From 8f9a556f3749b468f4182bb8a52adf0d08935231 Mon Sep 17 00:00:00 2001 From: Natsu Kagami Date: Mon, 15 May 2023 13:56:39 +0200 Subject: [PATCH] Deploy nextcloud --- nki-personal-do/configuration.nix | 4 +- nki-personal-do/hardware-configuration.nix | 6 ++ nki-personal-do/nextcloud.nix | 66 ++++++++++++++++++++++ nki-personal-do/secrets/secrets.yaml | 8 ++- 4 files changed, 80 insertions(+), 4 deletions(-) create mode 100644 nki-personal-do/nextcloud.nix diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix index a4f2a2c..1554fc7 100644 --- a/nki-personal-do/configuration.nix +++ b/nki-personal-do/configuration.nix @@ -15,6 +15,7 @@ ./headscale.nix ./gitea.nix + ./nextcloud.nix ]; common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine. @@ -182,7 +183,7 @@ # Outline - sops.secrets.minio-secret-key = { }; + sops.secrets.minio-secret-key = { owner = "root"; mode = "0444"; }; sops.secrets.authentik-oidc-client-secret = { owner = "outline"; }; sops.secrets."outline/smtp-password" = { owner = "outline"; }; services.outline = { @@ -242,6 +243,7 @@ listenAddress = ":61929"; consoleAddress = ":62929"; rootCredentialsFile = config.sops.secrets.minio-credentials.path; + dataDir = lib.mkForce [ "/mnt/minio/minio" ]; }; cloud.traefik.hosts.minio = { host = "s3.dtth.ch"; port = 61929; }; system.stateVersion = "21.11"; diff --git a/nki-personal-do/hardware-configuration.nix b/nki-personal-do/hardware-configuration.nix index 6ec06be..1f5274d 100644 --- a/nki-personal-do/hardware-configuration.nix +++ b/nki-personal-do/hardware-configuration.nix @@ -7,4 +7,10 @@ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; # swap swapDevices = [{ device = "/var/swapfile"; size = 2 * 1024; }]; + # volumes + fileSystems."/mnt/minio" = { + device = "/dev/disk/by-id/scsi-0HC_Volume_31812942"; + fsType = "ext4"; + + }; } 
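Review bot: `mode = "0444"` on `sops.secrets.minio-secret-key` (the `# Outline` hunk of configuration.nix) makes the MinIO secret key readable by every local user and service on the host, which is wider than any single consumer needs and wider than the previous `{ }` (root-owned, 0400). The new nextcloud.nix in this same commit already uses the narrower pattern — a per-service alias `sops.secrets."nextcloud/minio-secret-key" = { owner = user; key = "minio-secret-key"; };` — so Nextcloud does not need this relaxation; if it was done for Outline, `sops.secrets.minio-secret-key = { owner = "outline"; };` (keeping the default 0400) or a second alias achieves the same without a world-readable file under the sops secrets directory. If more than one service really must read the same path, `group = "..."; mode = "0440";` is still tighter than 0444.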
diff --git a/nki-personal-do/nextcloud.nix b/nki-personal-do/nextcloud.nix
new file mode 100644
index 0000000..96fce0f
--- /dev/null
+++ b/nki-personal-do/nextcloud.nix
@@ -0,0 +1,66 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ user = "nextcloud";
+ host = "cloud.dtth.ch";
+ port = 61155;
+
+ secrets = config.sops.secrets;
+in
+{
+ sops.secrets."nextcloud/admin-password" = { owner = user; };
+ sops.secrets."nextcloud/minio-secret-key" = { owner = user; key = "minio-secret-key"; };
+ # database
+ cloud.postgresql.databases = [ user ];
+ # traefik
+ cloud.traefik.hosts.nextcloud = {
+ inherit port host;
+ };
+ services.nextcloud = {
+ enable = true;
+ hostName = host;
+ package = pkgs.nextcloud26;
+ enableBrokenCiphersForSSE = false;
+
+ home = "/mnt/minio/nextcloud";
+ https = true;
+ database.createLocally = false;
+
+ extraApps = with pkgs.nextcloud26Packages.apps; {
+ inherit calendar contacts deck forms groupfolders news tasks;
+ sociallogin = pkgs.fetchNextcloudApp rec {
+ url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.4.3/release.tar.gz";
+ sha256 = "sha256-ZKwtF9j9WFIk3MZgng9DmN00A73S2Rb4qbehL9adaZo=";
+ };
+ };
+
+ config = {
+ # Database
+ dbtype = "pgsql";
+ dbname = user;
+ dbuser = user;
+ dbhost = "/run/postgresql";
+ # User
+ adminuser = "nki";
+ adminpassFile = secrets."nextcloud/admin-password".path;
+ # General
+ overwriteProtocol = "https";
+ defaultPhoneRegion = "VN";
+
+ objectstore.s3 = {
+ enable = true;
+ bucket = "nextcloud-dtth";
+ autocreate = true;
+ key = "minio";
+ secretFile = config.sops.secrets."nextcloud/minio-secret-key".path;
+ hostname = "s3.dtth.ch";
+ port = 443;
+ useSsl = true;
+ usePathStyle = true;
+ region = "us-east-1";
+ };
+ };
+ };
+ services.nginx.virtualHosts.${host}.listen = [{ inherit port; addr = "127.0.0.1"; }];
+}
+
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index 0746081..4b4d216 100644
--- a/nki-personal-do/secrets/secrets.yaml
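Review bot: The `config` block sets `overwriteProtocol = "https"` for the Traefik front end and nginx listens only on `127.0.0.1`, but no `trustedProxies` is configured, so Nextcloud will treat every request as coming from 127.0.0.1 — its brute-force throttling then rate-limits all users as one client and the log/audit trail loses the real source address. Add `trustedProxies = [ "127.0.0.1" ];` next to `overwriteProtocol` (Traefik must also forward `X-Forwarded-For`, which is outside this file). Separately, `objectstore.s3.key = "minio"` paired with the shared `minio-secret-key` secret looks like it may be the server-wide MinIO credential that Outline also uses; if so, Nextcloud gets read/write on every bucket, and a MinIO user with a policy scoped to `nextcloud-dtth` would be the least-privilege choice — with the bucket created up front, since `autocreate = true` would otherwise require bucket-creation rights.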
+++ b/nki-personal-do/secrets/secrets.yaml 
@@ -7,7 +7,7 @@ minio-secret-key: ENC[AES256_GCM,data:FkF4hFiW7s5gYbMbdemsmhduYDtb/aqMoUgP+CWI3r cloudflare-dns-api-token: ENC[AES256_GCM,data:2ny3JehpK30fTUDKrbzHv1QOczriChRyMQn6kNPULpUJ+eVwdptLvg==,iv:8wNAn3oawzLez7sO4ZvhFXcaZIpFVKgKCvTBlszFHn8=,tag:fRaO+u/5MtAWnTiy2Zwh0Q==,type:str] #ENC[AES256_GCM,data:KWrVRQg+cLm5MUdfsYrh7hkI4CWkl4Z0sDj0769eebeXDy+veixrQrxh1ZW+ro3WLwoIdU/IH5DPM4TWYn2qoM5aDHjGX764pr1x,iv:uZHBsGvSHv9vd/Wragl1dYNJ+8vCcMit2K3SrMFlz7s=,tag:7z4LyADfQvXsM2vvtWru8w==,type:comment] traefik-dashboard-users: ENC[AES256_GCM,data:kviapOq+xzxhjryse+5DaZbXRS/LEYyjqqFbHymXAZVEkWlu0T5pZ2bxSNCbXN+tXnb0u+6YPgGCaRNPLW74AF1hO8W8QqlLDA==,iv:41bwPyFQcuOLILTjLWUu5Kcnct/MaIIJsMbllc+n7Y0=,tag:17HyUjfRUcLGb0FrUm1O2A==,type:str] -mail-users: ENC[AES256_GCM,data:FLmmXKcYLNRCyksuEervvU3HHzbPa4nPyHziF0CAtvB571AilH35KylvVb6YAh66Zacr8aO6CkxgIhcqs4/IFWmqNRSWta3R2r5g6yQE3gUW+HhPra1rRrmB9lRFs8j6lkUza0Rrrr1NmTkf2YqGyAR40+lEcaCQUyDAqUE3GW39YSunWDkvbsBCHK/Pj+Oq46dKr8NrOHqkbN7rdamSdReAKMzk8/lRAkbsxe9kfra/cwxVArEEVX10w2g4zTdPW2QlykvrmBLcjY6NA6FWDPwSUvq87lfKo6svUSN3zgfsgo2F809FdKPazEMQq9QvAoWe5jJ1YJbiquuJpelH6Ip7ShKGGw==,iv:BlhylfpbRfq9e9UOuhwcL2BUuWpynZT46RsprcaEVrI=,tag:g8QVUuNk4TuxgkHrfzqQvQ==,type:str] +mail-users: ENC[AES256_GCM,data:4L/G7TfwqchtaSRBQxbKMrQY0f857jzye4ojaaZ5m5Q9Du6dLwyZoMu7KyAedhaYnVnjv+qk7BdNpbbHH1cbFJ13Q5KLqyrge0iyXmhKdFoT7ftU60omiIBgZahTvoSgIg72r+bUNRDFqbb9yHYixEDpZFX2DScJ3A8FnjKZ1l022eRHpj8KMV534ew5QN9QB0gE5Swu5egBm/glgbX9OeiNX4N66Qf7HKGTQ5p1UXqlK38xIJelAm2KjZ2BGswxYCmxKV6f0q0lAD2Pi6Ass1AWfWb0Is00ZUcJy5KoqhqmcaXURlcAnfHunRQam/UJstfYzARg4SwUG2mrKSDrqtnawxlsaf4D9dtj6AwZiyrsK6jDTj8EH6ZPYpc3I6ag9FkMSrkWmWYPNdHMzZFtoDN8Yvb/yRB5KQj2zqHVEbvQba0afNDP1RsmPHFezGCe6PchTLChIPEyLzgZS5dqiA==,iv:0BAZIE4Y0ZzszkTounx3cRgxYWZKbUT5Ye83rdL39vw=,tag:OIaOwTdM/9h1fwY7gwWOdQ==,type:str] youmubot-env: 
ENC[AES256_GCM,data:m/NGN8r6Caq2tTHeVWV9y5fol9r36aKYYXLjHaa0AR+0XpVeJdXVZxPfQtzX4uo09rOGAPE4lepO05weo7mvEjI5m5QJ4FWrw0/HkLm4SUWnTnDU6BlK7l4K/2Ayz7jmD6GLWI+KcOSjEmma9GXNkVwDnxVrwaAWYOfDqDJMjMES/1S8OgCe5+74MCgNeefIwgXnmmxVMpl8fAdnOgovh1zRvcKPVrN5T0ia39IatDERwegas+q8t90Jjw==,iv:IEFvaMWzgClbHbsxGTdP5EdGayHQgggOT9CU7oAyMtE=,tag:GoEEcGCNHMimzltDit4kzA==,type:str] outline: smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str] @@ -24,6 +24,8 @@ headscale: gitea: mailer-password: ENC[AES256_GCM,data:LDW0bpbfanBa2QjqdgtKu6F+zG84xaGuLg1cs6eTJbg=,iv:Kle+czR9Xqi45qWjYJIjRhq87rG2PNoNF6YQ7tQ+HJA=,tag:WUuPgwdnz8F2WtFsgcrw/Q==,type:str] signing-key: ENC[AES256_GCM,data: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,iv:LlUhINacJf7haxl7i0QI9ALdOFLdLJGbsXgszKVJOVg=,tag:ALkAcUmPFHp8wpI7DVYbiw==,type:str] +nextcloud: + admin-password: ENC[AES256_GCM,data:wDL8xCv8/mFQniIRQOR+zl1kArSUXc2KAfCP1jmnidLOYwC4X0d8V60s0hAXCO1gUxNTETjbjBkGlENpvQm8dL94DIshCMyMxFc5gUmrF9qc+omOPT5HF82FgaHnN9N6sH3r19SfoXkMtBROj1V6xlU/lVqx+CiJCSCBfbllYkY=,iv:DGFlXNRXey0dIQVzsg0qkPGxDG+36tcg0BXUQzHfANk=,tag:HdpNO+ikmXo7wtahYwtkDg==,type:str] sops: kms: [] gcp_kms: [] 
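Review bot: The `-mail-users`/`+mail-users` rewrite in the `@@ -7,7 +7,7 @@` hunk is unrelated to deploying Nextcloud, and the new ciphertext is noticeably longer than the old one, which suggests an account was added or changed rather than a plain re-encryption. Keeping that change in its own commit, or at least naming it in the commit message, keeps the secrets history auditable and lets the `nextcloud/admin-password` addition be reviewed on its own.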
@@ -57,8 +59,8 @@ sops: by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-07T15:39:19Z" - mac: ENC[AES256_GCM,data:5+ORtiY/Ky9uk4eCoqypExNd2EJIi+VPOCVvwJeCXqD+arkAcwt1SGLETUI9Rh16Bs9k+e3q6bu9LBmoNjCBJ39yvDVChwNR7F0Uw0D5leTzDG9uLBFmAxJ+fTp8OL4UNQOwTO4Fmfhe9UC8v5X7wBBNmi5GS1dvDrw8FrfQvK0=,iv:ZFjT48N26e+TO5tjhcPgXmpBT5zjWs8BZfJx5eep24o=,tag:QajcmWss9MwKWmu6Ysy/8A==,type:str] + lastmodified: "2023-05-11T20:46:04Z" + mac: ENC[AES256_GCM,data:csUDc036tnmVNQcdmjc4bfDn+BqtpYSmmspF10EW+jUVINO3rLwnx01jrUMoqVZQnxZ3d62ra+afhKAKUtInYxsJLb1uC+EUdKMzz5AFZTMJ4QDoPO7X2JAGqoS15B5k/Tr+PGTSVNINWjWMNQTHS3NDvIKGDyjxxv19sefJ9WY=,iv:L+r1jlmN5yuSu0pQBvF4tvX92Qnmbsn1GGjQnB9CnjE=,tag:gaxNp/RzTOkR/guFjm8lHA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3