From a7cca4355e7f8d2c56ea5004de60bc1b2668f142 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Tue, 29 Nov 2022 19:02:01 +0100
Subject: [PATCH] add nextcloud my-service with sqlite
---
 modules/services/default.nix | 8 ++
 modules/services/minecraft-server/default.nix | 21 +++
 modules/services/nextcloud/default.nix | 130 ++++++++++++++++++
 nixos/newton/configuration.nix | 11 +-
 nixos/newton/secrets.yaml | 6 +-
 nixos/newton/services.nix | 80 ++++++++++-
 6 files changed, 243 insertions(+), 13 deletions(-)
 create mode 100644 modules/services/minecraft-server/default.nix
 create mode 100644 modules/services/nextcloud/default.nix
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 8b105cf..d7a2fd8 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,10 +1,18 @@
 { ... }: {
 imports = [
+ ./gitea
+ ./hedgedoc
+ ./homepage
 ./homer
 ./jellyfin
+ ./minecraft-server
 ./mumble-server
+ ./navidrome
+ ./nextcloud
 ./nginx
+ ./passworts
+ ./paperless
 ./rss-bridge
 ./ssh-server
 ];
diff --git a/modules/services/minecraft-server/default.nix b/modules/services/minecraft-server/default.nix
new file mode 100644
index 0000000..31bec13
--- /dev/null
+++ b/modules/services/minecraft-server/default.nix
@@ -0,0 +1,21 @@
+# sandbox video game
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.minecraft-server;
+in
+{
+ options.my.services.minecraft-server = with lib; {
+ enable = mkEnableOption "Minecraft Server";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.minecraft-server = {
+ enable = true;
+ eula = true;
+ package = pkgs.unstable.minecraft-server;
+ openFirewall = true;
+
+ jvmOpts = "-Xms8G -Xmx8G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:MaxGCPauseMillis=100 -XX:+DisableExplicitGC -XX:TargetSurvivorRatio=90 -XX:G1NewSizePercent=50 -XX:G1MaxNewSizePercent=80 -XX:G1MixedGCLiveThresholdPercent=50 -XX:+AlwaysPreTouch";
+ };
+ };
+}
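Review bot: `openFirewall = true;` opens the server port on every interface, yet nothing in this new module says who may join — `services.minecraft-server` is enabled with no `whitelist`, `declarative` or `serverProperties`, so access control falls back to whatever the NixOS module and upstream `server.properties` default to, which is not visible from here. Before exposing a game server to the internet I would pin that explicitly, e.g. `declarative = true;`, `whitelist = { <player> = "<uuid>"; };` and `serverProperties = { white-list = true; online-mode = true; };` (option names as I recall them from the NixOS module — confirm against the nixpkgs revision in use), or at least record in a comment why an open server is intended. `eula = true;` is a legal acceptance made on behalf of the operator and deserves a one-line comment saying so. The fixed 8 GiB heap in `jvmOpts` silently assumes the host has that much RAM to spare; a short `# sized for newton's RAM; lower -Xms/-Xmx on smaller hosts` would make the assumption explicit.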
diff --git a/modules/services/nextcloud/default.nix b/modules/services/nextcloud/default.nix
new file mode 100644
index 0000000..e9da5d4
--- /dev/null
+++ b/modules/services/nextcloud/default.nix
@@ -0,0 +1,130 @@
+# self-hosted cloud
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.nextcloud;
+ domain = config.networking.domain;
+in
+{
+ options.my.services.nextcloud = with lib; {
+ enable = mkEnableOption "Nextcloud";
+ maxSize = mkOption {
+ type = types.str;
+ default = "1G";
+ example = "512M";
+ description = "Maximum file upload size";
+ };
+ admin = mkOption {
+ type = types.str;
+ default = "felix";
+ example = "admin";
+ description = "Name of the admin user";
+ };
+ defaultPhoneRegion = mkOption {
+ type = types.str;
+ default = "DE";
+ example = "US";
+ description = "country codes for automatic phone-number ";
+ };
+ passwordFile = mkOption {
+ type = types.str;
+ example = "/var/lib/nextcloud/password.txt";
+ description = ''
+ Path to a file containing the admin's password, must be readable by
+ 'nextcloud' user.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud25;
+ hostName = "cloud.${domain}";
+ maxUploadSize = cfg.maxSize;
+ autoUpdateApps.enable = true;
+ config = {
+ adminuser = cfg.admin;
+ adminpassFile = cfg.passwordFile;
+ defaultPhoneRegion = cfg.defaultPhoneRegion;
+
+ overwriteProtocol = "https"; # Nginx only allows SSL
+
+ #dbtype = "pgsql";
+ #dbhost = "/run/postgresql";
+ };
+
+ extraApps = {
+ calendar = pkgs.fetchNextcloudApp rec {
+ name = "calendar";
+ url = "https://github.com/nextcloud-releases/calendar/releases/download/v${version}/calendar-v${version}.tar.gz";
+ version = "4.1.0";
+ sha256 = "sha256-K5jqDgukylIREi5f4rS2OFP33u0ytmmI5ktW8ukWCjk=";
+ };
+ contacts = pkgs.fetchNextcloudApp rec {
+ name = "contacts";
+ url = "https://github.com/nextcloud-releases/contacts/releases/download/v${version}/contacts-v${version}.tar.gz";
+ version = "5.0.1";
+ sha256 = "sha256-vdSw7oF2D/2r5xl0wUyOfQXp0lbgWCedIuVn9HKkFws=";
+ };
+ tasks = pkgs.fetchNextcloudApp rec {
+ name = "tasks";
+ url = 
"https://github.com/nextcloud/tasks/releases/download/v${version}/tasks.tar.gz"; + version = "0.14.5"; + sha256 = "sha256-/foxaKyA6u8+LeUAnu4Co2msyNNd/YKD0fJUI73zxTI="; + }; + deck = pkgs.fetchNextcloudApp rec { + name = "deck"; + url = "https://github.com/nextcloud/deck/releases/download/v${version}/deck.tar.gz"; + version = "1.8.2"; + sha256 = "sha256-L8mFbKUi/LSXKTWjMTGeCzdiCvEgsk7p+xMRovxrCf0="; + }; + }; + }; + + #services.postgresql = { + # enable = true; + # ensureDatabases = [ "nextcloud" ]; + # ensureUsers = [ + # { + # name = "nextcloud"; + # ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + # } + # ]; + #}; + + #systemd.services."nextcloud-setup" = { + # requires = [ "postgresql.service" ]; + # after = [ "postgresql.service" ]; + #}; + + # The service above configures the domain, no need for my wrapper + services.nginx.virtualHosts."cloud.${domain}" = { + forceSSL = true; + useACMEHost = domain; + + # so homer can get the online status + extraConfig = lib.optionalString config.my.services.homer.enable '' + add_header Access-Control-Allow-Origin https://${domain}; + ''; + }; + + #my.services.backup = { + # paths = [ + # config.services.nextcloud.home + # ]; + # exclude = [ + # # image previews can take up a lot of space + # "${config.services.nextcloud.home}/data/appdata_*/preview" + # ]; + #}; + + webapps.apps.nextcloud = { + dashboard = { + name = "Nextcloud"; + category = "app"; + icon = "cloud"; + link = "https://cloud.${domain}/login"; + }; + }; + }; +} diff --git a/nixos/newton/configuration.nix b/nixos/newton/configuration.nix index d4c7cda..190e453 100644 --- a/nixos/newton/configuration.nix +++ b/nixos/newton/configuration.nix 
@@ -12,20 +12,15 @@
 ../modules/docker.nix
 ../modules/networkdecrypt.nix
 ../modules/nix.nix
- ../modules/ssh.nix
 ../modules/users.nix
- ../modules/webapps/gitea.nix
- ../modules/webapps/hedgedoc.nix
- ../modules/webapps/homer.nix
- ../modules/webapps/navidrome.nix
- ../modules/webapps/paperless.nix
- ../modules/webapps/radicale.nix
+ #../modules/webapps/radicale.nix
 ];
+ networking.hostName = "newton";
 sops = {
 defaultSopsFile = ./secrets.yaml;
- gnupg.sshKeyPaths = [];
+ gnupg.sshKeyPaths = [ ];
 };
 #environment.noXlibs = true;
diff --git a/nixos/newton/secrets.yaml b/nixos/newton/secrets.yaml
index 388302e..13d8dec 100644
--- a/nixos/newton/secrets.yaml
+++ b/nixos/newton/secrets.yaml
@@ -11,6 +11,8 @@ paperless:
 password: ENC[AES256_GCM,data:GrH2MEFUGSoJEUnFUb5nTxHHnnSIohwEUVU+2Xpa,iv:U9tDsq5PsqFzzl1e1sYUL5XxUqGEmdiZoJtCh96+yEA=,tag:qVu2bulQ9wz+K0lmbMULzQ==,type:str]
 freshrss:
 password: ENC[AES256_GCM,data:dUOKeRxovwIHIchkwMFxsQYEKrU2muY=,iv:OA1zbIiV3NBWIoJLpxpLBEjR/I6m5vzVKvzMEZYYE7Q=,tag:r4PbEbEkSH3bsJMamDuuFw==,type:str]
+nextcloud:
+ password: ENC[AES256_GCM,data:uE507Ij34zJVYnd2YkNCGj8hpFpEM5w=,iv:x8BNCUaAas0poQ/Lo0izZApF6l52xal8DDrClIzWjvk=,tag:sA08dmcVQbKswX9hF/txag==,type:str]
 sso:
 auth-key: ENC[AES256_GCM,data:jFDeymziDiJMnoIGjYPMmnxTzKer1bFffGDaoHnbKlpMPslP/Bmtsc5kio2tbDBlxG0TCdf+ePirPPw2,iv:8wGHEp1gB/qgkSvqkqjb9zBnqkkl1+Ezm9tCFS8tL3w=,tag:tHIT9Iw29TUXJm2e7z3Z/A==,type:str]
 felix:
@@ -42,8 +44,8 @@ sops:
 NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
 s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-10-02T21:20:32Z"
- mac: ENC[AES256_GCM,data:TdxemiZ8xz3BuoBy8JB/J15Bikl6+LMR8QqVwWlo45kY1hFVKF7dJGOohGng1jX1GQ6Ec89iw1yRNtMtTpEcRzQgrcMtZQwtM7n/+YNcTVYifTGsRBt/VojB9QWRqy1xclLwWMzBL4q0PWAh1ljVtAhB2lL+QQ7aUiWeFrb969g=,iv:zjbdzkLn4YcenCcO+iP3H3RQ19Fq5eo1dai65QBahPY=,tag:ZNC27P3Jl4PlRZptxmgbAQ==,type:str]
+ lastmodified: "2022-11-13T15:50:14Z"
+ mac: ENC[AES256_GCM,data:RmNsaye+hanRtzO1BNj6Q/LKS4ACRufzs7TGGcQHfVbi8QyrBqltGoox9ukgaN5PqBNR+uz3+Grpzkjj33xtdJuSRoHNk7aa/q2FHFHmJs+qIggf3HRzgfmBPkP0K9kJdFeOYvy0XoZWMdmaZ9H3fC8kqbEkQPMTrwnKEiDOx6M=,iv:ntjiRk8UUbsnPaKW1AxEoa8RRejA9LCKYNGD6s8dKwI=,tag:hKi3HZoMuOwtAcd7oyUZgw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/nixos/newton/services.nix b/nixos/newton/services.nix
index 8c0e11e..9b61d54 100644
--- a/nixos/newton/services.nix
+++ b/nixos/newton/services.nix
@@ -4,11 +4,85 @@ let
 secrets = config.sops.secrets;
 in
 {
+ sops.secrets."acme/inwx" = { };
+ sops.secrets."sso/auth-key" = { };
+ sops.secrets."sso/felix/password-hash" = { };
+ sops.secrets."sso/felix/totp-secret" = { };
+ sops.secrets."paperless/password" = { };
+ sops.secrets."nextcloud/password" = { };
+ sops.secrets."nextcloud/password".owner = config.users.users.nextcloud.name;
+
 # List services that you want to enable:
 my.services = {
+ # My own personal homepage
+ homepage = {
+ enable = true;
+ };
+ # Dashboard
+ homer = {
+ enable = true;
+ };
 # RSS provider for websites that do not provide any feeds
- rss-bridge.enable = true;
- # Voice-chat server
- mumble-server.enable = true;
+ rss-bridge = {
+ enable = true;
+ };
+ # voice-chat server
+ mumble-server = {
+ enable = true;
+ };
+ # sandbox video game
+ minecraft-server = {
+ enable = true;
+ };
+ # music streaming server
+ navidrome = {
+ enable = true;
+ musicFolder = "/srv/data/music";
+ };
+ # self-hosted cloud
+ nextcloud = {
+ enable = true;
+ passwordFile = secrets."nextcloud/password".path;
+ };
+ # document management system
+ paperless = {
+ enable = true;
+ passwordFile = secrets."paperless/password".path;
+ extraConfig.PAPERLESS_ADMIN_USER = "felix";
+ };
+ # self-hosted git service
+ gitea = {
+ enable = true;
+ };
+ # collaborative markdown editor
+ hedgedoc = {
+ enable = true;
+ };
+ # a password-generator using the marokov model
+ passworts = {
+ enable = true;
+ };
+ ssh-server = {
+ enable = true;
+ };
+ # Webserver
+ nginx = {
+ enable = true;
+ acme = {
+ credentialsFile = secrets."acme/inwx".path;
+ };
+ sso = {
+ authKeyFile = secrets."sso/auth-key".path;
+ users = {
+ felix = {
+ passwordHashFile = secrets."sso/felix/password-hash".path;
+ totpSecretFile = secrets."sso/felix/totp-secret".path;
+ };
+ };
+ groups = {
+ root = [ "felix" ];
+ };
+ };
+ };
 };
 }
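Review bot: Only `nextcloud/password` is given an `owner`; `paperless/password`, `acme/inwx` and the three `sso/*` secrets keep sops-nix's default of a root-owned, mode 0400 file, so whichever service reads them must either run as root or receive the file through a systemd credential — that wiring lives in the `my.services.*` modules, which are not in this hunk, so please confirm each consumer can actually open its file, because a wrong owner surfaces only at runtime as a permission error (the paperless module in particular runs as its own user, if it follows the NixOS one). Stylistically, `sops.secrets."nextcloud/password" = { };` followed by a separate `.owner = …` line is redundant; a single `sops.secrets."nextcloud/password".owner = config.users.users.nextcloud.name;` (or one attrset `{ owner = config.users.users.nextcloud.name; }`) says the same. A short header above the block, `# Secrets decrypted at activation; set owner to the consuming service's user`, would document the intent that the nextcloud line now only implies, and `marokov` in the passworts comment should read `markov`.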