From 48a03b9af32acf7400b163e5fdebb97c376d3fec Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Wed, 3 Jan 2024 18:34:33 +0100
Subject: [PATCH] nextcloud: move out of container
---
 hosts/defiant/services/nginx.nix | 10 +-
 hosts/voyager/services/nextcloud.nix | 146 ++++++++++++++-------------
 secrets/voyager/voyager.yaml | 6 +-
 3 files changed, 82 insertions(+), 80 deletions(-)
diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix
index 7ecf990..ba687f7 100644
--- a/hosts/defiant/services/nginx.nix
+++ b/hosts/defiant/services/nginx.nix
@@ -57,15 +57,7 @@ extraConfig = ''
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- server_tokens off;
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
 # HSTS settings
 # WARNING: Only add the preload option once you read about
@@ -75,7 +67,7 @@
 # could take several months.
 #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
 '';
- locations."/".proxyPass = "http://nextcloud.home.feal.no/";
+ locations."/".proxyPass = "http://voyager.home.feal.no/";
 };
 };
 }
diff --git a/hosts/voyager/services/nextcloud.nix b/hosts/voyager/services/nextcloud.nix
index 5ac8de4..68c5904 100644
--- a/hosts/voyager/services/nextcloud.nix
+++ b/hosts/voyager/services/nextcloud.nix
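Review bot: Removing `server_tokens off;` together with the gzip directives drops the explicit suppression of the nginx version in the `Server` header and on error pages for this vhost; it is only harmless if the http-level default of the NixOS module (`services.nginx.serverTokens`, false by default) is not overridden on defiant, which this hunk cannot show. Either keep the line, or add `# server_tokens is already off via services.nginx.serverTokens` so the next reader does not re-add the whole block. Dropping gzip on the TLS-terminating proxy is reasonable (presumably compression now happens on voyager's own nginx), but a one-line comment stating that it is deliberate would help. The enclosing virtualHost definition starts and ends outside the hunk.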
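Review bot: The new upstream `http://voyager.home.feal.no/` is a plain-HTTP hop, and the Nextcloud module's nginx on voyager selects its vhost by name (`cloud.feal.no`), so the proxied request must carry that `Host` header; the hunk sets `X-Real-IP` and `X-Forwarded-For` but shows no `proxy_set_header Host`, so confirm it comes from `recommendedProxySettings` or add `proxy_set_header Host $host;` to `extraConfig`. The `trustedProxies` entry on the voyager side only makes sense if this proxy is the sole path to port 80 there, which is worth stating in a comment next to the proxyPass. The enclosing `locations` attribute belongs to a vhost defined outside the hunk.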
@@ -1,80 +1,88 @@
 { config, pkgs, lib, ... }:
 let
- cfg = config.containers.nextcloud.config.services.nextcloud;
+ cfg = config.services.nextcloud;
 hostName = "cloud.feal.no";
 in {
- containers.nextcloud = {
- autoStart = true;
- ephemeral = true;
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud28;
+ inherit hostName;
+ home = "/var/lib/nextcloud";
+ https = true;
+ webfinger = true;
- privateNetwork = true;
- hostBridge = "br0";
- localAddress = "192.168.10.171/24";
-
- bindMounts = {
- "/var/lib/nextcloud" = { isReadOnly = false; hostPath = "/tank/nextcloud/nextcloud/"; };
- "/var/lib/postgresql" = { isReadOnly = false; hostPath = "/tank/nextcloud/postgresql/"; };
- "/srv/secrets/" = { isReadOnly = true; hostPath = "/tank/nextcloud/secrets/"; };
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ adminuser = "ncadmin";
+ adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+ trustedProxies = [ "192.168.10.175" ]; # defiant
+ defaultPhoneRegion = "NO";
 };
- config = { config, pkgs, ... }: {
- system.stateVersion = "23.11";
+ # phpOptions = {
+ # "opcache.interned_strings_buffer" = "16";
+ # "upload_max_filesize" = "4G";
+ # "post_max_size" = "4G";
+ # "memory_limit" = "4G";
+ # };
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 ];
- };
-
- defaultGateway = "192.168.10.1";
- };
- time.timeZone = "Europe/Oslo";
-
- services.nextcloud = {
- enable = true;
- package = pkgs.nextcloud28;
- inherit hostName;
- home = "/var/lib/nextcloud";
- https = true;
-
- config = {
- dbtype = "pgsql";
- dbuser = "nextcloud";
- dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
- dbname = "nextcloud";
- adminpassFile = "/srv/secrets/adminpass";
- adminuser = "ncadmin";
- trustedProxies = [ "192.168.10.175" ]; # defiant
- };
-
- # phpOptions = {
- # "opcache.interned_strings_buffer" = "16";
- # "upload_max_filesize" = "4G";
- # "post_max_size" = "4G";
- # "memory_limit" = "4G";
- # };
-
- poolSettings = {
- "pm" = "ondemand";
- "pm.max_children" = 32;
- "pm.process_idle_timeout" = "10s";
- "pm.max_requests" = 500;
- };
- };
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "nextcloud" ];
- ensureUsers = [ {
- name = "nextcloud";
- ensureDBOwnership = true;
- } ];
- };
-
- systemd.services."nextcloud-setup" = {
- requires = [ "postgresql.service" ];
- after = [ "postgresql.service" ];
- };
+ poolSettings = {
+ "pm" = "ondemand";
+ "pm.max_children" = 32;
+ "pm.process_idle_timeout" = "10s";
+ "pm.max_requests" = 500;
 };
 };
+
+ environment.systemPackages = [ cfg.occ ];
+
+ sops.secrets."nextcloud/adminpass" = {
+ mode = "0440";
+ owner = "nextcloud";
+ group = "nextcloud";
+ restartUnits = [ "phpfpm-nextcloud.service" ];
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ } ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ systemd.services."phpfpm-nextcloud".serviceConfig = {
+ WorkingDirectory = "/var/lib/nextcloud";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+ RemoveIPC = true;
+ RestrictSUIDSGID = true;
+ UMask = "0007";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+ };
+
+ fileSystems."/var/lib/nextcloud" = {
+ device = "/tank/nextcloud";
+ options = [ "bind "];
+ };
 }
diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml
index 437a2f4..e4008de 100644
--- a/secrets/voyager/voyager.yaml
+++ b/secrets/voyager/voyager.yaml
@@ -14,6 +14,8 @@ wireguard:
 wg0:
 public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
 private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
+nextcloud:
+ adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
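Review bot: `ReadWritePaths` on `phpfpm-nextcloud` is wider than the service needs: `/run/secrets` only has to be readable (`adminpassFile` points there) and `/nix/store` is never written, so both belong in `ReadOnlyPaths` or can be dropped, leaving `/var/lib/nextcloud` and `/run/phpfpm` writable; whether `/run/systemd` is required is worth confirming rather than assuming. `CapabilityBoundingSet` also strips `CAP_SETUID`/`CAP_SETGID`; if the php-fpm master still starts as root and switches the pool workers to the `nextcloud` user, that switch needs those capabilities, so verify the unit actually starts under this set before relying on it. The new `fileSystems."/var/lib/nextcloud"` entry has a trailing space inside the option string, `options = [ "bind "];`; it is probably tokenized away in the generated fstab but reads as a typo and should be `options = [ "bind" ];`. Finally, the removed container opened port 80 via `firewall.allowedTCPPorts = [ 80 ]` and the host-side replacement opens nothing; if voyager's firewall is enabled, the plain-HTTP vhost needs to be reachable from defiant (192.168.10.175), ideally only from there, since `trustedProxies` assumes that is the sole client.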
@@ -47,8 +49,8 @@ sops:
 NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
 4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-26T10:47:58Z"
- mac: ENC[AES256_GCM,data:8iVD4UMpvPFZ0nZltAsEHzHlH8L+FnOTQiRUDi7kqA9gpf7aAU+EnLwNf0wVRdBclI7EmfUYmhRAyxfXBVRf8VdADCybocagHd0y5lFDKG8+FuREQ99Z561ZRsEWxGbw8ByHRf4l3wVMOZ/8WMdidAcHGfEMGueSiAvwSrnpqq8=,iv:189f9Bd9cYScN71aQiCdRD72oT0RNbwg5CL8cvI6XYQ=,tag:QgCuNtKmcqp+lPvvsrH+Vw==,type:str]
+ lastmodified: "2024-01-03T11:58:32Z"
+ mac: ENC[AES256_GCM,data:17G+wUFH0yV9dQo7kLoMiI7UMBVfj8HbqE0p26/LZ5N0wbLyXKt5YdXQPG8rC22fgHdgePFgIl6qxI2KWgy0bwgBtg9kTxjaKDHkdEs8KKTxbjUXYeIp2JonIH9j3GgN/wa7kABr4QyhDmKhlLupi0ea2A51fDSuhYZDN2kl5As=,iv:XNhmnQJEww6PfHI80bl8LKoiiJdJQcezy71kQZx4oys=,tag:02+GjhSRxw4+qNNjlxPbqA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1