diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix
index a6fdd59..d890846 100644
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -16,12 +16,24 @@ in
   my = {
     utils.commons.enable = true;
-    services.media-mgr = {
-      proxy = {
-        enable = true;
-        domain = "tegola.pro";
-        host = "arr.internal";
+    services = {
+
+      media-mgr = {
+        proxy = {
+          enable = true;
+          domain = "tegola.pro";
+          host = "arr.internal";
+        };
       };
+
+      nextcloud = {
+        proxy = {
+          enable = true;
+          domain = "tegola.pro";
+          host = "nextcloud.internal";
+        };
+      };
+
     };
     monitoring = {
diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix
new file mode 100644
index 0000000..912aba6
--- /dev/null
+++ b/hosts/nextcloud/default.nix
@@ -0,0 +1,34 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  my = {
+    utils.commons.enable = true;
+
+    services.nextcloud = {
+      enable = true;
+      proxy.domain = "tegola.pro";
+    };
+
+    virtualisation.proxmox.enable = true;
+  };
+
+  time.timeZone = "Europe/Rome";
+
+  # Extra packages
+  environment.systemPackages = with pkgs; [ ];
+
+  services = {
+    openssh.enable = true;
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [ 80 ];
+    nameservers = [ "192.168.1.2" ];
+  };
+
+  system.stateVersion = "24.05";
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index fcdf778..21fc177 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,6 +1,6 @@
 {
   imports = [
     ./media-mgr.nix
-    ./nextcloud-podman.nix
+    ./nextcloud.nix
   ];
 }
diff --git a/modules/services/nextcloud-podman.nix b/modules/services/nextcloud-podman.nix
deleted file mode 100644
index b677258..0000000
--- a/modules/services/nextcloud-podman.nix
+++ /dev/null
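Review bot: `firewall.allowedTCPPorts = [ 80 ]` in hosts/nextcloud/default.nix opens only port 80, but the nextcloud module this host enables also starts the OnlyOffice document server, and the Caddy entry in modules/services/nextcloud.nix proxies directly to `http://${host}:${config.services.onlyoffice.port}` on this machine; unless the module opens that port itself, which I do not see in this diff, the firewall will drop those connections. `firewall.allowedTCPPorts = [ 80 config.services.onlyoffice.port ];` keeps the firewall and the proxy target in sync instead of hard-coding a second number. A short comment next to `nameservers = [ "192.168.1.2" ]` naming what that resolver is would help the next reader, since the same address does not appear anywhere else in the change.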
@@ -1,22 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.my.services.nextcloud-pd;
-in
-{
-  options.my.services.nextcloud-pd = {
-    enable = lib.mkEnableOption "Enable Nextcloud module";
-  };
-
-  config = lib.mkIf cfg.enable {
-    my.virtualisation.podman.enable = true;
-
-    virtualisation.oci-containers.containers = { };
-
-  };
-
-}
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
new file mode 100644
index 0000000..5c3e3bc
--- /dev/null
+++ b/modules/services/nextcloud.nix
@@ -0,0 +1,155 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.services.nextcloud;
+in
+{
+
+  options.my.services.nextcloud = {
+    enable = lib.mkEnableOption "Enable Nextcloud module";
+
+    proxy = {
+      enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+      domain = lib.mkOption {
+        default = "example.com";
+        type = lib.types.str;
+        description = ''
+          The domain where Caddy is reachable
+        '';
+      };
+
+      host = lib.mkOption {
+        default = "localhost";
+        type = lib.types.str;
+        description = ''
+          host name where the download manager stack is running
+        '';
+      };
+
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+
+      age.secrets = {
+        nextcloud-admin-pwd = {
+          file = ../../secrets/nextcloud-admin-pwd.age;
+          owner = "nextcloud";
+          group = "nextcloud";
+          mode = "770";
+        };
+      };
+
+      services = {
+
+        nextcloud = {
+          enable = true;
+          package = pkgs.nextcloud30;
+          hostName = "cloud.${cfg.proxy.domain}";
+          https = true;
+          nginx.recommendedHttpHeaders = true;
+
+          settings = {
+            overwriteProtocol = "https";
+            defaultPhoneRegion = "IT";
+            trusted_proxies = [ "192.168.1.150" ];
+            trusted_domains = [ "cloud.${cfg.proxy.domain}" ];
+            enabledPreviewProviders = [
+              "OC\\Preview\\BMP"
+              "OC\\Preview\\GIF"
+              "OC\\Preview\\JPEG"
+              "OC\\Preview\\Krita"
+              "OC\\Preview\\MarkDown"
+              "OC\\Preview\\MP3"
+              "OC\\Preview\\OpenDocument"
+              "OC\\Preview\\PNG"
+              "OC\\Preview\\TXT"
+              "OC\\Preview\\XBitmap"
+              "OC\\Preview\\HEIC"
+              "OC\\Preview\\Movie"
+            ];
+          };
+
+          config = {
+            dbtype = "pgsql";
+            adminuser = "admin";
+            adminpassFile = config.age.secrets.nextcloud-admin-pwd.path;
+          };
+
+          # Let NixOS install and configure the database automatically.
+          database.createLocally = true;
+
+          # Let NixOS install and configure Redis caching automatically.
+          configureRedis = true;
+
+          # Increase the maximum file upload size to avoid problems uploading videos.
+          maxUploadSize = "16G";
+
+          # Instead of using pkgs.nextcloudXXPackages.apps,
+          # we'll reference the package version specified above
+          autoUpdateApps.enable = true;
+          extraAppsEnable = true;
+          extraApps = {
+            inherit (config.services.nextcloud.package.packages.apps)
+              contacts
+              calendar
+              cookbook
+              cospend
+              memories
+              tasks
+              onlyoffice
+              # twofactor_totp
+              user_oidc
+              ;
+          };
+
+        };
+
+        onlyoffice = {
+          enable = true;
+          hostname = "onlyoffice.${cfg.proxy.domain}";
+        };
+
+        nginx.virtualHosts = {
+          ${config.services.nextcloud.hostName} = {
+            forceSSL = false;
+            enableACME = false;
+          };
+        };
+
+      };
+
+      environment.systemPackages = with pkgs; [
+        exiftool
+        ffmpeg
+      ];
+
+      systemd.services."nextcloud-setup" = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.service" ];
+      };
+
+    })
+
+    (lib.mkIf cfg.proxy.enable {
+      services.caddy = with cfg.proxy; {
+        virtualHosts."cloud.${domain}".extraConfig = ''
+          reverse_proxy http://${host}:80
+          import cloudflare
+        '';
+        virtualHosts."onlyoffice.${domain}".extraConfig = ''
+          reverse_proxy http://${host}:${config.services.onlyoffice.port}
+          import cloudflare
+          # Required to circumvent bug of Onlyoffice loading mixed non-https content
+          header_up X-Forwarded-Proto https
+        '';
+      };
+    })
+  ];
+}
diff --git a/secrets.nix b/secrets.nix
index 1c15c47..9d9e1fa 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,6 +11,7 @@ let
   readarr-apiKey = [ machines.metrics ];
   bazarr-apiKey = [ machines.metrics ];
   grafana-admin-pwd = [ machines.metrics ];
+  nextcloud-admin-pwd = [ machines.nextcloud ];
 };
 in
 builtins.listToAttrs (
diff --git a/secrets/nextcloud-admin-pwd.age b/secrets/nextcloud-admin-pwd.age
new file mode 100644
index 0000000..bd1329d
--- /dev/null
+++ b/secrets/nextcloud-admin-pwd.age
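Review bot: `${config.services.onlyoffice.port}` inside the onlyoffice virtualHost's `extraConfig` interpolates an integer option into a Nix string, which fails evaluation on the Caddy host (`cannot coerce an integer to a string`); it needs `toString`. In the same block `header_up` is a subdirective of `reverse_proxy` in a Caddyfile and is not accepted at site-block level, so it has to move inside a `reverse_proxy … { }` block as below. The admin-password secret is declared with `mode = "770"`; a password file needs neither the execute nor the group-write bit, and `mode = "0440"` with the existing `owner`/`group` still lets the nextcloud user read it. The `host` option's description, `host name where the download manager stack is running`, was copied from media-mgr and should say where the Nextcloud stack runs. If `services.onlyoffice.jwtSecretFile` is deliberately left unset, a one-line comment next to the `onlyoffice` block saying so would help, since as far as I recall the module disables request signing when it is absent.
```nix
        virtualHosts."onlyoffice.${domain}".extraConfig = ''
          reverse_proxy http://${host}:${toString config.services.onlyoffice.port} {
            # Required to circumvent bug of Onlyoffice loading mixed non-https content
            header_up X-Forwarded-Proto https
          }
          import cloudflare
        '';
```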
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 wVuNWQ 5azMMhnd0PdtBMlW/Ye9Dx5W8YQoVvpoFzhdGgbnnS0 +U1Og6r+t0Rvkzm0l01Erh5EfBHnDmbxjYEyZACveX9k +-> ssh-ed25519 Si3UKw RJzW4cv4yjsTCQTqr7sr++Cvw7RYs9+Ywb/a0fOJ9Hs +xwir0Ef0BMDsIWMCf54ItNdjS8GkwboqhOf/Z1Z/wCU +-> ssh-ed25519 3UG3uw KVyQWw1BgQzcouLUcMCSNyQu+7z5cuirb4Bnn0axwwQ +IzRW5pp0g405BDBHMhM1iobCFkIt9lLXyRCxNrw1DA4 +-> ssh-ed25519 JEhtoQ NtfMEtVw2G+LQQI2yBqHuYYU3yypPIWble8RyqCUxgg +WZthbzQC6SffjubVm2cxkIvcMm5/E2LUn6qiCPtqqAo +--- LSKRhvYWld83LHXQnwVE/E8OCupNRn01qyYGmH/IgcI +µtÖ,ªŠzÓÉÿ¹xÔ„w? ô.99) Çô ·óq/®Oú!^O9ÚñaîÒ \ No newline at end of file diff --git a/ssh-keys.nix b/ssh-keys.nix index 223713f..00e0387 100644 --- a/ssh-keys.nix +++ b/ssh-keys.nix @@ -13,21 +13,25 @@ rec { nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhRxaMK+swWcbd6dyBvPw74EtB5mghjgBzmIhXy9cRt"; }; + # Machines able to provision other machines infra-core = [ deadbeef PP416 krzo ]; + # Machines in tailscale network tailscale-machine = [ machines.caddy machines.metrics ]; + # Machines provisioned with Colmena infra-machine = [ machines.arr machines.caddy machines.metrics + machines.nextcloud ]; }