHrUb5s3V4Ag4hoszvfe9Hqz+1wDLHu6DyDZNhz9awdZbRD6y7ZavB67cTQtj/qjR5sfqWABVHOFaJxH74+cxvUZjBNOaUEhYBmnKow4AL4CpXjkF+DfT0WcpCWJCBagUA2tfvdScASShbu2bA3+NouY/KR54nOrHTI9cqio+3NNs0Ux1R8D1tzzKj1B4oM8u7e5AFyX7E7W9dJmIFEW9JkfqyToZwX9KxkLJG4T12tuReXLHy1HJtsll1OVytznDp4//pHOC64TFvRgcuHrdldXhUtILqd6we5Lt2Cg+HdITie0Veuvce8V9vVnNX8j7I4Wr6z1HHwWFhcRp/JgVCBOInRVGByF0IA5j4lG3XZ5WZgXKVHgLHN1mqkyPJC8pu7ZL57rdDUOCuSZxKT6aG54glD/PtqayFS0+8G0zeZ6xQ6UYSVCvD1VjDGKWDsZgeLHMV+IE2tTdzp0+AahhgW0RmCXh/FCgrMDfnJk,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
sops: sops:
@ -35,8 +36,8 @@ sops:
aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A== FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-17T19:24:26Z" lastmodified: "2024-09-17T19:31:27Z"
mac: ENC[AES256_GCM,data:J8Yb58+LhtuLck/T0dDyVxJUkn/C0NjQX2BcqwZXcBFKDrFzCOEDIlcAh0xipm5GD1vOtG+aTGTim0ukd7Nyixqihi6Idz36aGXcvV1honkrWh6lJK74ptJfAwt5tCeg8EPUAaDDeWXjkzG75nZo+gyFCiD70KwlM6hbJzWHvy8=,iv:QG37NsN6yGLnv2AWnAeMm/3r+xxbSGlLjnY35IGV6B4=,tag:LWynqPIJoYePUP35DfyY4A==,type:str] mac: ENC[AES256_GCM,data:dHNRqEXwYMK02HY4suuLQb1nkPQrq4s1jzgG6thpfOMYhVZ4ARe9xAx1aUjZM+eeqqvL7Jn9kyGoJ4aItADUguce3mTbdMR5gy3E7B0mm/jBO3op1Ec0hgivf+Cf2D8Ex53seqJTxFbH3/wqtHwvl9c1WTI5j81jn4u13wFnARg=,iv:BX/7+AhdJKl9y583vBrszmQDYocOuXNCbBEB1E2mxXM=,tag:DgErmskmRdRv+iMAOTo2OA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0