From 2957af19b5f4569e85cec6f84ce9821b721dc02b Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Wed, 3 Jan 2024 02:35:57 +0100 Subject: [PATCH] voyager: add nextcloud --- hosts/defiant/services/nginx.nix | 29 ++++++++++ hosts/voyager/configuration.nix | 12 +++-- hosts/voyager/services/nextcloud.nix | 79 ++++++++++++++++++++++++++++ 3 files changed, 115 insertions(+), 5 deletions(-) create mode 100644 hosts/voyager/services/nextcloud.nix diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix index aee37b0..1934c04 100644 --- a/hosts/defiant/services/nginx.nix +++ b/hosts/defiant/services/nginx.nix @@ -45,5 +45,34 @@ "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}"; "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; + + "cloud.feal.no" = { + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; + enableACME = true; + forceSSL = true; + + extraConfig = '' + server_tokens off; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + + # HSTS settings + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; + ''; + locations."/".proxyPass = "http://nextcloud.home.feal.no/"; + }; }; } diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix index 472fbf1..606c2c0 100644 --- a/hosts/voyager/configuration.nix +++ b/hosts/voyager/configuration.nix @@ -15,6 +15,7 @@ ./services/fancontrol.nix ./services/jellyfin.nix ./services/kanidm.nix + ./services/nextcloud.nix ./services/nginx ./services/postgres.nix ./services/timemachine.nix @@ -23,13 +24,14 @@ networking = { hostName = "voyager"; - defaultGateway = "192.168.10.1"; - interfaces.eno1.ipv4 = { - addresses = [ + bridges.br0.interfaces = [ "eno1" ]; + interfaces.br0.useDHCP = false; + interfaces.br0.ipv4.addresses = [ { address = "192.168.10.165"; prefixLength = 24; } - ]; - }; + ]; + hostId = "8e84b235"; + defaultGateway = "192.168.10.1"; }; sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml; diff --git a/hosts/voyager/services/nextcloud.nix b/hosts/voyager/services/nextcloud.nix new file mode 100644 index 0000000..f682ad7 --- /dev/null +++ b/hosts/voyager/services/nextcloud.nix @@ -0,0 +1,79 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.containers.nextcloud.config.services.nextcloud; + hostName = "cloud.feal.no"; +in { + containers.nextcloud = { + autoStart = true; + ephemeral = true; + + privateNetwork = true; + hostBridge = "br0"; + localAddress = "192.168.10.171/24"; + + bindMounts = { + "/var/lib/nextcloud" = { isReadOnly = false; hostPath = "/tank/nextcloud/nextcloud/"; }; + "/var/lib/postgresql" = { isReadOnly = false; hostPath = "/tank/nextcloud/postgresql/"; }; + "/srv/secrets/" = { isReadOnly = true; hostPath = "/tank/nextcloud/secrets/"; }; + }; + + config = { config, pkgs, ... }: { + system.stateVersion = "23.11"; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 80 ]; + }; + + defaultGateway = "192.168.10.1"; + }; + time.timeZone = "Europe/Oslo"; + + services.nextcloud = { + enable = true; + package = pkgs.nextcloud28; + inherit hostName; + home = "/var/lib/nextcloud"; + https = true; + + config = { + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + adminpassFile = "/srv/secrets/adminpass"; + adminuser = "ncadmin"; + }; + + # phpOptions = { + # "opcache.interned_strings_buffer" = "16"; + # "upload_max_filesize" = "4G"; + # "post_max_size" = "4G"; + # "memory_limit" = "4G"; + # }; + + poolSettings = { + "pm" = "ondemand"; + "pm.max_children" = 32; + "pm.process_idle_timeout" = "10s"; + "pm.max_requests" = 500; + }; + }; + + services.postgresql = { + enable = true; + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ { + name = "nextcloud"; + ensureDBOwnership = true; + } ]; + }; + + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + }; + }; +}