From 6f9706d8f2adf881fa53b389f5f3ad4cbf8fbd81 Mon Sep 17 00:00:00 2001 From: blaknull Date: Tue, 12 Nov 2024 09:10:04 -0600 Subject: [PATCH] nextcloud --- flake.lock | 34 ++++----- home-manager/packages/default.nix | 1 + .../configuration/homebox/default.nix | 12 ++- .../homebox/secrets/secrets.yaml | 9 ++- system-config/services/containers/default.nix | 2 +- .../services/containers/gitlab/default.nix | 2 +- .../services/containers/nextcloud/default.nix | 52 +++++++++++++ .../services/containers/pihole/default.nix | 56 -------------- .../services/containers/traefik/default.nix | 74 ++++++++----------- 9 files changed, 119 insertions(+), 123 deletions(-) create mode 100644 system-config/services/containers/nextcloud/default.nix diff --git a/flake.lock b/flake.lock index 287740e..c5081c1 100644 --- a/flake.lock +++ b/flake.lock @@ -274,11 +274,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-sdsD7OzeWyBdSRpf90GeDM/xCoNIdAVh1OsPnqLdlkU=", - "path": "/nix/store/qzwsi8yafmx6fwb6pkj8mnv09jxpmq10-source/external", + "path": "/nix/store/fzn4is98a0rrszcmm6vgz4f4j31sby2v-source/external", "type": "path" }, "original": { - "path": "/nix/store/qzwsi8yafmx6fwb6pkj8mnv09jxpmq10-source/external", + "path": "/nix/store/fzn4is98a0rrszcmm6vgz4f4j31sby2v-source/external", "type": "path" } }, @@ -1384,12 +1384,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-swUtIf1jN3XSE4xExChj4M5rBWCSs08qqxXsJu1tZYs=", - "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/home-manager", + "narHash": "sha256-mrfMvef+tOYMK35horTWF43tQpES1zI7hb5RbzN3oIk=", + "path": "/nix/store/i9xr2hp5qs0ds8alz0r0b1vjzgxgf2vs-source/home-manager", "type": "path" }, "original": { - "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/home-manager", + "path": "/nix/store/i9xr2hp5qs0ds8alz0r0b1vjzgxgf2vs-source/home-manager", "type": "path" } }, 
@@ -1946,12 +1946,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-c5NG8DPgBUepMNi5yxYaIBPVUpgWseGBgfbIsdZtuD4=", - "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/packages", + "narHash": "sha256-bdsn3cBMySV5RHcYNRe3gp7PWEv6Y8dg9EgLUQU+1os=", + "path": "/nix/store/nbdr1yhyl2hy67anrvpfjp377anrd38q-source/packages", "type": "path" }, "original": { - "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/packages", + "path": "/nix/store/nbdr1yhyl2hy67anrvpfjp377anrd38q-source/packages", "type": "path" } }, @@ -2051,11 +2051,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-5gepalTSnDyC1WW11Gp75FAPeex5V9M0xOUn9amViyw=", - "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/programs", + "path": "/nix/store/nbdr1yhyl2hy67anrvpfjp377anrd38q-source/programs", "type": "path" }, "original": { - "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/programs", + "path": "/nix/store/nbdr1yhyl2hy67anrvpfjp377anrd38q-source/programs", "type": "path" } }, @@ -2066,11 +2066,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=", - "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/programs", + "path": "/nix/store/bj77knasy2hbj35s703i2wb6kb8a53np-source/programs", "type": "path" }, "original": { - "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/programs", + "path": "/nix/store/bj77knasy2hbj35s703i2wb6kb8a53np-source/programs", "type": "path" } }, @@ -2142,11 +2142,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/services/sddm", + "path": "/nix/store/bj77knasy2hbj35s703i2wb6kb8a53np-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/cys6k1rm3riwhaiwf0fx7jvfq4dm0yn5-source/services/sddm", + "path": "/nix/store/bj77knasy2hbj35s703i2wb6kb8a53np-source/services/sddm", "type": "path" } }, 
@@ -2213,12 +2213,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-+lpkyF/b2w9P0vWDZdkv42PIlOxICLWdCms+U9HkH+4=", - "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/system-config", + "narHash": "sha256-CvWcEd6AhbWJueaGBWuloqDST+vGH1vCb2YIdN1r6ys=", + "path": "/nix/store/i9xr2hp5qs0ds8alz0r0b1vjzgxgf2vs-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/3nayfrr03wsxjgyamh8g8p96ixdvmd73-source/system-config", + "path": "/nix/store/i9xr2hp5qs0ds8alz0r0b1vjzgxgf2vs-source/system-config", "type": "path" } }, diff --git a/home-manager/packages/default.nix b/home-manager/packages/default.nix index ce1d0e8..9f970c6 100644 --- a/home-manager/packages/default.nix +++ b/home-manager/packages/default.nix @@ -52,6 +52,7 @@ cava android-tools neovim-remote + handbrake (pkgs.python311.withPackages pypkgs) diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 0dd4e5f..f6c7885 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -88,9 +88,9 @@ networking = { hostName = "homebox"; - nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; + nameservers = [ "127.0.0.1" ]; networkmanager.enable = true; - firewall.allowedTCPPorts = [ 22 80 443 9000 ]; + firewall.allowedTCPPorts = [ 22 80 443 9000 8080 ]; hosts = { "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ]; }; @@ -191,7 +191,13 @@ "authentik/pass" = {}; "authentik/secret_key" = {}; + "pihole/pass" = {}; + + "gitlab/db_pass" = {}; + "gitlab/root_pass" = {}; + + "nextcloud/pass" = {}; }; }; @@ -250,6 +256,8 @@ "blunkall.us".enable = true; pihole.enable = true; + + nextcloud.enable = true; gitlab.enable = false; }; diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml index 279bc7d..9b393ca 100644 
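Review bot: Adding 8080 to the global `firewall.allowedTCPPorts` in the homebox `networking` hunk exposes the Pi-hole admin UI on every host interface, while the only consumer visible in this patch is the traefik backend that reaches it at `http://192.168.100.10:8080` over the container network, so the TLS and routing layer can be bypassed by anything that reaches the host directly. If the port only needs to be reachable from the traefik container, scope it to that container's host-side interface with `networking.firewall.interfaces.<traefik-veth>.allowedTCPPorts = [ 8080 ];` (interface name is a placeholder) and leave the global list as it was. In the same hunk `nameservers = [ "127.0.0.1" ]` makes host name resolution depend entirely on the pihole docker-compose service being up, now that the unbound container is deleted by this patch; a fallback resolver, or a comment stating that this dependency is intentional, would help the next reader.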
--- a/system-config/configuration/homebox/secrets/secrets.yaml +++ b/system-config/configuration/homebox/secrets/secrets.yaml @@ -5,6 +5,11 @@ authentik: secret_key: ENC[AES256_GCM,data:tIWDGtB/z7Ysizz9FPQJe2EeSTAxDPkeHJnaDfytDvbqvRaiCgg7qGpEF6hAQFdZ,iv:gloup5aI0qY+SYJt8V6lvUdE+18IWH09BXtz8dRi6JE=,tag:vFwF9h1Rsa/X1bjvdSRSfQ==,type:str] pihole: pass: ENC[AES256_GCM,data:hintZA==,iv:HA5K8mHYlLtf5s8iaLI/QRolYgcKwG8DWCH+LXnWI4k=,tag:DlnXxG0n9dBVpk2kILlPKg==,type:str] +gitlab: + db_pass: "" + root_pass: "" +nextcloud: + pass: ENC[AES256_GCM,data:U/VI/uHDT1a5O4iAHUVwsz/h,iv:W0hAXBddFKhXmDWHpCB2JhjPPTEGer7721WtIRxg4Zo=,tag:OE4wzibNaaXsbfFuk0dwTA==,type:str] sops: kms: [] gcp_kms: [] @@ -20,8 +25,8 @@ sops: S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T17:49:35Z" - mac: ENC[AES256_GCM,data:sjv2jD36o02RWeuDcEnUbUGRiAVvH/Gv+TJw9sIydaMT3uSJklRZ3pct71NZQerxi0WLJLimjLJMJQjL65VzrCzA8oU1KT3cawUo1val3/9OUxcrFln9EOdm3569X4/iU+44cAn8Tz68kO2Cq4BxtyESMEpTv4WdKSCnAydZmTg=,iv:u7EHrQ4GfXIRzb0f0YN9a8J1HLEoHPNA7/mb2dh3hR4=,tag:PQOAqCF8fyjd26qsesC3gw==,type:str] + lastmodified: "2024-11-12T14:28:49Z" + mac: ENC[AES256_GCM,data:fXVSjqESPAREM5Iz3ZXS9stkYrXTeO4PR0lZuf8baR8OA9P07sQcPtq2parKL8RlALLcrdi3uqDJhv0Zw7mVwvnvzlgKsLssiz4U/N4zzIhwNXGvXccwKF4IEJD48/wRz31S87haIu0N8LHrV3LS++eZLnbWaqtVzuT39WxGUww=,iv:0QqLBKm3T+wCFgjFedViaCYBgBRKUkabqW6sv1OBSQE=,tag:ovUkgubwRfZnc94Ss4G2tA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/system-config/services/containers/default.nix b/system-config/services/containers/default.nix index 5aea350..5bd7b9d 100644 --- a/system-config/services/containers/default.nix +++ b/system-config/services/containers/default.nix @@ -3,10 +3,10 @@ imports = [ ./gitlab ./traefik -# ./authentik-nix ./authentik ./nginx ./jellyfin ./pihole + ./nextcloud ]; } 
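Review bot: `db_pass: ""` and `root_pass: ""` under `gitlab` are committed as literal values, unlike every other leaf in the file, which is `ENC[...]`; the sops `mac` covers them, but a real value pasted in the same way would land in git unencrypted. Either drop the keys until real values exist, or enter them through `sops` so they are stored as `ENC[...]` and the `mac`/`lastmodified` trailer is regenerated. Meanwhile the matching `sops.secrets."gitlab/..."` declarations added to homebox/default.nix will presumably materialize empty secret files, which is harmless only while `gitlab.enable = false`.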
diff --git a/system-config/services/containers/gitlab/default.nix b/system-config/services/containers/gitlab/default.nix
index 2b5d18e..6179f64 100644
--- a/system-config/services/containers/gitlab/default.nix
+++ b/system-config/services/containers/gitlab/default.nix
@@ -12,7 +12,7 @@
 autoStart = true;
 privateNetwork = true;
 hostAddress = "192.168.100.10";
- localAddress = "192.168.100.";
+ localAddress = "192.168.100.16";
 bindMounts = {
 "/etc/gitlab/data" = {
 hostPath = "/ssd1/Gitlab/data";
diff --git a/system-config/services/containers/nextcloud/default.nix b/system-config/services/containers/nextcloud/default.nix
new file mode 100644
index 0000000..8c4b0b1
--- /dev/null
+++ b/system-config/services/containers/nextcloud/default.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }: {
+
+ options.sysconfig.opts.virtualization.nextcloud.enable = lib.options.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf config.sysconfig.opts.virtualization.nextcloud.enable {
+
+ sops.templates."nextcloud_pass.txt" = {
+ content = ''
+ ${config.sops.placeholder."nextcloud/pass"}
+ '';
+
+ path = "/ssd1/Nextcloud/nextcloud_pass.txt";
+ };
+
+ containers.nextcloud = {
+
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.16";
+
+ bindMounts = {
+
+ "/var/lib/nextcloud" = {
+ hostPath = "/ssd1/Nextcloud";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+
+ services.nextcloud = {
+
+ enable = true;
+ package = pkgs.nextcloud30;
+ hostName = "localhost";
+ config.adminPassFile = "/var/lib/nextcloud/nextcloud_pass.txt";
+ dataDir = "/var/lib/nextcloud/data";
+ home = "/var/lib/nextcloud/nextcloud_home";
+ https = true;
+ maxUploadSize = "5G";
+ settings = {
+ overwriteprotocol = "https";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/system-config/services/containers/pihole/default.nix b/system-config/services/containers/pihole/default.nix
index f308d5c..dbb3771 100644
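Review bot: `localAddress = "192.168.100.16"` is the same address the new nextcloud container in this patch assigns to itself (`containers.nextcloud.localAddress`), and the traefik `nextcloud` backend points at `http://192.168.100.16:80`; gitlab is `enable = false` for now, but the moment it is switched on two containers will claim one address on the bridge and traffic for either may land on the other. Give gitlab a distinct address, e.g. `localAddress = "192.168.100.17";` (constructed example), and consider a short comment in homebox/default.nix listing which container owns which address so the next addition does not repeat this. The enclosing `containers.gitlab` attribute set starts and ends outside the hunk.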
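Review bot: `hostName = "localhost"` becomes the only entry in this Nextcloud instance's trusted domains, but the traefik router added in this patch forwards requests for `nextcloud.blunkall.us` to this container, and Traefik passes the original Host header by default, so those requests will most likely be answered with Nextcloud's "untrusted domain" page. Setting `hostName = "nextcloud.blunkall.us";` (or adding the name via `settings.trusted_domains`) fixes that, and since the instance only ever sits behind the proxy, `settings.trusted_proxies` should list the proxy's address so brute-force protection and logs key on the real client IP rather than the proxy's. The admin password template is written to `/ssd1/Nextcloud/nextcloud_pass.txt`, which this file bind-mounts read-write as `/var/lib/nextcloud`; a comment on the `sops.templates` block stating whether the file is still needed after the initial install and which owner/mode the template is given would save the next reader a check.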
--- a/system-config/services/containers/pihole/default.nix +++ b/system-config/services/containers/pihole/default.nix @@ -25,61 +25,5 @@ ${pkgs.docker-compose}/bin/docker-compose up ''; }; - - containers.unbound = { - - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.15"; - - config = { - - services.unbound = { - enable = true; - - settings = { - server = { - interface = [ "127.0.0.1" ]; - - port = 5335; - - do-ipv4 = "yes"; - - do-udp = "yes"; - - do-tcp = "yes"; - - do-ipv6 = "no"; - - perfer-ipv6 = "no"; - - harden-glue = "yes"; - - harden-dnssec-stripped = "yes"; - - use-caps-for-id = "no"; - - edns-buffer-size = 1232; - - prefetch = "yes"; - - num-threads = 1; - - so-rcvbuf = "1m"; - - private-address = [ - "192.168.0.0/16" - "169.254.0.0/16" - "172.16.0.0/12" - "10.0.0.0/8" - "fd00::/8" - "fe80::/10" - ]; - }; - }; - }; - }; - }; }; } diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix index a833166..59ec535 100644 --- a/system-config/services/containers/traefik/default.nix +++ b/system-config/services/containers/traefik/default.nix @@ -55,7 +55,6 @@ serversTransport.insecureSkipVerify = true; api = { dashboard = true; - insecure = true; debug = true; }; global = { @@ -91,7 +90,7 @@ certResolver = "cloudflare"; domains = { main = "blunkall.us"; - sans = [ "*.blunkall.us" "blunkall.us" ]; + sans = [ "*.local.blunkall.us" "*.blunkall.us" "blunkall.us" ]; }; }; }; 
@@ -132,68 +131,45 @@ middlewares = [ "authentik" ]; - /*tls = { - certResolver = "cloudflare"; - domains = { - main = "blunkall.us"; - sans = [ "*.blunkall.us" ]; - }; - };*/ }; jellyfin = { entryPoints = [ "localsecure" "websecure" ]; rule = "Host(`jellyfin.blunkall.us`)"; service = "jellyfin"; - /*middlewares = [ - "authentik" - ];*/ - /*tls = { - certResolver = "cloudflare"; - domains = { - main = "blunkall.us"; - sans = [ "*.blunkall.us" ]; - }; - };*/ }; auth = { entryPoints = [ "localsecure" "websecure" ]; rule = "Host(`auth.blunkall.us`)"; service = "authentik"; - /*tls = { - certResolver = "cloudflare"; - domains = { - main = "blunkall.us"; - sans = [ "*.blunkall.us" ]; - }; - };*/ }; /*gitlab = { entryPoints = [ "localsecure" "websecure" ]; rule = "Host(`gitlab.blunkall.us`)"; service = "gitlab"; - tls = { - certResolver = "cloudflare"; - domains = { - main = "blunkall.us"; - sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; - }; - }; };*/ - /*local = { + nextcloud = { + entryPoints = [ "localsecure" "websecure" ]; + rule = "Host(`nextcloud.blunkall.us`)"; + service = "nextcloud"; + middlewares = [ + "nextcloud_redirectregex" + ]; + }; + + traefik = { entryPoints = [ "localsecure" ]; rule = "Host(`traefik.local.blunkall.us`)"; - service = "dashboard@internal"; - tls = { - certResolver = "cloudflare"; - domains = { - main = "blunkall.us"; - sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; - }; - }; - };*/ + service = "api@internal"; + }; + + pihole = { + entryPoints = [ "localsecure" ]; + rule = "Host(`pihole.local.blunkall.us`)"; + service = "pihole"; + }; }; middlewares = { @@ -214,6 +190,12 @@ "X-authentik-meta-version" ]; }; + + nextcloud_redirectregex.redirectregex = { + permanent = true; + regex = "https://(.*)/.well-known/(?:card|cal)dav"; + replacement = "https://$${1}/remote.php/dav"; + }; }; services = { 
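Review bot: The new `traefik` router exposes `api@internal` on the `localsecure` entry point with no middleware, and the new `pihole` router likewise carries none, whereas the `blunkall.us` router a few lines up is protected with `middlewares = [ "authentik" ]`; with `api.insecure` removed elsewhere in this patch the router is now the only thing gating the dashboard, so anyone who can reach `localsecure` gets it. Traefik's own guidance is to front `api@internal` with an auth middleware once `insecure` is off; adding `middlewares = [ "authentik" ];` to both routers keeps the dashboard and the Pi-hole admin UI behind the same SSO as the rest of the site. The enclosing `routers` attribute set starts outside the hunk.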
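Review bot: `replacement = "https://$${1}/remote.php/dav"` carries the docker-compose `$$` escape, but in a Nix double-quoted string `$$` is kept as two literal dollar signs, so Traefik receives `$${1}`; Go's replacement expansion then reads `$$` as a literal `$` and `{1}` as plain text, and the redirect would point at the literal `https://${1}/remote.php/dav` rather than the requesting host. If my reading of the Nix lexer is right, the Nix escape is what is wanted here: `replacement = "https://\${1}/remote.php/dav";`. Worth confirming with a `curl -I` against `/.well-known/caldav` after deploy; the enclosing `middlewares` set starts outside the hunk.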
@@ -224,12 +206,16 @@ jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ]; authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ]; + + pihole.loadBalancer.servers = [ { url = "http://192.168.100.10:8080"; } ]; + + nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ]; }; }; }; }; - networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080 ]; + networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 ]; networking.firewall.allowedUDPPorts = [ 80 443 ]; system.stateVersion = "24.05";