From f0295cd9e1fd56d3f6320e0070216b6a3d3db8ee Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 29 Aug 2024 21:39:43 +0200
Subject: [PATCH] Convert the nextcloud module into a container
---
 .../proxima/containers/nextcloud/default.nix | 42 +++++++++++
 .../containers/nextcloud/email-server.nix | 21 ++++++
 .../containers/nextcloud/nextcloud.nix | 45 ++++++++++++
 .../containers/nextcloud/tailscale.nix | 30 ++++++++
 hosts/proxima/default.nix | 6 +-
 hosts/proxima/secrets.yaml | 60 ++++++++--------
 modules/system/nextcloud/default.nix | 71 -------------------
 modules/system/nextcloud/email-server.nix | 29 --------
 8 files changed, 170 insertions(+), 134 deletions(-)
 create mode 100644 hosts/proxima/containers/nextcloud/default.nix
 create mode 100644 hosts/proxima/containers/nextcloud/email-server.nix
 create mode 100644 hosts/proxima/containers/nextcloud/nextcloud.nix
 create mode 100644 hosts/proxima/containers/nextcloud/tailscale.nix
 delete mode 100644 modules/system/nextcloud/default.nix
 delete mode 100644 modules/system/nextcloud/email-server.nix
diff --git a/hosts/proxima/containers/nextcloud/default.nix b/hosts/proxima/containers/nextcloud/default.nix
new file mode 100644
index 0000000..d7716e9
--- /dev/null
+++ b/hosts/proxima/containers/nextcloud/default.nix
@@ -0,0 +1,42 @@
+{ config, ... }:
+{
+ sops.secrets = {
+ "nextcloud/admin-password" = { };
+ "nextcloud/gmail-password" = { };
+ tailscale-auth-key = { };
+ };
+
+ containers.nextcloud = {
+ autoStart = true;
+ ephemeral = true;
+ bindMounts = {
+ "/run/secrets/nextcloud/admin-password" = { };
+ "/run/secrets/nextcloud/gmail-password" = { };
+ "/run/secrets/tailscale-auth-key" = { };
+ "/data/nextcloud".isReadOnly = false;
+ "/data/postgresql".isReadOnly = false;
+ "/var/lib/tailscale" = {
+ hostPath = "/var/lib/tailscale-nextcloud";
+ isReadOnly = false;
+ };
+ };
+
+ specialArgs = {
+ inherit (config.networking) domain;
+ };
+ config =
+ { domain, ... }:
+ {
+ system.stateVersion = "24.05";
+ networking = {
+ inherit domain;
+ };
+
+ imports = [
+ ./nextcloud.nix
+ ./email-server.nix
+ ./tailscale.nix
+ ];
+ };
+ };
+}
diff --git a/hosts/proxima/containers/nextcloud/email-server.nix b/hosts/proxima/containers/nextcloud/email-server.nix
new file mode 100644
index 0000000..d3f21e0
--- /dev/null
+++ b/hosts/proxima/containers/nextcloud/email-server.nix
@@ -0,0 +1,21 @@
+{
+ systemd.tmpfiles.rules = [ "d /run/secrets/nextcloud/gmail-password 400 nextcloud nextcloud -" ];
+
+ services.nextcloud.settings = {
+ mail_smtpmode = "sendmail";
+ mail_sendmailmode = "pipe";
+ };
+
+ programs.msmtp = {
+ enable = true;
+ accounts.default = {
+ auth = true;
+ tls = true;
+ host = "smtp.gmail.com";
+ port = "587";
+ user = "nextcloud.stork";
+ from = "nextcloud.stork@gmail.com";
+ passwordeval = "cat /run/secrets/nextcloud/gmail-password";
+ };
+ };
+}
diff --git a/hosts/proxima/containers/nextcloud/nextcloud.nix b/hosts/proxima/containers/nextcloud/nextcloud.nix
new file mode 100644
index 0000000..2763ed1
--- /dev/null
+++ b/hosts/proxima/containers/nextcloud/nextcloud.nix
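Review bot: `containers.nextcloud` sets `autoStart`, `ephemeral` and the bind mounts but leaves `privateNetwork` at its default, so the container shares the host's network namespace and whatever it binds — the nginx vhost that `./nextcloud.nix` configures for `hostName = "localhost"`, which by default listens on port 80 — sits on the host's own interfaces rather than only behind `tailscale serve`. Whether that is reachable from outside depends on the host firewall, which this patch does not show. If the intent is tailnet-only access, `privateNetwork = true;` (with `hostAddress`/`localAddress`) keeps the web server off the host's interfaces while `tailscale serve` inside the container still reaches it on loopback. The `interfaceName = "userspace-networking"` choice in tailscale.nix suggests the shared namespace may be deliberate; in that case record it above `containers.nextcloud`, e.g. `# shares the host network namespace: the container's nginx on :80 is bound on host interfaces, rely on the host firewall`.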
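Review bot: The tmpfiles rule `d /run/secrets/nextcloud/gmail-password 400 nextcloud nextcloud -` uses the `d` type, which creates or adjusts a directory, but the path is a bind-mounted regular file, so systemd-tmpfiles should report it as already existing and not a directory and apply no ownership change; the same rule for `admin-password` is in nextcloud.nix. The type for an existing path is `z`, yet even that will presumably fail here because the bind mounts in default.nix keep the default `isReadOnly = true`, so a chown inside the container is refused. The robust fix is on the host side where sops materialises the file: give the `sops.secrets` entries an `owner`/`group`/`mode` the container's `nextcloud` user can read (numeric ids must line up unless user namespacing is configured, so `mode = "0440";` with a matching group is the usual shape) and drop the tmpfiles rules. Worth confirming inside the container with `systemd-tmpfiles --create` and `journalctl -u systemd-tmpfiles-setup`, since a silently failing rule would leave `adminpassFile` and `passwordeval` unreadable by the service user.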
@@ -0,0 +1,45 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+{
+ systemd.tmpfiles.rules = [ "d /run/secrets/nextcloud/admin-password 400 nextcloud nextcloud -" ];
+
+ services.postgresql.dataDir = "/data/postgresql";
+
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud29;
+ home = "/data/nextcloud";
+ hostName = "localhost";
+
+ database.createLocally = true;
+ config = {
+ dbtype = "pgsql";
+ adminuser = "admin";
+ adminpassFile = "/run/secrets/nextcloud/admin-password";
+ };
+
+ https = true;
+ settings = {
+ overwriteProtocol = "https";
+ trusted_domains = [ config.networking.fqdn ];
+ log_type = "file";
+ default_phone_region = "DE";
+ maintenance_window_start = "2"; # UTC
+ };
+
+ configureRedis = true;
+ maxUploadSize = "4G";
+ phpOptions."opcache.interned_strings_buffer" = "16";
+
+ autoUpdateApps = {
+ enable = true;
+ startAt = "04:00:00";
+ };
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
+ };
+ };
+}
diff --git a/hosts/proxima/containers/nextcloud/tailscale.nix b/hosts/proxima/containers/nextcloud/tailscale.nix
new file mode 100644
index 0000000..3f26dd4
--- /dev/null
+++ b/hosts/proxima/containers/nextcloud/tailscale.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ services.tailscale = {
+ enable = true;
+ authKeyFile = "/run/secrets/tailscale-auth-key";
+ useRoutingFeatures = "server";
+ interfaceName = "userspace-networking";
+ extraUpFlags = [ "--ssh" ];
+ };
+
+ systemd.services.nextcloud-serve = {
+ after = [
+ "tailscaled.service"
+ "tailscaled-autoconnect.service"
+ ];
+ wants = [ "tailscaled.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "oneshot";
+ script = ''
+ ${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn}
+ ${lib.getExe pkgs.tailscale} serve reset
+ ${lib.getExe pkgs.tailscale} serve --bg 80
+ '';
+ };
+}
diff --git a/hosts/proxima/default.nix b/hosts/proxima/default.nix
index 2daff9a..2ce4d13 100644
--- a/hosts/proxima/default.nix
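Review bot: `settings` no longer carries `trusted_proxies`, although the container is still fronted by a loopback reverse proxy (`tailscale serve --bg 80` in tailscale.nix) and the module this patch deletes had `trusted_proxies = [ "127.0.0.1" ];`. Without it Nextcloud treats 127.0.0.1 as the remote address of every request instead of honouring the client address the proxy forwards, so brute-force protection, rate limiting and the log entries key on the proxy rather than the real client, and one client's failed logins throttle everyone. Restore it next to `overwriteProtocol`: `trusted_proxies = [ "127.0.0.1" ];` (add `"::1"` if serve connects over IPv6 loopback). A one-line comment such as `# tailscale serve proxies from loopback; needed so the real client IP drives brute-force protection` would stop it being dropped again.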
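Review bot: `extraUpFlags = [ "--ssh" ]` enables Tailscale SSH on the container node, an inbound login path into the Nextcloud container (as root, if the tailnet policy allows it) that nothing else in this patch uses — the `nextcloud-serve` oneshot only needs `cert` and `serve`. If it is wanted for maintenance, say so in a comment, e.g. `# --ssh: Tailscale SSH for maintenance; who may log in, and as which user, is decided by the tailnet ssh ACL`, otherwise drop the flag. `useRoutingFeatures = "server"` enables IP forwarding for subnet-router or exit-node duty, and this node advertises neither (the host already does, per `exitNode.enable = true` in hosts/proxima/default.nix), so it can presumably stay at the default. The oneshot has no retry either: if `tailscale cert` runs before the node is authenticated the unit fails once and `serve` is never configured, which is worth a comment or a retry.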
+++ b/hosts/proxima/default.nix
@@ -3,6 +3,8 @@ ../common.nix ./hardware.nix ./disko.nix + + ./containers/nextcloud ]; system.stateVersion = "24.05";
@@ -15,9 +17,5 @@ ssh.enable = true; exitNode.enable = true; }; - nextcloud = { - enable = true; - emailServer.enable = true; - }; }; }
diff --git a/hosts/proxima/secrets.yaml b/hosts/proxima/secrets.yaml
index e7d2c84..da2e705 100644
--- a/hosts/proxima/secrets.yaml
+++ b/hosts/proxima/secrets.yaml
@@ -1,34 +1,34 @@ seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq1/dw7eQq7BuzYMT5O5EAy+5A9ZP3fDaleO5nFXRFvg==,iv:p7Dpq30TZyb20E5TfscycxMiN1XUx66DbNPhwuZkwaA=,tag:V/fc99Zv4xJ6PDxNIWHRew==,type:str] nextcloud: - admin-pass: ENC[AES256_GCM,data:XpJwcxY3QoooM8ZzKlFWXvoexm4ej3qzdgb+KUwF,iv:f8VLb+OO1mC6KWIReuDtUivypG+thns5Z+dToDT42+0=,tag:jr+vvkX2JpNsSgJ4iozzKA==,type:str] - gmail-password: ENC[AES256_GCM,data:lbdSZPEmXx1zU0fdaXHle9by9rk=,iv:SSN379SVvonVQjEpopFe8O6tY30k1l9YxKPB6a+xo6U=,tag:jiWy3b16i0zXTyaOhY+5Vw==,type:str] + admin-password: ENC[AES256_GCM,data:+gNp7oDzLk2gxalEtj8R0FWW3Jwvr1PzWo7+iZj0,iv:zZjwG+Z1KyrZN/i/rSg5LZ0lnQGBhxlAaREgKUCxco8=,tag:kBQjz1ISX5Gh9LeUfO4KdQ==,type:str] + gmail-password: ENC[AES256_GCM,data:lbdSZPEmXx1zU0fdaXHle9by9rk=,iv:SSN379SVvonVQjEpopFe8O6tY30k1l9YxKPB6a+xo6U=,tag:jiWy3b16i0zXTyaOhY+5Vw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU9yQjVQbEFtN3dYVjhN - dTVpaXV2bWEvQXlnVkJ5Z3ZLL2VhV0FhdnpVCmQySzJWL1RnU0xETGxNeGxEeHVy - K2JPSmtteXA3SHg4SHcwTWxRUVlDUnMKLS0tIGhlTXE3ZVdkQzdNV1RjQy85b3gw - U2xiejFuVzZKRFJkcVRhWGpXUDNSeW8KHdBFwQb0JItYgkZ7mDo3agTnDr3Ii8j6 - 9LdLwahPwqScGbEONp8A1yzyTEabCiI5Hl9+ptKJoGlJK/lzfrCfsw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tm9tcVdHcVRpTmw2L0Qy - UWtjMG5uMUlodElDZ2cyZ3Q0NHQ4OGdFV1ZnCjF1RS9XaEltOHAzYmxUcHNLcVk4 - bHBpYUs3SzJlamI2dFozLzV6NThaRVEKLS0tIHN3YmJQNjhWaThPL1JmeUI5NlRT - 
aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo - FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-25T20:49:58Z" - mac: ENC[AES256_GCM,data:g/rGVy6BgrHXNWg2ivjLZ8JPvS2T/JedZo4rxsBQncQvnM/xYg5Ncm5VmYLF5YUOsWQhaOwKaTm1elJ0fJWslya+gMG72X4A0izWi/xnUq0YlA6jSrFIAqhq6MqlKTbwkl9QOuppylNezr5DoipTrpKFlexF/z8WQvqO3W8DbSA=,iv:3sWTqijBkdRHGwDoj9GtpAtEa+KwBdChOffvzccf04E=,tag:eoNckfFE+6nT3vGOIIdSqA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.0 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU9yQjVQbEFtN3dYVjhN + dTVpaXV2bWEvQXlnVkJ5Z3ZLL2VhV0FhdnpVCmQySzJWL1RnU0xETGxNeGxEeHVy + K2JPSmtteXA3SHg4SHcwTWxRUVlDUnMKLS0tIGhlTXE3ZVdkQzdNV1RjQy85b3gw + U2xiejFuVzZKRFJkcVRhWGpXUDNSeW8KHdBFwQb0JItYgkZ7mDo3agTnDr3Ii8j6 + 9LdLwahPwqScGbEONp8A1yzyTEabCiI5Hl9+ptKJoGlJK/lzfrCfsw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tm9tcVdHcVRpTmw2L0Qy + UWtjMG5uMUlodElDZ2cyZ3Q0NHQ4OGdFV1ZnCjF1RS9XaEltOHAzYmxUcHNLcVk4 + bHBpYUs3SzJlamI2dFozLzV6NThaRVEKLS0tIHN3YmJQNjhWaThPL1JmeUI5NlRT + aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo + FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-29T13:58:05Z" + mac: ENC[AES256_GCM,data:E1zrsHL+mVaX6mVuPVw793e5/epoRV06nMguU7CT3v9yeDJ4ftO3dwqBChsR2xcISeIuTMc7W72GS57UMhrY08q/jwAKnR7WiPt6/6iK3TLyAKdOj9q/B8FYVuRu+T5cN5CY7cNE0EK+KAVXUcfNi6KAzt1Mow39cgjfddTMdA4=,iv:+GaMKNQaI4mtg0E5b0Ua0c7+K66/9cIUNkWFTxG6gzY=,tag:NnmL6HKv9J3RuqwH01UyNA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/modules/system/nextcloud/default.nix b/modules/system/nextcloud/default.nix
deleted file mode 100644
index 5197b08..0000000
--- a/modules/system/nextcloud/default.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-{
- options.myConfig.nextcloud.enable = lib.mkEnableOption "";
-
- config = lib.mkIf config.myConfig.nextcloud.enable {
- sops.secrets."nextcloud/admin-pass" = {
- owner = config.services.nextcloud.config.dbname;
- group = config.services.nextcloud.config.dbuser;
- };
-
- services = {
- nextcloud = {
- enable = true;
- package = pkgs.nextcloud29;
- home = "/data/nextcloud";
- hostName = config.networking.fqdn;
- configureRedis = true;
- maxUploadSize = "4G";
-
- database.createLocally = true;
- config = {
- dbtype = "pgsql";
- adminuser = "admin";
- adminpassFile = config.sops.secrets."nextcloud/admin-pass".path;
- };
-
- https = true;
- settings = {
- overwriteProtocol = "https";
- trusted_proxies = [ "127.0.0.1" ];
- log_type = "file";
- default_phone_region = "DE";
- maintenance_window_start = "2"; # UTC
- };
-
- phpOptions."opcache.interned_strings_buffer" = "16";
-
- autoUpdateApps = {
- enable = true;
- startAt = "04:00:00";
- };
- extraApps = {
- inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
- };
- };
-
- nginx = {
- enable = true;
- virtualHosts.${config.services.nextcloud.hostName}.listen = [
- {
- addr = "0.0.0.0";
- port = 8080;
- }
- ];
- };
-
- tailscale.permitCertUid = "caddy";
- caddy = {
- enable = true;
- virtualHosts.${config.services.nextcloud.hostName}.extraConfig = ''
- reverse_proxy localhost:8080
- '';
- };
- };
- };
-}
diff --git a/modules/system/nextcloud/email-server.nix b/modules/system/nextcloud/email-server.nix
deleted file mode 100644
index 3d71df9..0000000
--- a/modules/system/nextcloud/email-server.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, lib, ... }:
-{
- options.myConfig.nextcloud.emailServer.enable = lib.mkEnableOption "";
-
- config = lib.mkIf config.myConfig.nextcloud.emailServer.enable {
- sops.secrets."nextcloud/gmail-password" = {
- owner = config.services.nextcloud.config.dbname;
- group = config.services.nextcloud.config.dbuser;
- };
-
- programs.msmtp = {
- enable = true;
- accounts.default = {
- auth = true;
- tls = true;
- host = "smtp.gmail.com";
- port = "587";
- user = "nextcloud.stork";
- from = "nextcloud.stork@gmail.com";
- passwordeval = "cat ${config.sops.secrets."nextcloud/gmail-password".path}";
- };
- };
-
- services.nextcloud.settings = {
- mail_smtpmode = "sendmail";
- mail_sendmailmode = "pipe";
- };
- };
-}