challenger: move more services from voyager: calibre-web, calibre-server, komga, nextcloud, postgres, timemachine

hosts/challenger/services/calibre.nix

@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "books.home.feal.no";
+  storage = "/tank/media/books";
+  cfg = config.services.calibre-web;
+in {
+  services = {
+    nginx.virtualHosts.${domain} = {
+      locations = {
+        "/".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+        "/opds".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
+      };
+      extraConfig = ''
+        client_max_body_size 512M;
+        proxy_busy_buffers_size 512k;
+        proxy_buffers 4 512k;
+        proxy_buffer_size 256k;
+      '';
+    };
+
+    calibre-server = {
+      enable = true;
+      user = "calibre-server";
+      libraries = [ storage ];
+    };
+
+    calibre-web = {
+      enable = true;
+      user = "calibre-server";
+      listen.ip = "127.0.0.1";
+      listen.port = 5010;
+      options = {
+        calibreLibrary = storage;
+        enableBookConversion = true;
+        enableKepubify = true;
+        enableBookUploading = true;
+      };
+    };
+  };
+}

hosts/challenger/services/komga.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "komga.home.feal.no";
+  cfg = config.services.komga;
+in {
+  services.komga = {
+    enable = true;
+    stateDir = "/tank/media/komga";
+    port = 5001;
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+  };
+}

hosts/challenger/services/nextcloud.nix

@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.nextcloud;
+  hostName = "cloud.feal.no";
+in {
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud29;
+    inherit hostName;
+    home = "/tank/nextcloud";
+    https = true;
+    webfinger = true;
+
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      adminuser = "ncadmin";
+      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+    };
+
+    settings = {
+      default_phone_region = "NO";
+      log_type = "file";
+      overwriteprotocol = "https";
+      trusted_proxies = [ "192.168.10.175" ]; # defiant
+
+      # Docs: https://github.com/pulsejet/nextcloud-oidc-login
+      oidc_login_auto_redirect = true;
+      oidc_login_button_text = "Log in with KeyCloak";
+      oidc_login_client_id = "nextcloud";
+      oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
+      oidc_login_code_challenge_method = "S256";
+      oidc_login_end_session_redirect' = true;
+      oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
+      oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
+      oidc_login_redir_fallback = true;
+
+      oidc_login_attributes = {
+        id = "preferred_username";
+        mail = "email";
+        name = "name";
+        login_filter = "nextcloud-roles";
+      };
+      oidc_login_filter_allowed_values = [ "nextcloud-user" ];
+      oidc_login_disable_registration = false;
+    };
+
+    secretFile = config.sops.secrets."nextcloud/secretsjson".path;
+
+    phpOptions = {
+      "opcache.interned_strings_buffer" = "16";
+      "upload_max_filesize" = lib.mkForce "8G";
+      "post_max_size" = lib.mkForce "8G";
+      "memory_limit" = lib.mkForce "8G";
+    };
+
+    poolSettings = {
+      "pm" = "ondemand";
+      "pm.max_children" = 32;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 500;
+    };
+  };
+
+  environment.systemPackages = [ cfg.occ ];
+
+  sops.secrets."nextcloud/adminpass" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+  sops.secrets."nextcloud/secretsjson" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [ {
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    } ];
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  systemd.services."phpfpm-nextcloud" = {
+    requires = [ "tank-nextcloud.mount" ];
+    serviceConfig = {
+      WorkingDirectory = "/tank/nextcloud";
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
+      ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
+      InaccessbilePaths = [ "/tank/media" "/tank/backup" ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+    };
+  };
+}

hosts/challenger/services/postgres.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    /* enableTCPIP = true; # Expose on the network */
+    authentication = pkgs.lib.mkOverride 10 ''
+     local all all trust
+     host all all 127.0.0.1/32 trust
+     host all all ::1/128 trust
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/backup/postgres";
+    startAt = "*-*-* 03:15:00";
+    backupAll = true;
+  };
+
+  environment.systemPackages = [ config.services.postgresql.package ];
+}

hosts/challenger/services/timemachine.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+  let
+    timeMachineDir = "/tank/backup/worf";
+    user = "worf-backup";
+    sizeLimit = "800000"; # MiB
+    allowedIPs = "192.168.10.2 192.168.10.5"; #TODO
+  in {
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      userServices = true;
+    };
+  };
+
+  services.netatalk = {
+    enable = true;
+
+    settings = {
+      Global = {
+        "mimic model" = "TimeCapsule6,106";  # show the icon for the first gen TC
+        "hosts allow" = allowedIPs;
+      };
+
+      "worf-time-machine" = {
+        "time machine" = "yes";
+        "path" = timeMachineDir;
+        "valid users" = user;
+        "vol size limit" = sizeLimit;
+      };
+    };
+  };
+
+  users.extraUsers.worf-backup = {
+    isSystemUser = true;
+    name = user;
+    group = user;
+  };
+  users.groups."${user}" = {};
+
+  networking.firewall.allowedTCPPorts = [ 548 636 ];
+}