diff --git a/home/isabel/system/ssh.nix b/home/isabel/system/ssh.nix
index 1bb57a743..5d3385cfa 100644
--- a/home/isabel/system/ssh.nix
+++ b/home/isabel/system/ssh.nix
@@ -1,5 +1,6 @@
-{pkgs, ...}: {
- home.packages = with pkgs; [cloudflared];
+_: {
+ # {pkgs, ...}: {
+ # home.packages = with pkgs; [cloudflared];
 programs = {
 ssh = {
 enable = true;
diff --git a/hosts/bernie/services.nix b/hosts/bernie/services.nix
index 3a9a478b2..a868a6c97 100644
--- a/hosts/bernie/services.nix
+++ b/hosts/bernie/services.nix
@@ -1,5 +1,6 @@
 _: {
 modules.services = {
+ nextcloud.enable = true;
 vscode-server.enable = false;
 miniflux.enable = false;
 matrix.enable = true;
@@ -7,6 +8,7 @@ _: {
 vaultwarden.enable = true;
 isabelroses-web.enable = true;
 nginx.enable = true;
+ cloudflared.enable = false;
 mailserver = {
 enable = true;
diff --git a/modules/common/secrets/default.nix b/modules/common/secrets/default.nix
index 2630f85ea..8dca4b139 100644
--- a/modules/common/secrets/default.nix
+++ b/modules/common/secrets/default.nix
@@ -50,6 +50,11 @@ in {
 isabelroses-web-env = {};
+ nextcloud-passwd = mkIf services.nextcloud.enable {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
 # vaultwarden
 vaultwarden-env = {};
diff --git a/modules/common/secrets/secrets.yaml b/modules/common/secrets/secrets.yaml
index 895f76c03..95069d90b 100644
--- a/modules/common/secrets/secrets.yaml
+++ b/modules/common/secrets/secrets.yaml
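Review bot: The two added lines `# {pkgs, ...}: {` and `# home.packages = with pkgs; [cloudflared];` in home/isabel/system/ssh.nix keep the old cloudflared installation as commented-out code instead of deleting it; git history already holds the previous version, so the dead comment only invites drift between the comment and whatever the host actually does. Dropping both lines and keeping `_: {` is enough. If the intent is to keep cloudflared reachable behind a switch, the `cloudflared.enable` toggle this commit sets in hosts/bernie/services.nix is the place for it, not a comment in the ssh module.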
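Review bot: The new `nextcloud-passwd` secret in modules/common/secrets/default.nix carries no note on how it is consumed, and that matters operationally: it is read as `adminpassFile`, which as far as I know Nextcloud only uses during the initial install, so rotating the value in secrets.yaml later will not change the existing admin password. A one-line comment next to it, `# initial admin password for nextcloud-setup; only consumed on first install, rotate via occ afterwards`, would save the next person that surprise. The gate is `services.nextcloud.enable` while the rest of this commit gates on `cfg.nextcloud.enable`; assuming `services` is this file's alias for `config.modules.services` (its `let` is outside the hunk) that is fine, otherwise the secret would silently never be provisioned.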
@@ -9,6 +9,7 @@ mailserver-noreply: ENC[AES256_GCM,data:NgOZ1JI6cXRQG2AH2Rx3zXai/MYtZvrJ7DpwknTT mailserver-spam: ENC[AES256_GCM,data:QJKHyzY/GAwsc0sJfoCR7IEJAoakJ5KS94qIbi4fIoH4CqhJ+qjaLLvuI39Mu2Hrp2gCSvfBJ3oQlN5brQ==,iv:Acashw2STfzbzGBaXrFtHwlEc/AqSkBHKYXwVHOKC6Q=,tag:2Z6UXbe4fTxZq095vbKAZA==,type:str] mailserver-database: ENC[AES256_GCM,data:HR+U0nieGQjWX9iws2awtw==,iv:+Vc+3xGrZibBXZSBx6REW3u//0tzUi6a8ODNJhngS5w=,tag:oKyi1s7FzLYzEieGzuLR5Q==,type:str] rspamd-web: ENC[AES256_GCM,data:jgwF2Pix4QpWGJBKNibPXfh1yfs+5z2oq9XQ1B/C3xZ4BYAQ2aBIZcNoJj1U,iv:8mPIjqC47fX+8Zi5946aLMkGIeTbhVMHSpp7bTx58AA=,tag:e5hYLkgTULd1hJ/XTDwmSg==,type:str] +nextcloud-passwd: ENC[AES256_GCM,data:2XRFDsIU4D6KgneafD9SurL3pA/9g0RN4egMo209fhnp,iv:aAPGBJDlTeoVHneDiQ2FQAsadzB5uzfdEAf2dG3ubYw=,tag:5n63TU3oor6VEMkRxHIzhg==,type:str] vaultwarden-env: ENC[AES256_GCM,data:RZltkcbeTObbSVPIx4x2yP/e6o/WvAuChfmLki8gkX0L5NXYbm3hBOfA1cKMN34git1xNfPyckHm1zV4ZumTfeWtyBOvUZd1TqZxCObh0v67jZUH2pXWybot+LAd+MWf4dYphxiq8/yvvmOwH5WG82HAudOKcnkQ0qDjv47gEbD87IRgeFod3su2h8zd60iMIHTb6G+ErV06XpWizEsnDxWZzpl3k1WO2V30coVY48D/Sh3FQSrEceL4xMBZzRmVhu8Xh3cOqcSejEjS/PkNUYf+7IwDMn5hFXC6/yzgHHva4w==,iv:w6u+8ME93rGbXirMIS/hSSDwiRBKFbSEcLFQjxTHGak=,tag:rDY68+rvgzvVC29Ko+69bw==,type:str] isabelroses-web-env: ENC[AES256_GCM,data:pw5+wVbZXkqp4jvUIGqLkiJcbIJ8pMG31Py237TKu3Fml/kYyV5NuvwZIBvvzryTfT1f1ElefVrtaQyEbV1uA5MEZYZ1h4K7Aw3iWWCzZAyMUhEUUJP5ti46YIc6hyaQeuoWkLQkLmHbazg=,iv:Dcsnj6riFUM/CWljcQeMF/YgI2M3uUf/ZFVWpbSxyI0=,tag:JxNh5LESxMtiNaL8mHxL6g==,type:str] miniflux-env: ENC[AES256_GCM,data:v7miyr71dg2fcMHKtmBlnlFQXafkfXLQBPOGfIA2EYs8Ew3VzhFMDfPe+zZ6upVACIZlXNcd,iv:s2SQno1o0ZyV/aZlUsXDwlOHckvTmdq41VXHzdAPaQ8=,tag:/0vFN4sR5gebiHYjPd/QXw==,type:str] 
@@ -41,8 +42,8 @@ sops: cDRpZkkxZWhiVmN1Y1FSRm5seVpmbnMKl7CHdNdXOr67tCjYp+jhUSYImndyvhQP heUpcdBCJADlE9oG6lDr4ngwdHFqVrN757uMqZWEbT80hzZUXVRArw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-23T18:12:50Z" - mac: ENC[AES256_GCM,data:ShhL2973BN7dmdY+2s1NHqlgZ1PR8T82spWH2ZgYz7mKWZhfNFBiuGvBoMHAEYNUaieanI6SataTmEIq5Ud74RqskWOaKm92DVl7nfC31jqgtsshv2aj36+AREcmrKQ/dZcEVO8rnad1cTX2wyYDrkTHzFuU2ler/O+Az3y8CVU=,iv:c0eaetlOBsHe6/FKg0xGaPcENuf50pWMBbRUVVPHNKc=,tag:AJ8kyr/StFEfnX/UhAQz6A==,type:str] + lastmodified: "2023-10-26T22:09:17Z" + mac: ENC[AES256_GCM,data:nNAr/yIJ15akWZ+qQx4ax8LxNBjChkYstCKPzi89jAxmtRZNH1Io4zrDmNE4JWO4wjb9RYPtVlxeQkGZ0HeGAp5GfXnlEM8XtpMEPDfk6fLJ2yxPHdHwQs0BAdSB2QuAfDheGCJYlxSAyaUuN4EUlPHcbgFWBokdUb96JuPY1eM=,iv:wm9kq2S40pwXPCfFI2H/WwWGNofqB3PTYfxf2FSA3A0=,tag:9RPArhEwTYNEzBCX0UANSA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/common/types/server/services/databases/postgresql/default.nix b/modules/common/types/server/services/databases/postgresql/default.nix index 66ae19b48..ff8acb966 100644 --- a/modules/common/types/server/services/databases/postgresql/default.nix +++ b/modules/common/types/server/services/databases/postgresql/default.nix @@ -28,16 +28,12 @@ in { }; ensureDatabases = [ - "miniflux" + "nextcloud" "forgejo" "grafana" "vaultwarden" ]; ensureUsers = [ - { - name = "miniflux"; - ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES"; - } { name = "postgres"; ensurePermissions."ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; @@ -50,6 +46,10 @@ in { name = "grafana"; ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES"; } + { + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } { name = "vaultwarden"; ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES"; diff --git a/modules/common/types/server/services/databases/redis/default.nix b/modules/common/types/server/services/databases/redis/default.nix index d25f81bfd..e0b7999a8 100644 
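Review bot: The first hunk in modules/common/types/server/services/databases/postgresql/default.nix replaces `"miniflux"` and its `ensureUsers` block with nextcloud's rather than adding the nextcloud entries next to them; `miniflux.enable` is still a declared option (modules/options/services/default.nix in this same commit), so re-enabling it later would come up without its database and role unless miniflux's own module creates them, which I cannot see from here. Keeping the miniflux entries alongside `"nextcloud"` and the new user block, or gating each entry on its service's enable flag as the redis module does, keeps this list in step with the options. Separately, if this repository follows nixos-unstable, `ensurePermissions` has been deprecated in favour of `ensureDBOwnership`, which fits the new role since the database and role share the name `nextcloud`.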
--- a/modules/common/types/server/services/databases/redis/default.nix
+++ b/modules/common/types/server/services/databases/redis/default.nix
@@ -11,6 +11,12 @@ in {
 services.redis = {
 vmOverCommit = true;
 servers = {
+ nextcloud = mkIf cfg.nextcloud.enable {
+ enable = true;
+ user = "nextcloud";
+ port = 0;
+ };
+
 forgejo = mkIf cfg.forgejo.enable {
 enable = true;
 user = "forgejo";
diff --git a/modules/common/types/server/services/default.nix b/modules/common/types/server/services/default.nix
index 225a4a448..e486ef9d3 100644
--- a/modules/common/types/server/services/default.nix
+++ b/modules/common/types/server/services/default.nix
@@ -10,6 +10,7 @@ _: {
 ./matrix
 ./miniflux
 ./monitoring
+ ./nextcloud
 ./nginx
 ./photoprism
 ./vaultwarden
diff --git a/modules/common/types/server/services/nextcloud/default.nix b/modules/common/types/server/services/nextcloud/default.nix
new file mode 100644
index 000000000..6e601dd9c
--- /dev/null
+++ b/modules/common/types/server/services/nextcloud/default.nix
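Review bot: The redis server added here is named `nextcloud`, so under NixOS's `services.redis.servers.<name>.unixSocket` default (as far as I recall `/run/redis-<name>/redis.sock`) its socket is `/run/redis-nextcloud/redis.sock`, whereas the new modules/common/types/server/services/nextcloud/default.nix in this commit points Nextcloud at `/run/redis-default/redis.sock`; unless a server named `default` is defined elsewhere, the two never meet and Nextcloud's redis cache silently does nothing. Referencing the path from the configuration instead of hard-coding it, `host = config.services.redis.servers.nextcloud.unixSocket;`, keeps them in step, and if the channel in use has `services.nextcloud.configureRedis` that option does this wiring for you. `port = 0` (no TCP listener) together with running the instance as the `nextcloud` user is the right shape for a socket-only, single-consumer cache.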
@@ -0,0 +1,72 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ inherit (config.networking) domain;
+ nextcloud_domain = "cloud.${domain}";
+
+ cfg = config.modules.services;
+in {
+ config = mkIf cfg.nextcloud.enable {
+ modules.services.database = {
+ redis.enable = true;
+ postgresql.enable = true;
+ };
+
+ services = {
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud27;
+ caching.redis = true;
+ extraOptions = {
+ redis = {
+ host = "/run/redis-default/redis.sock";
+ dbindex = 0;
+ timeout = 1.5;
+ };
+ };
+
+ hostName = nextcloud_domain;
+ home = "/opt/nextcloud";
+ maxUploadSize = "4G";
+ enableImagemagick = true;
+
+ autoUpdateApps = {
+ enable = true;
+ startAt = "02:00";
+ };
+
+ config = {
+ overwriteProtocol = "https";
+ extraTrustedDomains = ["https://${toString nextcloud_domain}"];
+ trustedProxies = ["https://${toString nextcloud_domain}"];
+ adminuser = "isabel";
+ adminpassFile = config.sops.secrets.nextcloud-passwd.path;
+ defaultPhoneRegion = "UK";
+
+ # database
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ };
+ nginx.recommendedHttpHeaders = true;
+ https = true;
+ };
+ };
+
+ systemd.services = {
+ phpfpm-nextcloud.aliases = ["nextcloud.service"];
+ "nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = "10s";
+ };
+ };
+ };
+ };
+}
diff --git a/modules/common/types/server/services/nginx/default.nix b/modules/common/types/server/services/nginx/default.nix
index 3afc1f95b..0e8654978 100644
--- a/modules/common/types/server/services/nginx/default.nix
+++ b/modules/common/types/server/services/nginx/default.nix
@@ -56,6 +56,11 @@ in {
 enableACME = true;
 };
+ "cloud.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+
 # mailserver
 "mail.${domain}" = mkIf cfg.mailserver.enable {
 forceSSL = true;
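Review bot: `trustedProxies = ["https://${toString nextcloud_domain}"]` in the new nextcloud/default.nix sets Nextcloud's `trusted_proxies` to a URL, but that setting takes the IP addresses or CIDR ranges of whatever proxies to the PHP backend, so this entry can never match; if a tunnel or external proxy is ever placed in front, Nextcloud attributes every request to the proxy's address, which collapses brute-force throttling onto a single IP and makes the access logs useless. If nginx on this host is the terminating server, as the NixOS module sets it up, the option can simply be dropped; if a local proxy sits in front, list its addresses, e.g. `trustedProxies = ["127.0.0.1" "::1"];`. `extraTrustedDomains` likewise expects bare host names and `hostName` is already trusted by the module, so the `https://` entry there is redundant at best. `defaultPhoneRegion = "UK"` is not an ISO 3166-1 alpha-2 code; the United Kingdom is `"GB"`. The `toString` calls are no-ops on a string and can go.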
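Review bot: The new `"cloud.${domain}"` vhost in modules/common/types/server/services/nginx/default.nix is unconditional, unlike the neighbouring `"mail.${domain}" = mkIf cfg.mailserver.enable {`; on a host with nextcloud disabled it still requests an ACME certificate for that name and serves nginx's default root under it. Wrapping it the same way, `"cloud.${domain}" = mkIf cfg.nextcloud.enable {`, ties the vhost to the service. Note that the NixOS nextcloud module already declares `services.nginx.virtualHosts.${hostName}` for this same name, so the two definitions merge and this block only contributes `forceSSL`/`enableACME`, which could equally live beside the nextcloud config in the new module where the gate is already in place.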
diff --git a/modules/options/services/default.nix b/modules/options/services/default.nix
index 3e81e3feb..679292278 100644
--- a/modules/options/services/default.nix
+++ b/modules/options/services/default.nix
@@ -6,16 +6,11 @@
 inherit (lib) mkEnableOption;
 cfg = config.modules.services;
- # stolen the functions https://github.com/NotAShelf/nyx/blob/614c3b0ee09b41a21bbd2395d1294bb55028657b/modules/common/options/system/services.nix
-
- # ifOneEnabled takes a parent option and 3 child options and checks if at least one of them is enabled
- # => ifOneEnabled config.modules.services "service1" "service2" "service3"
- # ifOneEnabled = cfg: a: b: c: cfg.a || cfg.b || cfg.c;
-
 # mkEnableOption is the same as mkEnableOption but with the default value being equal to cfg.monitoring.enable
 mkEnableOption' = desc: mkEnableOption "${desc}" // {default = cfg.monitoring.enable;};
 in {
 options.modules.services = {
+ nextcloud.enable = mkEnableOption "Nextcloud service";
 matrix.enable = mkEnableOption "Enable matrix server";
 miniflux.enable = mkEnableOption "Enable miniflux rss news aggreator service";
 forgejo.enable = mkEnableOption "Enable the forgejo service";