cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

feat(nextcloud): tweaks to nextcloud

Browse Source
This commit is contained in:
cnst
2025-09-20 12:31:12 +02:00
parent 2e1d28450b
commit c63daec95c
10 changed files with 184 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/sobotka/default.nix
View File

@@ -3,11 +3,9 @@
config, config,
pkgs, pkgs,
... ...
}: }: let
let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in in {
{
users.users.cnst = { users.users.cnst = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.fish; shell = pkgs.fish;
@@ -51,8 +49,7 @@ in
./server.nix ./server.nix
]; ];
boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device = boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device = "/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
"/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
networking = { networking = {
hostName = "sobotka"; hostName = "sobotka";
@@ -69,8 +66,8 @@ in
]; ];
boot = { boot = {
supportedFilesystems = [ "zfs" ]; supportedFilesystems = ["zfs"];
zfs.extraPools = [ "data" ]; zfs.extraPools = ["data"];
}; };
services.zfs = { services.zfs = {
@@ -78,6 +75,8 @@ in
autoScrub.enable = true; autoScrub.enable = true;
}; };
environment.etc."nextcloud-admin-pass".text = "DeHKor3x8^eqqnBXjqhQ&QBl*3!sOLg8agfzOILihju#^0!2AfJ9W*vn";
environment.variables.NH_FLAKE = "/home/cnst/.nix-config"; environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
# # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion

9
hosts/sobotka/server.nix
View File

@@ -3,6 +3,7 @@
enable = true; enable = true;
email = "adam@cnst.dev"; email = "adam@cnst.dev";
domain = "cnix.dev"; domain = "cnix.dev";
domainPublic = "cnst.dev";
user = "share"; user = "share";
group = "share"; group = "share";
uid = 994; uid = 994;
@@ -61,12 +62,12 @@
credentialsFile = config.age.secrets.vaultwardenCloudflared.path; credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
}; };
}; };
ocis = { nextcloud = {
enable = true; enable = true;
url = "cloud.cnst.dev"; adminpassFile = config.age.secrets.nextcloudAdminPass.path;
cloudflared = { cloudflared = {
tunnelId = "8871dad0-e6ff-424c-9a6b-222ef0f492df"; tunnelId = "35802b60-7012-4f70-a686-f493c8f2dec0";
credentialsFile = config.age.secrets.ocisCloudflared.path; credentialsFile = config.age.secrets.nextcloudCloudflared.path;
}; };
}; };
fail2ban = { fail2ban = {

2
modules/nixos/services/agenix/default.nix
View File

@@ -77,7 +77,7 @@ in {
keycloakCloudflared.file = "${self}/secrets/keycloakCloudflared.age"; keycloakCloudflared.file = "${self}/secrets/keycloakCloudflared.age";
keycloakDbPasswordFile.file = "${self}/secrets/keycloakDbPasswordFile.age"; keycloakDbPasswordFile.file = "${self}/secrets/keycloakDbPasswordFile.age";
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age"; nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
ocisCloudflared.file = "${self}/secrets/ocisCloudflared.age"; nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age"; vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age"; vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
homepageEnvironment.file = "${self}/secrets/homepageEnvironment.age"; homepageEnvironment.file = "${self}/secrets/homepageEnvironment.age";

21
modules/server/caddy/default.nix
View File

@@ -39,6 +39,16 @@ in {
group = config.services.caddy.group; group = config.services.caddy.group;
environmentFile = getCloudflareCredentials config.networking.hostName; environmentFile = getCloudflareCredentials config.networking.hostName;
}; };
certs.${config.server.domainPublic} = {
reloadServices = ["caddy.service"];
domain = "${config.server.domainPublic}";
extraDomainNames = ["*.${config.server.domainPublic}"];
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true;
group = config.services.caddy.group;
environmentFile = getCloudflareCredentials config.networking.hostName;
};
}; };
services.caddy = { services.caddy = {
@@ -57,6 +67,17 @@ in {
redir https://{host}{uri} redir https://{host}{uri}
''; '';
}; };
"http://${config.server.domainPublic}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
"http://*.${config.server.domainPublic}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
}; };
}; };
}; };

29
modules/server/default.nix
View File

@@ -1,14 +1,16 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }: let
let hardDrives = [
"/dev/disk/by-label/data"
];
inherit (lib) mkOption types; inherit (lib) mkOption types;
cfg = config.server; cfg = config.server;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in in {
{
options.server = { options.server = {
enable = lib.mkEnableOption "The server services and configuration variables"; enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption { email = mkOption {
@@ -25,6 +27,13 @@ in
Domain name to be used to access the server services via Caddy reverse proxy Domain name to be used to access the server services via Caddy reverse proxy
''; '';
}; };
domainPublic = mkOption {
default = "";
type = types.str;
description = ''
Public domain name to be used to access the server services via Caddy reverse proxy
'';
};
user = lib.mkOption { user = lib.mkOption {
default = "share"; default = "share";
type = lib.types.str; type = lib.types.str;
@@ -93,5 +102,17 @@ in
]; ];
}; };
}; };
systemd.services.hd-idle = {
description = "External HD spin down daemon";
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
ExecStart = let
idleTime = toString 900;
hardDriveParameter = lib.strings.concatMapStringsSep " " (x: "-a ${x} -i ${idleTime}") hardDrives;
in "${pkgs.hd-idle}/bin/hd-idle -i 0 ${hardDriveParameter}";
};
};
}; };
} }

170
modules/server/nextcloud/default.nix
View File

@@ -4,7 +4,7 @@
lib, lib,
... ...
}: let }: let
unit = "ocis"; unit = "nextcloud";
cfg = config.server.${unit}; cfg = config.server.${unit};
srv = config.server; srv = config.server;
in { in {
@@ -12,24 +12,24 @@ in {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };
adminUser = lib.mkOption { adminpassFile = lib.mkOption {
type = lib.types.path;
};
adminuser = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "cnst"; default = "cnst";
}; };
adminPass = lib.mkOption {
type = lib.types.path;
};
configDir = lib.mkOption { configDir = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/var/lib/${unit}"; default = "/var/lib/${unit}";
}; };
url = lib.mkOption { url = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "cloud.${srv.domain}"; default = "cloud.${srv.domainPublic}";
}; };
homepage.name = lib.mkOption { homepage.name = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "OCIS"; default = "Nextcloud";
}; };
homepage.description = lib.mkOption { homepage.description = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -37,14 +37,13 @@ in {
}; };
homepage.icon = lib.mkOption { homepage.icon = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "owncloud.svg"; default = "nextcloud.svg";
}; };
homepage.category = lib.mkOption { homepage.category = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "Services"; default = "Services";
}; };
cloudflared = { cloudflared.credentialsFile = lib.mkOption {
credentialsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
example = lib.literalExpression '' example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" ''' pkgs.writeText "cloudflare-credentials.json" '''
@@ -52,103 +51,100 @@ in {
''' '''
''; '';
}; };
tunnelId = lib.mkOption { cloudflared.tunnelId = lib.mkOption {
type = lib.types.str; type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000"; example = "00000000-0000-0000-0000-000000000000";
}; };
}; };
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
server = { services.nginx.virtualHosts."nextcloud".listen = [
postgresql.databases = [
{ {
database = "ocis"; addr = "127.0.0.1";
port = 8083;
} }
]; ];
fail2ban = lib.mkIf config.server.fail2ban.enable { services.cloudflared = {
jails = {
nextcloud = {
serviceName = "phpfm-nextcloud";
failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
};
};
};
};
systemd.services.ocis.preStart = ''
${lib.getExe pkgs.ocis} init || true
'';
services = {
cloudflared = {
enable = true; enable = true;
tunnels.${cfg.cloudflared.tunnelId} = { tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile; credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404"; default = "http_status:404";
ingress."${cfg.url}".service = "http://${config.services.ocis.address}:${toString config.services.ocis.port}"; ingress."${cfg.url}".service = "http://127.0.0.1:8083";
}; };
}; };
${unit} = {
server.fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
nextcloud = {
serviceName = "phpfpm-nextcloud";
failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
};
};
};
services.${unit} = {
enable = true; enable = true;
url = "https://${cfg.url}"; package = pkgs.nextcloud31;
environment = let hostName = "nextcloud";
cspFormat = pkgs.formats.yaml {}; configureRedis = true;
cspConfig = { caching = {
directives = { redis = true;
child-src = ["'self'"]; };
connect-src = [ occ = {
"'self'" maintenance = "install";
"blob:" };
"https://${srv.keycloak.url}" database.createLocally = true;
maxUploadSize = "50G";
settings = {
trusted_proxies = ["127.0.0.1"];
trusted_domains = ["cloud.${srv.domainPublic}" "192.168.88.14"];
overwriteprotocol = "https";
overwritehost = "cloud.${srv.domainPublic}";
overwrite.cli.url = "https://cloud.${srv.domainPublic}";
# mail_smtpmode = "sendmail";
# mail_sendmailmode = "pipe";
# user_oidc = {
# allow_multiple_user_backends = 0;
# };
forwarded_for_headers = [
"HTTP_CF_CONNECTING_IP"
]; ];
default-src = ["'none'"]; enabledPreviewProviders = [
font-src = ["'self'"]; "OC\\Preview\\BMP"
frame-ancestors = ["'none'"]; "OC\\Preview\\GIF"
frame-src = [ "OC\\Preview\\JPEG"
"'self'" "OC\\Preview\\Krita"
"blob:" "OC\\Preview\\MarkDown"
"https://embed.diagrams.net" "OC\\Preview\\MP3"
]; "OC\\Preview\\OpenDocument"
img-src = [ "OC\\Preview\\PNG"
"'self'" "OC\\Preview\\TXT"
"data:" "OC\\Preview\\XBitmap"
"blob:" "OC\\Preview\\HEIC"
];
manifest-src = ["'self'"];
media-src = ["'self'"];
object-src = [
"'self'"
"blob:"
];
script-src = [
"'self'"
"'unsafe-inline'"
];
style-src = [
"'self'"
"'unsafe-inline'"
]; ];
}; };
}; config = {
in { dbtype = "pgsql";
PROXY_AUTOPROVISION_ACCOUNTS = "true"; dbuser = "nextcloud";
PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc"; dbhost = "/run/postgresql";
OCIS_OIDC_ISSUER = "https://${srv.keycloak.url}/realms/ownCloud"; dbname = "nextcloud";
PROXY_OIDC_REWRITE_WELLKNOWN = "true"; adminuser = "cnst";
WEB_OIDC_CLIENT_ID = "ocis"; adminpassFile = cfg.adminpassFile;
OCIS_LOG_LEVEL = "error";
PROXY_TLS = "false";
PROXY_USER_OIDC_CLAIM = "preferred_username";
PROXY_USER_CS3_CLAIM = "username";
OCIS_ADMIN_USER_ID = "";
OCIS_INSECURE = "false";
OCIS_EXCLUDE_RUN_SERVICES = "idp";
GRAPH_ASSIGN_DEFAULT_USER_ROLE = "false";
PROXY_CSP_CONFIG_FILE_LOCATION = toString (cspFormat.generate "csp.yaml" cspConfig);
GRAPH_USERNAME_MATCH = "none";
PROXY_ROLE_ASSIGNMENT_ENABLED = "true";
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM = "realm_access.roles";
PROXY_ROLE_ASSIGNMENT_MAPPING = "ocisAdmin:admin,ocisUser:user";
}; };
}; };
services.caddy.virtualHosts."${srv.domainPublic}" = {
useACMEHost = srv.domainPublic;
extraConfig = ''
reverse_proxy http://127.0.0.1:8083
'';
};
server.postgresql.databases = [
{
database = "nextcloud";
}
];
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
}; };
}; };
} }

20
secrets/nextcloudAdminPass.age
View File

@@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 t9iOEg PQ9P0XIzZ/u/gSgdOlfQXFVW1GemJxDaVCtqJkBYsBY -> ssh-ed25519 t9iOEg 5z2kiVAol78mM42O1Jf9ndeBwElB0x4BectRt+R8GkM
KOw543xyHFcTzkCyOAB40bbArhQW+cGPySfFB4ceMn4 gE89nfzfPZ7dcQDG57xdJAcrq565V+rbWDUEtNuBEwA
-> ssh-ed25519 KUYMFA GdUikncmoMYip/ASuwLKXwv+Wa3qyfT/CBjQxaptIRY -> ssh-ed25519 KUYMFA 7aaMHpHzTC3U/7zol+LWE5IXrXm98ORcQpXkC3SNBBw
vnHv5sJVDcce02IaKwPFefNzIzvlwgIKi1ZVo+2tq+0 i4cyBlQrGmPiosCaCjv/7GUUikP2c/I8tA93Qz0o3cI
-> ssh-ed25519 76RhUQ xLBZfVIBGSuEqGlV8ny+uDhDnHZrHv0b7PVOCyiFdRs -> ssh-ed25519 76RhUQ 7Jppe6oBvuXqxoB4LNU+725b6ZeopHxgXq3WWDZlbhg
gK3tkiaZmHBTpwYImlftYgcyNc7k6kRl1dyOaEN/zls f+8GtX9dsCrnQ+kN0Swhq5LLNZrlzEVYJhwn+oN7yG8
-> ssh-ed25519 Jf8sqw YFwHA8v2BZvppparLQ1ts75lBCuS1exwNbLt4vRLuQY -> ssh-ed25519 Jf8sqw qBlvp6ZCHVkr37lfE+HrBNNEGcqQ8++GbMYBKhpr1Dk
qV/PXIouLPAx0amjeeS8aQx3tqgG7VqHhSjqIu+kOF4 9CoVJgvPZyIQOdTOFQWMotZaohFUmt953pivSVx6C9Q
--- SAbSjt7w+XOwUQI+1saRnttNRuC9NOUvQXWu/+MdLn0 --- ZSaeUcQ9T8TdcDXXNOWgTRAAG5+lRsl4sOFIOYgMISQ
3<EFBFBD>U<EFBFBD>\'<27><>UUK<>UQ<55>g<EFBFBD><67>k<><6B><EFBFBD>"P<>R<EFBFBD>L<EFBFBD>'r<>*<1B>rA<72><41>c<EFBFBD>Oy{%A<><41><EFBFBD>bL<62>KM9<4D>'<27> Ua<55><61>`<60><><1A>'<27>^n<02>eP<65>=<3D><12>b<EFBFBD><62><EFBFBD>><3E><>~<7E>ؑ RV<52><05><><EFBFBD>n<05>g0Z<30><5A><EFBFBD><EFBFBD><EFBFBD>E<EFBFBD><45><EFBFBD>k<1E><1D><1C><>ml<6D>w<08>`<60>ҝ<EFBFBD><D29D><EFBFBD> <20>/<2F>x<EFBFBD><78>~

11
secrets/nextcloudCloudflared.age Normal file
View File

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg tCTVBy/ZypZ8DjzMhp6MsG0OUSmY/Z7nprs6OgMXiRs
GXMwQ7THAvuh9SpM12ck84R86Qvs+Db62ybohItDloE
-> ssh-ed25519 KUYMFA EwdbsocHYlzEJ2JLiI6oD6wkhaN+llPghPuO50oNLmY
NYQmMaeBM511yQeeEczVEW9Hx6y8/5NiQJ4PGtytBlw
-> ssh-ed25519 76RhUQ 3zs9rA1RoMUahExIGTBXV6i815jrK9UDrh6ZKi4gXQk
lWRnELDu+qd+MHBnYoSkBZblJoNcBXIeIW7phdZb7fg
-> ssh-ed25519 Jf8sqw zDqvIhlZ5TMP5l4Ymc0VUccb0EZHu6nzT0zAz0n/yiA
2C6PIEpv7dsDV7u87B991XRHIDcYRIfi60cvHK0Bkgo
--- TzhNfeAGrl1ggKFbSWgQw+R0xpKU+VOod/iEJlgLPOA
uGe<47><65><EFBFBD>R H<10><><EFBFBD>=<3D><>of<6F>|t'e <09>L뉱l<EB89B1>w<1D><><EFBFBD>fMG"<22><>}@\<5C>e *R<>7j<37>%<25><><EFBFBD>=?<3F><>v<EFBFBD>%i<><10>\<5C><>'<27><><03>0Qyj <04><>8<><38><EFBFBD><EFBFBD>x<EFBFBD>yj<79><04><><05>&EB<45>T<EFBFBD>ɥ#<23>H<EFBFBD><48>u<EFBFBD>E%5uLҐy<D290>Ć5<C486><35>K<EFBFBD>><3E>t<><03><><EFBFBD><EFBFBD>0<EFBFBD><30><EFBFBD><EFBFBD><EFBFBD>0 <0C>q<EFBFBD>V ŵ>_j<5F>U<EFBFBD>D<><1A><><EFBFBD>JWꂿ<0F>>@<40><><EFBFBD><EFBFBD>w :<3A><>CJEb,5U

11
secrets/ocisCloudflared.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg v2avJ6U6RgP+ZxIa1QzzqxB48cslbdB0TlDlcz4F0RE
JTyOfbyFWOh9Br07l2SZpDH/2xk5+Cnz3BEl+1DdQdA
-> ssh-ed25519 KUYMFA pGewUt3eOluT+v/+Yuf8zsuQtZVRSbYQPVw6CkbrOUk
H3G8Gxug7dww1fkfpuErLCndsD0HHcEQkndIkkZaW4I
-> ssh-ed25519 76RhUQ o0kqSfuXPVvPGk3snfUGdAZqJG1I5KOhbEK21XUcCXs
ZKFxlayTAQptEgfNdPawCB1EYSphO6CzgVOxP56n71U
-> ssh-ed25519 Jf8sqw uor01IOxnc3p9iRi2019HjkZzs1ph9G+oiYIPKrXb3A
Q2uxuYsSmMc3N2g7IQ/87YHXNdcgF2MpIz8P53kPBSs
--- 3JvyOSSYzDA6OPnYq45RUKdgGE6EgzkP1kDyu1nRbww
`<60>l<EFBFBD>0<EFBFBD>n˵ 8y<10><>i<EFBFBD>ĕKn<4B><6E>P&G<><47><EFBFBD><EFBFBD><EFBFBD>2<EFBFBD>O <0C><15>`Yw<59>H<EFBFBD>+:<3A><>(q<18><>po<70><6F><EFBFBD>A<>|<7C>͸dz<64>g<EFBFBD><67> <0C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <0B><><EFBFBD>\K<><4B><EFBFBD>h<EFBFBD><68>/<2F><07>+2hq1x6g<36>ǒ<EFBFBD>5<EFBFBD><35>6Fz<46><17><><19>$Z<><5A><EFBFBD>28<32>ߏ<EFBFBD>U<EFBFBD>f<EFBFBD><66>OQ<4F><51>[<5B>8ua<75>А<EFBFBD><D090>uo-<2D><><EFBFBD>:<3A>&<26><><EFBFBD>P<EFBFBD><50> <14><> <20>49Q?b<08>li<6C><69><EFBFBD>f-Ox<4F><78>s<EFBFBD><73><EFBFBD>j<EFBFBD>USf[

4
secrets/secrets.nix
View File

@@ -42,8 +42,8 @@ in {
"vaultwardenCloudflared.age".publicKeys = core ++ sobotka; "vaultwardenCloudflared.age".publicKeys = core ++ sobotka;
"keycloakDbPasswordFile.age".publicKeys = core ++ sobotka; "keycloakDbPasswordFile.age".publicKeys = core ++ sobotka;
"keycloakCloudflared.age".publicKeys = core ++ sobotka; "keycloakCloudflared.age".publicKeys = core ++ sobotka;
"ocisCloudflared.age".publicKeys = core ++ sobotka; "nextcloudCloudflared.age".publicKeys = core ++ sobotka;
"ocisAdminPass.age".publicKeys = core ++ sobotka; "nextcloudAdminPass.age".publicKeys = core ++ sobotka;
"cloudflareDnsApiToken.age".publicKeys = core ++ sobotka; "cloudflareDnsApiToken.age".publicKeys = core ++ sobotka;
"cloudflareDnsCredentials.age".publicKeys = core ++ sobotka; "cloudflareDnsCredentials.age".publicKeys = core ++ sobotka;
"wgCredentials.age".publicKeys = core ++ sobotka; "wgCredentials.age".publicKeys = core ++ sobotka;