diff --git a/nix/modules/nixos/containers/adguard/default.nix b/nix/modules/nixos/containers/adguard/default.nix
index fc7a19e..86e8fb9 100644
--- a/nix/modules/nixos/containers/adguard/default.nix
+++ b/nix/modules/nixos/containers/adguard/default.nix
@@ -10,7 +10,7 @@ with lib.custom; let
 in {
 options.${namespace}.containers.adguard = with types; {
 enable = mkBoolOpt false "Enable adguard nixos-container;";
- host = mkOpt str "adguard.sbulav.ru" "The host to serve homepage on";
+ host = mkOpt str "adguard.sbulav.ru" "The host to serve adguard on";
 hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
 localAddress = mkOpt str "172.16.64.104" "With privateNetwork, which address to use in container";
 };
diff --git a/nix/modules/nixos/containers/authelia/default.nix b/nix/modules/nixos/containers/authelia/default.nix
index 8a4c7c0..9961d25 100644
--- a/nix/modules/nixos/containers/authelia/default.nix
+++ b/nix/modules/nixos/containers/authelia/default.nix
@@ -11,8 +11,8 @@ with lib.custom; let
 in {
 options.${namespace}.containers.authelia = with types; {
 enable = mkBoolOpt false "Enable authelia nixos-container;";
- cf_secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get cloudflare creds from";
- dataPath = mkOpt str "/tank/authelia" "Traefik data path on host machine";
+ secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get creds from";
+ dataPath = mkOpt str "/tank/authelia" "Authelia data path on host machine";
 host = mkOpt str "authelia.sbulav.ru" "The host to serve authentik on";
 domain = mkOpt str "sbulav.ru" "The domain session cookie to protect";
 hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
@@ -22,12 +22,12 @@ in {
 config = mkIf cfg.enable {
 sops.secrets = {
 authelia-env = {
- sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+ sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
 uid = 999;
 restartUnits = ["container@authelia.service"];
 };
 authelia-storage-encryption-key = {
- sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+ sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
 uid = 999;
 restartUnits = ["container@authelia.service"];
 };
diff --git a/nix/modules/nixos/containers/flood/default.nix b/nix/modules/nixos/containers/flood/default.nix
index 9434bec..1cc5e66 100644
--- a/nix/modules/nixos/containers/flood/default.nix
+++ b/nix/modules/nixos/containers/flood/default.nix
@@ -9,8 +9,8 @@ with lib.custom; let
 cfg = config.${namespace}.containers.flood;
 in {
 options.${namespace}.containers.flood = with types; {
- enable = mkBoolOpt false "Enable flood nixos-container;";
- host = mkOpt str "flood.sbulav.ru" "The host to serve homepage on";
+ enable = mkBoolOpt false "Enable flood nixos-container with rtorrent;";
+ host = mkOpt str "flood.sbulav.ru" "The host to serve flood on";
 hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
 localAddress = mkOpt str "172.16.64.105" "With privateNetwork, which address to use in container";
 };
diff --git a/nix/modules/nixos/containers/nextcloud/default.nix b/nix/modules/nixos/containers/nextcloud/default.nix
new file mode 100644
index 0000000..18c5c15
--- /dev/null
+++ b/nix/modules/nixos/containers/nextcloud/default.nix
@@ -0,0 +1,177 @@
+{
+ config,
+ lib,
+ namespace,
+ inputs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.${namespace}.containers.nextcloud;
+in {
+ options.${namespace}.containers.nextcloud = with types; {
+ enable = mkBoolOpt false "Enable nextcloud nixos-container;";
+ secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get creds from";
+ dataPath = mkOpt str "/tank/nextcloud" "Nextcloud data path on host machine";
+ host = mkOpt str "nextcloud.sbulav.ru" "The host to serve nextcloud on";
+ hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
+ localAddress = mkOpt str "172.16.64.106" "With privateNetwork, which address to use in container";
+ };
+
+ config = mkIf cfg.enable {
+ networking.nat = {
+ enable = true;
+ internalInterfaces = ["ve-nextcloud"];
+ externalInterface = "ens3";
+ };
+
+ sops.secrets = {
+ nextcloud-admin-pass = {
+ sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
+ uid = 999;
+ };
+ };
+ containers.nextcloud = {
+ ephemeral = true;
+ autoStart = true;
+
+ privateNetwork = true;
+ # Need to add 172.16.64.0/18 on router
+ hostAddress = "${cfg.hostAddress}";
+ localAddress = "${cfg.localAddress}";
+
+ bindMounts = {
+ "${config.sops.secrets.nextcloud-admin-pass.path}" = {
+ isReadOnly = true;
+ };
+
+ "/var/lib/nextcloud/config/" = {
+ hostPath = "${cfg.dataPath}/config/";
+ isReadOnly = false;
+ };
+ "/var/lib/nextcloud/data/" = {
+ hostPath = "${cfg.dataPath}/data/";
+ isReadOnly = false;
+ };
+ "/var/lib/nextcloud/store-apps/" = {
+ hostPath = "${cfg.dataPath}/store-apps/";
+ isReadOnly = false;
+ };
+ "/var/lib/postgresql/" = {
+ hostPath = "${cfg.dataPath}/postgresql/";
+ isReadOnly = false;
+ };
+ };
+ # Inherit inputs to use stable package in container
+ specialArgs = {
+ inherit inputs;
+ };
+
+ config = {
+ config,
+ inputs,
+ ...
+ }: {
+ systemd.tmpfiles.rules = [
+ # "z /run/secrets/nextcloud-admin-pass - nextcloud nextcloud -"
+ "d /var/lib/nextcloud 750 nextcloud nextcloud -"
+ "d /var/lib/postgresql 700 postgres postgres -"
+ ];
+
+ services = {
+ nextcloud = {
+ enable = true;
+ package = inputs.stable.legacyPackages.x86_64-linux.nextcloud30;
+ hostName = "${cfg.host}";
+
+ https = true;
+ maxUploadSize = "16G";
+ configureRedis = true;
+ datadir = "/var/lib/nextcloud";
+ database.createLocally = true;
+ # As recommended by admin panel
+ phpOptions."opcache.interned_strings_buffer" = "24";
+
+ autoUpdateApps.enable = true;
+ extraAppsEnable = true;
+ extraApps = {
+ inherit
+ (config.services.nextcloud.package.packages.apps)
+ previewgenerator
+ notes
+ user_oidc
+ ;
+ };
+
+ config = {
+ adminuser = "admin";
+ adminpassFile = "/run/secrets/nextcloud-admin-pass";
+ dbtype = "pgsql";
+ };
+
+ settings = {
+ log_type = "file";
+ loglevel = 1;
+ trusted_proxies = ["${cfg.hostAddress}"];
+ default_phone_region = "US";
+ enable_previews = true;
+ maintenance_window_start = 4; # Run jobs at 4am UTC
+ enabledPreviewProviders = [
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ # Not included by default
+ "OC\\Preview\\HEIC"
+ "OC\\Preview\\Movie"
+ "OC\\Preview\\MP4"
+ ];
+ };
+ };
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80];
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+ services.resolved.enable = true;
+ system.stateVersion = "24.11";
+ };
+ };
+
+ containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
+ routers.nextcloud = {
+ entrypoints = ["websecure"];
+ rule = "Host(`${cfg.host}`)";
+ service = "nextcloud";
+ middlewares = [
+ "secure-headers"
+ ];
+ tls = {
+ certResolver = "production";
+ };
+ };
+ services.nextcloud = {
+ loadBalancer = {
+ passHostHeader = true;
+ servers = [
+ {
+ url = "http://${cfg.localAddress}:80";
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/nix/modules/nixos/containers/traefik/middleware_secure-headers.nix b/nix/modules/nixos/containers/traefik/middleware_secure-headers.nix
index 6927151..3d92a20 100644
--- a/nix/modules/nixos/containers/traefik/middleware_secure-headers.nix
+++ b/nix/modules/nixos/containers/traefik/middleware_secure-headers.nix
@@ -17,6 +17,14 @@
 ];
 referrerPolicy = "same-origin";
 addVaryHeader = true;
+ customResponseHeaders = {
+ X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex";
+ server = "";
+ X-Forwarded-Proto = "https";
+ };
+ sslProxyHeaders = {
+ X-Forwarded-Proto = "https";
+ };
 };
 };
 auth-chain = {
diff --git a/nix/secrets/serverz/default.yaml b/nix/secrets/serverz/default.yaml
index f4cb26f..41763a4 100644
--- a/nix/secrets/serverz/default.yaml
+++ b/nix/secrets/serverz/default.yaml
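Review bot: The `sops.secrets.nextcloud-admin-pass` entry sets `uid = 999;` but no `restartUnits`, unlike the authelia secrets touched in this same commit, so a rotated admin password will not restart the container the way the authelia ones do; add `restartUnits = ["container@nextcloud.service"];`. The inner container module also hardcodes `adminpassFile = "/run/secrets/nextcloud-admin-pass"` while the bind mount is keyed on `config.sops.secrets.nextcloud-admin-pass.path`; the two presumably only agree while the host-side sops path keeps its default, which deserves a comment such as `# must match the host sops path bind-mounted above`. The commented-out tmpfiles `z` rule for the secret is left with no explanation; either drop it or state why uid 999 is expected to be the container's nextcloud user.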
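Review bot: `X-Forwarded-Proto = "https";` inside `customResponseHeaders` is emitted to the client, not to the upstream, so it does nothing for the backend's scheme detection; if the goal is to tell the backend the original request was HTTPS, that belongs in `customRequestHeaders = { X-Forwarded-Proto = "https"; };` (and Traefik normally sets that request header itself when forwarding, so it may be redundant). The `sslProxyHeaders` entry is the right place for telling Traefik which request headers mark an already-TLS request, so only the response-header copy needs to move or go. Since this middleware appears to be shared by other routers (the `auth-chain` context line suggests chains reference it), the new `X-Robots-Tag` value now applies to every route using `secure-headers`, not just Nextcloud; worth a comment if that is intended.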
@@ -1,6 +1,7 @@
 traefik-cf-env: ENC[AES256_GCM,data:g7Xw9UM1FeOFh+R0jGmPl9Gipix2WNilkCw30iDutxduhYCRmh3cye4D43Zy5x31kvdHej0pwlaSgEVbDOfBMoeENezrcDnLd3xqZHks75QleXv8Ujqoag==,iv:w/byUzrl/9+qcMnUERmO7RYpk991WbhRtcBJkIQIF1o=,tag:CxFiyegx/ZhzU+CU0Bkabg==,type:str]
 authelia-env: ENC[AES256_GCM,data:6fFB2jhyMiGKY/Y/cbel3p9wkEX72OPYHjoEereC7vj6kVH6fne7ctCKFgzZF0bGyET6iS7sh01Xgj+BNCejdSAoqjouoUHBcFc3VE7Vrecg/0LLDjLZ4sc1Fd1ZGLvcPNDTVL0j7UQTBX0MirB1yy4t2s1gNLUvjunwxtglLaAxjDIi541pZb4d9FL/BJ1g76dvGLIlyF4tKssSPSujLls/JrlG3/jbdrmS4sbA+ZI=,iv:eqeV4P1Rw0RxQqs//oYTzEQLyavLfbvKkz2JXs9fkmc=,tag:1rsGSeGVn3c3IYAsfghTXw==,type:str]
 authelia-storage-encryption-key: ENC[AES256_GCM,data:ub+rSg3lNyxVJapVhMJBu+9kfG6ToSJSXmgie3qOvlkRZy4oLYdEIvgcie9yZ6CnSAASMLVBX8GSt2XKee8Lbg==,iv:vHNERwAxZ8ndFKANC40GUqt1JF1ivBOPWt70MWgSMso=,tag:yQN8dDoXl6Uqg3VSG3hhUw==,type:str]
+nextcloud-admin-pass: ENC[AES256_GCM,data:yJFfJ7K/gyM71omo//qURGs=,iv:5JmRGdHHtJtiZeuF4kjok2nUrWQArRRTr5XbwJtDXxI=,tag:SY9Lz7QMCNoixUesA3Q9WQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -25,8 +26,8 @@ sops:
 SVdkN2htWTBaLy9jdGJ6S0RocE9JMFUK8yejh6yKp+OLsNFXWHUJzvHnwaGI1yXA
 Y4F7JY6bhXcu8KJGvjgy08ox+n82V6xY9ov1hwhUlfyIZf4H0/bjuA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-11T15:03:08Z"
- mac: ENC[AES256_GCM,data:gIT8+GGrup4dAqVG0iTZDiJV/2vc5H9Gw6OhKqGxWKWLd02awHEvSP54saLGRTOel704UNCSeAvOmttAE1sSCGKCxffFh7rsJnp8U06v9GFNA4A4EmacfjQJ4eVTzETkbTf3OOghkA5NNxiRwAlwmdMVOW2DBp7cxW7O+RuCg/k=,iv:+qHNrk06eIiJj9smg67QaqQvWoapjVYNv3qVvPhlEbw=,tag:UqPtQYyP2JC8lX4DP4ormw==,type:str]
+ lastmodified: "2024-11-13T07:50:57Z"
+ mac: ENC[AES256_GCM,data:3ww7LvMEg/qa8JJ6C4OlEvf4eqlQgvPtWDEkuY9QewnjSs7pAGNxQrOPpNCO4zLrO7Kx2u73Rcg8bzQXbBsPypR5LmlOC8hqi+OqW8k0YPmG8Ep0WVMX7v9IQsjM34JSyQFIKC7iD55diTi5B7W+a/MOpqJ0wvNPqPUwrbRA1/M=,iv:IgbubkYWcOrxXLRvHCknUNNkt1rQ+JDgcRTAaAgKZwU=,tag:WGVSgNnybAqfEgLl1kZx+w==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/nix/systems/x86_64-linux/serverz/default.nix b/nix/systems/x86_64-linux/serverz/default.nix
index f496163..de51c54 100644
--- a/nix/systems/x86_64-linux/serverz/default.nix
+++ b/nix/systems/x86_64-linux/serverz/default.nix
@@ -65,6 +65,12 @@ in {
 hostAddress = "172.16.64.10";
 localAddress = "172.16.64.105";
 };
+ nextcloud = {
+ enable = true;
+ host = "nextcloud2.sbulav.ru";
+ hostAddress = "172.16.64.10";
+ localAddress = "172.16.64.106";
+ };
 };
 
 environment.systemPackages = with pkgs; [
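Review bot: `hostAddress = "172.16.64.10";` and `localAddress = "172.16.64.106";` in the new `nextcloud` block repeat the defaults the nextcloud module declares in this same commit, so they can be dropped unless the intent is to pin them explicitly at the system level. `host = "nextcloud2.sbulav.ru"` differs from the module default `nextcloud.sbulav.ru`; if that is deliberate (a second instance alongside an existing one, say), a one-line comment such as `# parallel instance; DNS for nextcloud.sbulav.ru still points elsewhere` would save the next reader a trip to the module.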