waffentrager: add nextcloud, config: remove private inputs

2024-03-25 19:46:18 +01:00 · 2024-03-25 19:46:18 +01:00 · a9146bb628
parent cd78aabf19
commit a9146bb628
9 changed files with 70 additions and 6 deletions
--- a/configurations/host/default.nix
+++ b/configurations/host/default.nix
@ -25,7 +25,6 @@ let
      system = arch;
      modules = [
        ./${host}
-        inputs.private.systemModule
        profiles.osProfile
        materusCfg.configInputs.sops-nix.nixosModules.sops
        (if hmAsModule then hm.nixosModules.home-manager else { })
--- a/configurations/host/waffentrager/secrets/default.nix
+++ b/configurations/host/waffentrager/secrets/default.nix
@ -24,4 +24,5 @@
  sops.secrets.wireguard = { };
  sops.secrets."users/materus" = { neededForUsers = true; };
  sops.secrets.elements = { };
+  sops.secrets.nextcloud-adminpass = { };
 }
--- a/configurations/host/waffentrager/secrets/secrets.yaml
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
@ -1,4 +1,5 @@
 wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
+nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
 elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
 users:
    materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@ -17,8 +18,8 @@ sops:
            eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
            ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-23T01:18:06Z"
-    mac: ENC[AES256_GCM,data:VJvZl1wOOqDkiYXJyWn1V952H0Wovt4qi/ErQ2J63seRsqD8k52KpraB44gRyuRc3AwoDjm4gSj6vkWFoSmE+RxxiR03ArscVanJOrsefDclAcp9DLlHxyVopsnmzbd5HMAt89RznCwRtbxHk+Nm22uBrBjw3Kqq4zmHAZKjAjo=,iv:1Fg0RE4td6LL2ruJmy8lTL6euK0p+R/E/dQPjrQB9cg=,tag:os41oy4Wfo/HxPi0ESaeDA==,type:str]
+    lastmodified: "2024-03-25T17:12:26Z"
+    mac: ENC[AES256_GCM,data:TQR/BiXayPQ5S2fbMNJcdjdTjPemZFFWk9aWs0HI2UDG8DDZUUhz8U0OD8qM2+h7ZZK/HGlyQH6QBOZjitTcjbXLXZFGKo/ueAvT8vaeZAgYiFjPdHOOTbtr+MvaV/Ia5CWwVD42USxU3srVkHSwxpM1J/q4Rahag7EmF6raj08=,iv:42cnWEEYr6FysEeq6o4zndqNkC9uNrOdlVO652JsmoA=,tag:vQaJ8QoX4jWKbn1bOcVAaA==,type:str]
    pgp:
        - created_at: "2024-03-21T18:15:00Z"
          enc: |-
--- a/configurations/host/waffentrager/services/default.nix
+++ b/configurations/host/waffentrager/services/default.nix
@ -7,10 +7,12 @@
      ./mount-acme.nix
      ./gitea.nix
      ./nginx.nix
+      ./nextcloud.nix
    ];
  waffentragerService.elements.enable = true;
  waffentragerService.postgresql.enable = true;
  waffentragerService.mount-acme.enable = true;
  waffentragerService.gitea.enable = true;
  waffentragerService.nginx.enable = true;
+  waffentragerService.nextcloud.enable = true;
 }
--- a/configurations/host/waffentrager/services/elements.nix
+++ b/configurations/host/waffentrager/services/elements.nix
@ -4,7 +4,7 @@
  options.waffentragerService.elements.path = lib.mkOption { default = "/var/lib/elements"; };
  options.waffentragerService.elements.uuid = lib.mkOption { default = "e32039c6-e98d-44b0-8e7d-120994bf7be1"; };
  options.waffentragerService.elements.postgresqlDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/postgresql"; };
-
+  options.waffentragerService.elements.nextcloudDir = lib.mkOption { default = "${config.waffentragerService.elements.path}/services/nextcloud"; };
  config =
    let
      cfg = config.waffentragerService.elements;
@ -24,6 +24,9 @@
        '' + lib.optionalString config.waffentragerService.postgresql.enable ''
          mkdir -p ${cfg.postgresqlDir}/${config.waffentragerService.postgresql.version}
          chown -R postgres:postgres ${cfg.postgresqlDir}
+        '' + lib.optionalString config.waffentragerService.nextcloud.enable ''
+          mkdir -p ${cfg.nextcloudDir}
+          chown -R nextcloud:nextcloud ${cfg.nextcloudDir}
        ''

        ;
--- a/configurations/host/waffentrager/services/nextcloud.nix
+++ b/configurations/host/waffentrager/services/nextcloud.nix
@ -0,0 +1,59 @@
+{ materusArg, config, lib, pkgs, ... }:
+{
+  options.waffentragerService.nextcloud.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable nextcloud";
+
+  config =
+    let
+      cfg = config.waffentragerService.nextcloud;
+    in
+    lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+      waffentragerService.postgresql.enable = true;
+      waffentragerService.nginx.enable = true;
+
+      sops.secrets.nextcloud-adminpass.owner = config.users.users.nextcloud.name;
+      sops.secrets.nextcloud-adminpass.group = config.users.users.nextcloud.group;
+
+      services.postgresql.ensureDatabases = [ "nextcloud" ];
+      services.postgresql.ensureUsers = [{
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }];
+      services.nextcloud = {
+        enable = true;
+        notify_push.enable = true;
+        package = pkgs.nextcloud28;
+        hostName = "waffentrager.materus.pl";
+        home = config.waffentragerService.elements.nextcloudDir;
+        config.adminuser = "master";
+        config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
+        config.dbtype = "pgsql";
+        config.defaultPhoneRegion = "PL";
+        config.trustedProxies = [ materusArg.ips.valkyrie materusArg.ips.wireguard.valkyrie materusArg.ips.wireguard.waffentrager ];
+        extraAppsEnable = true;
+        maxUploadSize = "4G";
+        https = true;
+        enableImagemagick = true;
+        configureRedis = true;
+        webfinger = true;
+        appstoreEnable = true;
+        database.createLocally = true;
+        nginx.recommendedHttpHeaders = true;
+        extraApps = { notify_push = pkgs.nextcloud28Packages.apps.notify_push; };
+        extraOptions = {
+          mail_smtpmode = "sendmail";
+          mail_sendmailmode = "pipe";
+        };
+      };
+      services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+        addSSL = true;
+        http2 = false;
+        sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+        sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+        sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+        extraConfig = ''
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        '';
+      };
+    };
+}
--- a/configurations/profile/common/default.nix
+++ b/configurations/profile/common/default.nix
@ -10,6 +10,7 @@ in
  imports = [
    ./nixpkgs.nix
    ./packages
+    ./private
  ];
  options.materus.materusArg = lib.mkOption { default = { }; };
  config._module.args.materusArg = config.materus.materusArg // materusArg;
--- a/configurations/profile/common/private/default.nix
+++ b/configurations/profile/common/private/default.nix
--- a/configurations/shared/home/genHomes.nix
+++ b/configurations/shared/home/genHomes.nix
@ -19,7 +19,6 @@ let
                (materusFlake.selfPath + "/configurations/shared/home/${username}")
                (materusFlake.selfPath + "/configurations/host/${host}/home/${username}")
                profiles.homeProfile
-                inputs.private.homeModule
                materusFlake.nixosConfigurations.${host}.materusCfg.configInputs.sops-nix.homeManagerModules.sops
              ];
            };
@ -49,7 +48,6 @@ let
          modules = [
            ./${username}
            profiles.homeProfile
-            inputs.private.homeModule
            materusCfg.configInputs.sops-nix.homeManagerModules.sops
          ];
        };