challenger: move more services from voyager: calibre-web, calibre-server, komga, nextcloud, postgres, timemachine
This commit is contained in:
@@ -10,12 +10,8 @@
|
||||
./exports.nix
|
||||
./filesystems.nix
|
||||
|
||||
./services/calibre.nix
|
||||
./services/fancontrol.nix
|
||||
./services/komga.nix
|
||||
./services/nextcloud.nix
|
||||
./services/podgrab.nix
|
||||
./services/postgres.nix
|
||||
./services/snappymail.nix
|
||||
./services/timemachine.nix
|
||||
];
|
||||
|
||||
@@ -1,40 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
domain = "books.home.feal.no";
|
||||
storage = "/tank/media/books";
|
||||
cfg = config.services.calibre-web;
|
||||
in {
|
||||
services = {
|
||||
nginx.virtualHosts.${domain} = {
|
||||
locations = {
|
||||
"/".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
|
||||
"/opds".proxyPass = "http://${cfg.listen.ip}:${toString cfg.listen.port}";
|
||||
};
|
||||
extraConfig = ''
|
||||
client_max_body_size 512M;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
'';
|
||||
};
|
||||
|
||||
calibre-server = {
|
||||
enable = true;
|
||||
user = "calibre-server";
|
||||
libraries = [ storage ];
|
||||
};
|
||||
|
||||
calibre-web = {
|
||||
enable = true;
|
||||
user = "calibre-server";
|
||||
listen.ip = "127.0.0.1";
|
||||
listen.port = 5010;
|
||||
options = {
|
||||
calibreLibrary = storage;
|
||||
enableBookConversion = true;
|
||||
enableKepubify = true;
|
||||
enableBookUploading = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,19 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
domain = "komga.home.feal.no";
|
||||
cfg = config.services.komga;
|
||||
in {
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
|
||||
extraConfig = ''
|
||||
client_max_body_size 512M;
|
||||
'';
|
||||
};
|
||||
|
||||
services.komga = {
|
||||
enable = true;
|
||||
stateDir = "/tank/media/komga";
|
||||
port = 8034;
|
||||
};
|
||||
}
|
||||
@@ -1,120 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.nextcloud;
|
||||
hostName = "cloud.feal.no";
|
||||
in {
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud29;
|
||||
inherit hostName;
|
||||
home = "/tank/nextcloud";
|
||||
https = true;
|
||||
webfinger = true;
|
||||
|
||||
config = {
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "/run/postgresql";
|
||||
dbname = "nextcloud";
|
||||
adminuser = "ncadmin";
|
||||
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||
};
|
||||
|
||||
settings = {
|
||||
default_phone_region = "NO";
|
||||
log_type = "file";
|
||||
overwriteprotocol = "https";
|
||||
trusted_proxies = [ "192.168.10.175" ]; # defiant
|
||||
|
||||
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
|
||||
oidc_login_auto_redirect = true;
|
||||
oidc_login_button_text = "Log in with KeyCloak";
|
||||
oidc_login_client_id = "nextcloud";
|
||||
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
|
||||
oidc_login_code_challenge_method = "S256";
|
||||
oidc_login_end_session_redirect' = true;
|
||||
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
|
||||
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
|
||||
oidc_login_redir_fallback = true;
|
||||
|
||||
oidc_login_attributes = {
|
||||
id = "preferred_username";
|
||||
mail = "email";
|
||||
name = "name";
|
||||
login_filter = "nextcloud-roles";
|
||||
};
|
||||
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
|
||||
oidc_login_disable_registration = false;
|
||||
};
|
||||
|
||||
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
|
||||
|
||||
phpOptions = {
|
||||
"opcache.interned_strings_buffer" = "16";
|
||||
"upload_max_filesize" = lib.mkForce "8G";
|
||||
"post_max_size" = lib.mkForce "8G";
|
||||
"memory_limit" = lib.mkForce "8G";
|
||||
};
|
||||
|
||||
poolSettings = {
|
||||
"pm" = "ondemand";
|
||||
"pm.max_children" = 32;
|
||||
"pm.process_idle_timeout" = "10s";
|
||||
"pm.max_requests" = 500;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ cfg.occ ];
|
||||
|
||||
sops.secrets."nextcloud/adminpass" = {
|
||||
mode = "0440";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
sops.secrets."nextcloud/secretsjson" = {
|
||||
mode = "0440";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [ {
|
||||
name = "nextcloud";
|
||||
ensureDBOwnership = true;
|
||||
} ];
|
||||
};
|
||||
|
||||
systemd.services."nextcloud-setup" = {
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
};
|
||||
|
||||
systemd.services."phpfpm-nextcloud" = {
|
||||
requires = [ "tank-nextcloud.mount" ];
|
||||
serviceConfig = {
|
||||
WorkingDirectory = "/tank/nextcloud";
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
|
||||
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
|
||||
RemoveIPC = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0007";
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
/* enableTCPIP = true; # Expose on the network */
|
||||
authentication = pkgs.lib.mkOverride 10 ''
|
||||
local all all trust
|
||||
host all all 127.0.0.1/32 trust
|
||||
host all all ::1/128 trust
|
||||
'';
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
location = "/var/backup/postgres";
|
||||
startAt = "*-*-* 03:15:00";
|
||||
backupAll = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = [ config.services.postgresql.package ];
|
||||
}
|
||||
|
||||
|
||||
@@ -1,42 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
timeMachineDir = "/tank/backup/worf";
|
||||
user = "worf-backup";
|
||||
sizeLimit = "800000"; # MiB
|
||||
allowedIPs = "192.168.10.2 192.168.10.5"; #TODO
|
||||
in {
|
||||
services.avahi = {
|
||||
enable = true;
|
||||
publish = {
|
||||
enable = true;
|
||||
userServices = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.netatalk = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
Global = {
|
||||
"mimic model" = "TimeCapsule6,106"; # show the icon for the first gen TC
|
||||
"hosts allow" = allowedIPs;
|
||||
};
|
||||
|
||||
"worf-time-machine" = {
|
||||
"time machine" = "yes";
|
||||
"path" = timeMachineDir;
|
||||
"valid users" = user;
|
||||
"vol size limit" = sizeLimit;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.extraUsers.worf-backup = {
|
||||
isSystemUser = true;
|
||||
name = user;
|
||||
group = user;
|
||||
};
|
||||
users.groups."${user}" = {};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 548 636 ];
|
||||
}
|
||||
Reference in New Issue
Block a user