set up nextcloud and sops-nix
This commit is contained in:
parent
0a8637a087
commit
6c526718cb
4 changed files with 161 additions and 7 deletions
|
|
@ -1,4 +1,4 @@
|
|||
{ hostName, config, lib, ... }:
|
||||
{ hostName, inputs, config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
|
@ -12,6 +12,8 @@
|
|||
|
||||
../../modules/nixos/bash.nix
|
||||
../../modules/nixos/tailscale.nix
|
||||
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
];
|
||||
|
||||
fileSystems = {
|
||||
|
|
@ -49,13 +51,50 @@
|
|||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
|
||||
defaultSopsFormat = "yaml";
|
||||
validateSopsFiles = false;
|
||||
|
||||
age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||
|
||||
secrets = {
|
||||
"caddy/wo2wz.fyi.crt" = {
|
||||
owner = "caddy";
|
||||
group = "caddy";
|
||||
reloadUnits = [ "caddy.service" ];
|
||||
};
|
||||
"caddy/wo2wz.fyi.key" = {
|
||||
owner = "caddy";
|
||||
group = "caddy";
|
||||
reloadUnits = [ "caddy.service" ];
|
||||
};
|
||||
|
||||
"cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
|
||||
|
||||
"nextcloud/adminpass" = {};
|
||||
|
||||
"vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
|
||||
|
||||
"zipline/secrets.env".restartUnits = [ "zipline.service" ];
|
||||
};
|
||||
};
|
||||
|
||||
users.users.caddy.extraGroups = [ "nextcloud" ];
|
||||
|
||||
services = {
|
||||
scx.scheduler = lib.mkForce "scx_rusty";
|
||||
|
||||
# for cloudflare browser ssh
|
||||
openssh.settings.Macs = [
|
||||
"hmac-sha2-512"
|
||||
"hmac-sha2-256"
|
||||
];
|
||||
|
||||
cloudflared = {
|
||||
enable = true;
|
||||
tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
|
||||
credentialsFile = "/etc/cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json";
|
||||
credentialsFile = config.sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json".path;
|
||||
default = "http_status:418";
|
||||
};
|
||||
};
|
||||
|
|
@ -81,6 +120,17 @@
|
|||
reverse_proxy localhost:8000
|
||||
'';
|
||||
|
||||
"wo2wz.fyi".extraConfig = ''
|
||||
encode
|
||||
|
||||
header {
|
||||
X-Robots-Tag "noindex, nofollow"
|
||||
-Server
|
||||
}
|
||||
|
||||
respond "not much to see here"
|
||||
'';
|
||||
|
||||
"zipline.wo2wz.fyi".extraConfig = ''
|
||||
encode
|
||||
|
||||
|
|
@ -92,20 +142,43 @@
|
|||
}
|
||||
|
||||
# use cloudflare origin certs for https
|
||||
tls /var/secrets/caddy/wo2wz.fyi.crt /var/secrets/caddy/wo2wz.fyi.key
|
||||
tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
|
||||
|
||||
reverse_proxy localhost:3000
|
||||
'';
|
||||
|
||||
"wo2wz.fyi".extraConfig = ''
|
||||
"nextcloud.wo2wz.fyi".extraConfig = ''
|
||||
encode
|
||||
|
||||
tls ${config.sops.secrets."caddy/wo2wz.fyi.crt".path} ${config.sops.secrets."caddy/wo2wz.fyi.key".path}
|
||||
|
||||
header {
|
||||
X-Robots-Tag "noindex, nofollow"
|
||||
-Server
|
||||
}
|
||||
|
||||
respond "not much to see here"
|
||||
root ${config.services.nginx.virtualHosts."localhost:8001".root}
|
||||
file_server
|
||||
|
||||
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket}
|
||||
|
||||
redir /.well-known/carddav /remote.php/dav 301
|
||||
redir /.well-known/caldav /remote.php/dav 301
|
||||
redir /.well-known/webfinger /index.php/webfinger 301
|
||||
redir /.well-known/nodeinfo /index.php/nodeinfo 301
|
||||
redir /.well-known/* /index.php{uri} 301
|
||||
redir /remote/* /remote.php{uri} 301
|
||||
|
||||
@forbidden {
|
||||
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
|
||||
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
|
||||
not path /.well-known/*
|
||||
}
|
||||
respond @forbidden 403
|
||||
|
||||
# make .mjs javascript work for the functionality of some buttons/apps
|
||||
@mjs path *.mjs
|
||||
header @mjs Content-Type application/javascript
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -120,7 +193,7 @@
|
|||
|
||||
SIGNUPS_ALLOWED = false;
|
||||
};
|
||||
environmentFile = "/var/secrets/vaultwarden/secrets.env";
|
||||
environmentFile = config.sops.secrets."vaultwarden/secrets.env".path;
|
||||
};
|
||||
|
||||
zipline = {
|
||||
|
|
@ -129,7 +202,32 @@
|
|||
FEATURES_VERSION_CHECKING = "false";
|
||||
FEATURES_THUMBNAILS_NUM_THREADS = 2;
|
||||
};
|
||||
environmentFiles = [ "/var/secrets/zipline/secrets.env" ];
|
||||
environmentFiles = [ config.sops.secrets."zipline/secrets.env".path ];
|
||||
};
|
||||
|
||||
nginx.enable = false;
|
||||
phpfpm.pools.nextcloud.settings = {
|
||||
"listen.owner" = "caddy";
|
||||
"listen.group" = "caddy";
|
||||
};
|
||||
nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud31;
|
||||
hostName = "localhost:8001";
|
||||
config = {
|
||||
adminuser = "wo2w";
|
||||
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||
dbtype = "sqlite";
|
||||
};
|
||||
settings = {
|
||||
trusted_domains = [ "nextcloud.wo2wz.fyi" ];
|
||||
trusted_proxies = [ "127.0.0.1" ];
|
||||
};
|
||||
|
||||
maxUploadSize = "200G";
|
||||
extraApps = {
|
||||
inherit (config.services.nextcloud.package.packages.apps) calendar tasks deck twofactor_webauthn;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue