feat(nix): add nextcloud module

sbulav · Nov 13, 2024 · 68a13eb · 68a13eb
1 parent 0a891e6
commit 68a13eb
Show file tree

Hide file tree

Showing 7 changed files with 201 additions and 9 deletions.
diff --git a/nix/modules/nixos/containers/adguard/default.nix b/nix/modules/nixos/containers/adguard/default.nix
@@ -10,7 +10,7 @@ with lib.custom; let
 in {
   options.${namespace}.containers.adguard = with types; {
     enable = mkBoolOpt false "Enable adguard nixos-container;";
-    host = mkOpt str "adguard.sbulav.ru" "The host to serve homepage on";
+    host = mkOpt str "adguard.sbulav.ru" "The host to serve adguard on";
     hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
     localAddress = mkOpt str "172.16.64.104" "With privateNetwork, which address to use in container";
   };

diff --git a/nix/modules/nixos/containers/authelia/default.nix b/nix/modules/nixos/containers/authelia/default.nix
@@ -11,8 +11,8 @@ with lib.custom; let
 in {
   options.${namespace}.containers.authelia = with types; {
     enable = mkBoolOpt false "Enable authelia nixos-container;";
-    cf_secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get cloudflare creds from";
-    dataPath = mkOpt str "/tank/authelia" "Traefik data path on host machine";
+    secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get creds from";
+    dataPath = mkOpt str "/tank/authelia" "Authelia data path on host machine";
     host = mkOpt str "authelia.sbulav.ru" "The host to serve authentik on";
     domain = mkOpt str "sbulav.ru" "The domain session cookie to protect";
     hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
@@ -22,12 +22,12 @@ in {
   config = mkIf cfg.enable {
     sops.secrets = {
       authelia-env = {
-        sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+        sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
         uid = 999;
         restartUnits = ["[email protected]"];
       };
       authelia-storage-encryption-key = {
-        sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+        sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
         uid = 999;
         restartUnits = ["[email protected]"];
       };

diff --git a/nix/modules/nixos/containers/flood/default.nix b/nix/modules/nixos/containers/flood/default.nix
@@ -9,8 +9,8 @@ with lib.custom; let
   cfg = config.${namespace}.containers.flood;
 in {
   options.${namespace}.containers.flood = with types; {
-    enable = mkBoolOpt false "Enable flood nixos-container;";
-    host = mkOpt str "flood.sbulav.ru" "The host to serve homepage on";
+    enable = mkBoolOpt false "Enable flood nixos-container with rtorrent;";
+    host = mkOpt str "flood.sbulav.ru" "The host to serve flood on";
     hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
     localAddress = mkOpt str "172.16.64.105" "With privateNetwork, which address to use in container";
   };

diff --git a/nix/modules/nixos/containers/nextcloud/default.nix b/nix/modules/nixos/containers/nextcloud/default.nix
@@ -0,0 +1,177 @@
+{
+  config,
+  lib,
+  namespace,
+  inputs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.${namespace}.containers.nextcloud;
+in {
+  options.${namespace}.containers.nextcloud = with types; {
+    enable = mkBoolOpt false "Enable nextcloud nixos-container;";
+    secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get creds from";
+    dataPath = mkOpt str "/tank/nextcloud" "Nextcloud data path on host machine";
+    host = mkOpt str "nextcloud.sbulav.ru" "The host to serve nextcloud on";
+    hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
+    localAddress = mkOpt str "172.16.64.106" "With privateNetwork, which address to use in container";
+  };
+
+  config = mkIf cfg.enable {
+    networking.nat = {
+      enable = true;
+      internalInterfaces = ["ve-nextcloud"];
+      externalInterface = "ens3";
+    };
+
+    sops.secrets = {
+      nextcloud-admin-pass = {
+        sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
+        uid = 999;
+      };
+    };
+    containers.nextcloud = {
+      ephemeral = true;
+      autoStart = true;
+
+      privateNetwork = true;
+      # Need to add 172.16.64.0/18 on router
+      hostAddress = "${cfg.hostAddress}";
+      localAddress = "${cfg.localAddress}";
+
+      bindMounts = {
+        "${config.sops.secrets.nextcloud-admin-pass.path}" = {
+          isReadOnly = true;
+        };
+
+        "/var/lib/nextcloud/config/" = {
+          hostPath = "${cfg.dataPath}/config/";
+          isReadOnly = false;
+        };
+        "/var/lib/nextcloud/data/" = {
+          hostPath = "${cfg.dataPath}/data/";
+          isReadOnly = false;
+        };
+        "/var/lib/nextcloud/store-apps/" = {
+          hostPath = "${cfg.dataPath}/store-apps/";
+          isReadOnly = false;
+        };
+        "/var/lib/postgresql/" = {
+          hostPath = "${cfg.dataPath}/postgresql/";
+          isReadOnly = false;
+        };
+      };
+      # Inherit inputs to use stable package in container
+      specialArgs = {
+        inherit inputs;
+      };
+
+      config = {
+        config,
+        inputs,
+        ...
+      }: {
+        systemd.tmpfiles.rules = [
+          # "z /run/secrets/nextcloud-admin-pass - nextcloud nextcloud -"
+          "d /var/lib/nextcloud 750 nextcloud nextcloud -"
+          "d /var/lib/postgresql 700 postgres postgres -"
+        ];
+
+        services = {
+          nextcloud = {
+            enable = true;
+            package = inputs.stable.legacyPackages.x86_64-linux.nextcloud30;
+            hostName = "${cfg.host}";
+
+            https = true;
+            maxUploadSize = "16G";
+            configureRedis = true;
+            datadir = "/var/lib/nextcloud";
+            database.createLocally = true;
+            # As recommended by admin panel
+            phpOptions."opcache.interned_strings_buffer" = "24";
+
+            autoUpdateApps.enable = true;
+            extraAppsEnable = true;
+            extraApps = {
+              inherit
+                (config.services.nextcloud.package.packages.apps)
+                previewgenerator
+                notes
+                user_oidc
+                ;
+            };
+
+            config = {
+              adminuser = "admin";
+              adminpassFile = "/run/secrets/nextcloud-admin-pass";
+              dbtype = "pgsql";
+            };
+
+            settings = {
+              log_type = "file";
+              loglevel = 1;
+              trusted_proxies = ["${cfg.hostAddress}"];
+              default_phone_region = "US";
+              enable_previews = true;
+              maintenance_window_start = 4; # Run jobs at 4am UTC
+              enabledPreviewProviders = [
+                "OC\\Preview\\BMP"
+                "OC\\Preview\\GIF"
+                "OC\\Preview\\JPEG"
+                "OC\\Preview\\Krita"
+                "OC\\Preview\\MarkDown"
+                "OC\\Preview\\MP3"
+                "OC\\Preview\\OpenDocument"
+                "OC\\Preview\\PNG"
+                "OC\\Preview\\TXT"
+                "OC\\Preview\\XBitmap"
+                # Not included by default
+                "OC\\Preview\\HEIC"
+                "OC\\Preview\\Movie"
+                "OC\\Preview\\MP4"
+              ];
+            };
+          };
+        };
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [80];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+        services.resolved.enable = true;
+        system.stateVersion = "24.11";
+      };
+    };
+
+    containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
+      routers.nextcloud = {
+        entrypoints = ["websecure"];
+        rule = "Host(`${cfg.host}`)";
+        service = "nextcloud";
+        middlewares = [
+          "secure-headers"
+        ];
+        tls = {
+          certResolver = "production";
+        };
+      };
+      services.nextcloud = {
+        loadBalancer = {
+          passHostHeader = true;
+          servers = [
+            {
+              url = "http://${cfg.localAddress}:80";
+            }
+          ];
+        };
+      };
+    };
+  };
+}
diff --git a/nix/modules/nixos/containers/traefik/middleware_secure-headers.nix b/nix/modules/nixos/containers/traefik/middleware_secure-headers.nix
@@ -17,6 +17,14 @@
       ];
       referrerPolicy = "same-origin";
       addVaryHeader = true;
+      customResponseHeaders = {
+        X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex";
+        server = "";
+        X-Forwarded-Proto = "https";
+      };
+      sslProxyHeaders = {
+        X-Forwarded-Proto = "https";
+      };
     };
   };
   auth-chain = {

diff --git a/nix/secrets/serverz/default.yaml b/nix/secrets/serverz/default.yaml
@@ -1,6 +1,7 @@
 traefik-cf-env: ENC[AES256_GCM,data:g7Xw9UM1FeOFh+R0jGmPl9Gipix2WNilkCw30iDutxduhYCRmh3cye4D43Zy5x31kvdHej0pwlaSgEVbDOfBMoeENezrcDnLd3xqZHks75QleXv8Ujqoag==,iv:w/byUzrl/9+qcMnUERmO7RYpk991WbhRtcBJkIQIF1o=,tag:CxFiyegx/ZhzU+CU0Bkabg==,type:str]
 authelia-env: ENC[AES256_GCM,data:6fFB2jhyMiGKY/Y/cbel3p9wkEX72OPYHjoEereC7vj6kVH6fne7ctCKFgzZF0bGyET6iS7sh01Xgj+BNCejdSAoqjouoUHBcFc3VE7Vrecg/0LLDjLZ4sc1Fd1ZGLvcPNDTVL0j7UQTBX0MirB1yy4t2s1gNLUvjunwxtglLaAxjDIi541pZb4d9FL/BJ1g76dvGLIlyF4tKssSPSujLls/JrlG3/jbdrmS4sbA+ZI=,iv:eqeV4P1Rw0RxQqs//oYTzEQLyavLfbvKkz2JXs9fkmc=,tag:1rsGSeGVn3c3IYAsfghTXw==,type:str]
 authelia-storage-encryption-key: ENC[AES256_GCM,data:ub+rSg3lNyxVJapVhMJBu+9kfG6ToSJSXmgie3qOvlkRZy4oLYdEIvgcie9yZ6CnSAASMLVBX8GSt2XKee8Lbg==,iv:vHNERwAxZ8ndFKANC40GUqt1JF1ivBOPWt70MWgSMso=,tag:yQN8dDoXl6Uqg3VSG3hhUw==,type:str]
+nextcloud-admin-pass: ENC[AES256_GCM,data:yJFfJ7K/gyM71omo//qURGs=,iv:5JmRGdHHtJtiZeuF4kjok2nUrWQArRRTr5XbwJtDXxI=,tag:SY9Lz7QMCNoixUesA3Q9WQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -25,8 +26,8 @@ sops:
             SVdkN2htWTBaLy9jdGJ6S0RocE9JMFUK8yejh6yKp+OLsNFXWHUJzvHnwaGI1yXA
             Y4F7JY6bhXcu8KJGvjgy08ox+n82V6xY9ov1hwhUlfyIZf4H0/bjuA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-11T15:03:08Z"
-    mac: ENC[AES256_GCM,data:gIT8+GGrup4dAqVG0iTZDiJV/2vc5H9Gw6OhKqGxWKWLd02awHEvSP54saLGRTOel704UNCSeAvOmttAE1sSCGKCxffFh7rsJnp8U06v9GFNA4A4EmacfjQJ4eVTzETkbTf3OOghkA5NNxiRwAlwmdMVOW2DBp7cxW7O+RuCg/k=,iv:+qHNrk06eIiJj9smg67QaqQvWoapjVYNv3qVvPhlEbw=,tag:UqPtQYyP2JC8lX4DP4ormw==,type:str]
+    lastmodified: "2024-11-13T07:50:57Z"
+    mac: ENC[AES256_GCM,data:3ww7LvMEg/qa8JJ6C4OlEvf4eqlQgvPtWDEkuY9QewnjSs7pAGNxQrOPpNCO4zLrO7Kx2u73Rcg8bzQXbBsPypR5LmlOC8hqi+OqW8k0YPmG8Ep0WVMX7v9IQsjM34JSyQFIKC7iD55diTi5B7W+a/MOpqJ0wvNPqPUwrbRA1/M=,iv:IgbubkYWcOrxXLRvHCknUNNkt1rQ+JDgcRTAaAgKZwU=,tag:WGVSgNnybAqfEgLl1kZx+w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1
diff --git a/nix/systems/x86_64-linux/serverz/default.nix b/nix/systems/x86_64-linux/serverz/default.nix
@@ -65,6 +65,12 @@ in {
       hostAddress = "172.16.64.10";
       localAddress = "172.16.64.105";
     };
+    nextcloud = {
+      enable = true;
+      host = "nextcloud2.sbulav.ru";
+      hostAddress = "172.16.64.10";
+      localAddress = "172.16.64.106";
+    };
   };
 
   environment.systemPackages = with pkgs; [