nextcloud: move out of container
This commit is contained in:
parent
e465dc9970
commit
582f336b79
|
@ -57,15 +57,7 @@
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
gzip on;
|
|
||||||
gzip_vary on;
|
|
||||||
gzip_comp_level 4;
|
|
||||||
gzip_min_length 256;
|
|
||||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
|
||||||
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
|
||||||
|
|
||||||
|
|
||||||
# HSTS settings
|
# HSTS settings
|
||||||
# WARNING: Only add the preload option once you read about
|
# WARNING: Only add the preload option once you read about
|
||||||
|
@ -75,7 +67,7 @@
|
||||||
# could take several months.
|
# could take several months.
|
||||||
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
|
||||||
'';
|
'';
|
||||||
locations."/".proxyPass = "http://nextcloud.home.feal.no/";
|
locations."/".proxyPass = "http://voyager.home.feal.no/";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
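Review bot: The first hunk drops the entire gzip block from the proxy vhost (`gzip on;` through the long `gzip_types …` list), yet nothing in this commit shows compression being provided elsewhere, and the message only speaks of leaving the container; if that is intended, a one-line comment such as `# gzip is handled on the upstream host` would record it, otherwise `services.nginx.recommendedGzipSettings = true;` restores an equivalent type list. The upstream is now `http://voyager.home.feal.no/` over plain HTTP, and the visible `proxy_set_header` lines set only `X-Real-IP` and `X-Forwarded-For`; whether `X-Forwarded-Proto` and `X-Forwarded-Host` are set in the lines between the two hunks cannot be seen here and is worth confirming, since the new upstream host is what Nextcloud will see. The vhost definition starts before the first hunk.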
@ -1,50 +1,25 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.containers.nextcloud.config.services.nextcloud;
|
cfg = config.services.nextcloud;
|
||||||
hostName = "cloud.feal.no";
|
hostName = "cloud.feal.no";
|
||||||
in {
|
in {
|
||||||
containers.nextcloud = {
|
|
||||||
autoStart = true;
|
|
||||||
ephemeral = true;
|
|
||||||
|
|
||||||
privateNetwork = true;
|
|
||||||
hostBridge = "br0";
|
|
||||||
localAddress = "192.168.10.171/24";
|
|
||||||
|
|
||||||
bindMounts = {
|
|
||||||
"/var/lib/nextcloud" = { isReadOnly = false; hostPath = "/tank/nextcloud/nextcloud/"; };
|
|
||||||
"/var/lib/postgresql" = { isReadOnly = false; hostPath = "/tank/nextcloud/postgresql/"; };
|
|
||||||
"/srv/secrets/" = { isReadOnly = true; hostPath = "/tank/nextcloud/secrets/"; };
|
|
||||||
};
|
|
||||||
|
|
||||||
config = { config, pkgs, ... }: {
|
|
||||||
system.stateVersion = "23.11";
|
|
||||||
|
|
||||||
networking = {
|
|
||||||
firewall = {
|
|
||||||
enable = true;
|
|
||||||
allowedTCPPorts = [ 80 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
defaultGateway = "192.168.10.1";
|
|
||||||
};
|
|
||||||
time.timeZone = "Europe/Oslo";
|
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nextcloud28;
|
package = pkgs.nextcloud28;
|
||||||
inherit hostName;
|
inherit hostName;
|
||||||
home = "/var/lib/nextcloud";
|
home = "/var/lib/nextcloud";
|
||||||
https = true;
|
https = true;
|
||||||
|
webfinger = true;
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
dbtype = "pgsql";
|
dbtype = "pgsql";
|
||||||
dbuser = "nextcloud";
|
dbuser = "nextcloud";
|
||||||
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
dbhost = "/run/postgresql";
|
||||||
dbname = "nextcloud";
|
dbname = "nextcloud";
|
||||||
adminpassFile = "/srv/secrets/adminpass";
|
|
||||||
adminuser = "ncadmin";
|
adminuser = "ncadmin";
|
||||||
|
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||||
trustedProxies = [ "192.168.10.175" ]; # defiant
|
trustedProxies = [ "192.168.10.175" ]; # defiant
|
||||||
|
defaultPhoneRegion = "NO";
|
||||||
};
|
};
|
||||||
|
|
||||||
# phpOptions = {
|
# phpOptions = {
|
||||||
|
@ -62,8 +37,16 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = [ cfg.occ ];
|
||||||
|
|
||||||
|
sops.secrets."nextcloud/adminpass" = {
|
||||||
|
mode = "0440";
|
||||||
|
owner = "nextcloud";
|
||||||
|
group = "nextcloud";
|
||||||
|
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
|
||||||
ensureDatabases = [ "nextcloud" ];
|
ensureDatabases = [ "nextcloud" ];
|
||||||
ensureUsers = [ {
|
ensureUsers = [ {
|
||||||
name = "nextcloud";
|
name = "nextcloud";
|
||||||
|
@ -75,6 +58,31 @@ in {
|
||||||
requires = [ "postgresql.service" ];
|
requires = [ "postgresql.service" ];
|
||||||
after = [ "postgresql.service" ];
|
after = [ "postgresql.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services."phpfpm-nextcloud".serviceConfig = {
|
||||||
|
WorkingDirectory = "/var/lib/nextcloud";
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
UMask = "0007";
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = "@system-service";
|
||||||
|
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/nextcloud" = {
|
||||||
|
device = "/tank/nextcloud";
|
||||||
|
options = [ "bind "];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
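Review bot: The new `fileSystems."/var/lib/nextcloud"` entry uses `device = "/tank/nextcloud"`, while the container previously mounted `/tank/nextcloud/nextcloud/` at that path and kept `/tank/nextcloud/postgresql/` and `/tank/nextcloud/secrets/` as separate mounts; unless the data was reorganised on the pool outside this commit, this places the old PostgreSQL directory and the old plaintext secrets directory under the Nextcloud home, reachable by anything that can read `/var/lib/nextcloud`. I would expect `device = "/tank/nextcloud/nextcloud";` (or a comment recording the relocation), and the option spelled `"bind"` without the trailing space; the same trailing-space slip appears at the end of `CapabilityBoundingSet` after `~CAP_SYS_PTRACE`. In the hardening block, `ReadWritePaths` grants php-fpm write access to `/nix/store` and `/run/secrets`, neither of which it needs to write — the sops secret is consumed read-only at `mode = "0440"` — so the list can be trimmed to `/var/lib/nextcloud` and the runtime directories. The previous hunk also drops `enable = true;` from `services.postgresql`; if no other module on the host enables PostgreSQL, `ensureDatabases` and `ensureUsers` become inert, so a comment naming where it is enabled would help the next reader.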
@ -14,6 +14,8 @@ wireguard:
|
||||||
wg0:
|
wg0:
|
||||||
public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
|
public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
|
||||||
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
|
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
|
||||||
|
nextcloud:
|
||||||
|
adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -47,8 +49,8 @@ sops:
|
||||||
NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
|
NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
|
||||||
4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
|
4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-12-26T10:47:58Z"
|
lastmodified: "2024-01-03T11:58:32Z"
|
||||||
mac: ENC[AES256_GCM,data:8iVD4UMpvPFZ0nZltAsEHzHlH8L+FnOTQiRUDi7kqA9gpf7aAU+EnLwNf0wVRdBclI7EmfUYmhRAyxfXBVRf8VdADCybocagHd0y5lFDKG8+FuREQ99Z561ZRsEWxGbw8ByHRf4l3wVMOZ/8WMdidAcHGfEMGueSiAvwSrnpqq8=,iv:189f9Bd9cYScN71aQiCdRD72oT0RNbwg5CL8cvI6XYQ=,tag:QgCuNtKmcqp+lPvvsrH+Vw==,type:str]
|
mac: ENC[AES256_GCM,data:17G+wUFH0yV9dQo7kLoMiI7UMBVfj8HbqE0p26/LZ5N0wbLyXKt5YdXQPG8rC22fgHdgePFgIl6qxI2KWgy0bwgBtg9kTxjaKDHkdEs8KKTxbjUXYeIp2JonIH9j3GgN/wa7kABr4QyhDmKhlLupi0ea2A51fDSuhYZDN2kl5As=,iv:XNhmnQJEww6PfHI80bl8LKoiiJdJQcezy71kQZx4oys=,tag:02+GjhSRxw4+qNNjlxPbqA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|