karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add nextcloud

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-06-16 00:40:24 +01:00
parent 6505f74ef3
commit f819c8c5e3
36 changed files with 572 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
hosts/common/configs/user/default.nix
View File

@@ -4,9 +4,7 @@
}:
{ ... }:
{
imports = [
./options.nix
];
imports = [ ./options.nix ];
home-manager.users.${user}.imports = [
./console/zsh/options.nix

4
hosts/himalia/hardware/keybinds.nix
View File

@@ -37,9 +37,7 @@
}
);
in
[
", XF86Launch3, exec, uwsm app -- $term ${farmAura}"
];
[ ", XF86Launch3, exec, uwsm app -- $term ${farmAura}" ];
};
}
];

2
hosts/himalia/hardware/scripts/farm-aura.sh
View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
SESSION_NAME="aura-farm-$$"
tmux new-session -d -s "$SESSION_NAME" "genact -s 25"

12
hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
View File

@@ -68,6 +68,8 @@ in
identity_validation.reset_password.jwt_secret =
hmConfig.sops.placeholder."authelia/resetPasswordJwt";
definitions.user_attributes.is_admin.expression = "\"admins\" in groups";
identity_providers.oidc = {
hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
@@ -94,6 +96,11 @@ in
];
};
};
claims_policies.is_admin.custom_claims.is_admin = { };
# FIXME: Add scope description
scopes.is_admin.claims = [ "is_admin" ];
};
storage = {
@@ -128,9 +135,10 @@ in
email = "nick@karaolidis.com";
groups = [
"admins"
"git"
"docs"
"gitea"
"outline"
"vaultwarden"
"nextcloud"
];
};
}

1
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -11,6 +11,7 @@ in
(import ./authelia { inherit user home; })
(import ./gitea { inherit user home; })
(import ./grafana { inherit user home; })
(import ./nextcloud { inherit user home; })
(import ./ntfy { inherit user home; })
(import ./outline { inherit user home; })
(import ./prometheus { inherit user home; })

14
hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
View File

@@ -13,7 +13,7 @@
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes networks;
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR";
podman = lib.meta.getExe pkgs.podman;
podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}";
@@ -166,12 +166,12 @@ in
authelia-gitea.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "gitea.yaml" {
identity_providers.oidc = {
authorization_policies.git = {
authorization_policies.gitea = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:git";
subject = "group:gitea";
}
];
};
@@ -182,7 +182,7 @@ in
client_name = "Gitea";
client_secret = hmConfig.sops.placeholder."gitea/authelia/digest";
redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ];
authorization_policy = "git";
authorization_policy = "gitea";
}
];
};
@@ -196,6 +196,7 @@ in
volumes = {
gitea-postgresql = { };
# TODO: Move LFS to mass storage
gitea = { };
};
@@ -229,7 +230,10 @@ in
];
};
unitConfig.After = [ "sops-nix.service" ];
unitConfig.After = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
};
gitea-postgresql = {

221
hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,221 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "7DXUBtkdLUUkmyV8oSXidP0XiU6W7usLvYRJ9TrbHy7IflFwWPmHVmU26oLahrj8bVURiexGfAr3bIey6vnlvirnYQ8HMo55NnqH";
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
templates = {
nextcloud-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."nextcloud/postgresql"}
'';
nextcloud-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."nextcloud/postgresql"}
'';
nextcloud.content = ''
<?php
$CONFIG = array (
'instanceid' => '${config.networking.hostName}',
'passwordsalt' => '${hmConfig.sops.placeholder."nextcloud/salt"}',
'secret' => '${hmConfig.sops.placeholder."nextcloud/secret"}',
'setup_create_db_user' => false,
'upgrade.disable-web' => true,
'integrity.check.disabled' => true,
'trusted_domains' => array (
0 => 'cloud.karaolidis.com',
),
'trusted_proxies' => [
'10.89.0.0/13',
'10.96.0.0/11',
'10.128.0.0/9'
],
'overwrite.cli.url' => 'https://cloud.karaolidis.com/',
'htaccess.RewriteBase' => '/',
'overwritehost' => 'cloud.karaolidis.com',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'maintenance_window_start' => 1,
'skeletondirectory' => ''',
'templatedirectory' => ''',
'mail_from_address' => 'jupiter',
'mail_smtpmode' => 'smtp',
'mail_sendmailmode' => 'smtp',
'mail_domain' => 'karaolidis.com',
'mail_smtphost' => 'smtp.protonmail.ch',
'mail_smtpport' => '587',
'mail_smtpauth' => true,
'mail_smtpname' => 'jupiter@karaolidis.com',
'mail_smtppassword' => '${hmConfig.sops.placeholder."nextcloud/smtp"}',
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => 'https://id.karaolidis.com',
'oidc_login_client_id' => '${autheliaClientId}',
'oidc_login_client_secret' => '${hmConfig.sops.placeholder."nextcloud/authelia/password"}',
'oidc_login_auto_redirect' => true,
'oidc_login_logout_url' => 'https://id.karaolidis.com/logout',
'oidc_login_end_session_redirect' => false,
'oidc_login_button_text' => 'Log in with Authelia',
'oidc_login_hide_password_form' => true,
'oidc_login_use_id_token' => false,
'oidc_login_attributes' => array (
'id' => 'preferred_username',
'name' => 'name',
'mail' => 'email',
'groups' => 'groups',
'is_admin' => 'is_admin',
),
'oidc_login_use_external_storage' => false,
'oidc_login_scope' => 'openid profile email groups is_admin',
'oidc_login_proxy_ldap' => false,
'oidc_login_disable_registration' => false,
'oidc_login_redir_fallback' => false,
'oidc_login_tls_verify' => true,
'oidc_create_groups' => false,
'oidc_login_webdav_enabled' => true,
'oidc_login_password_authentication' => true,
'oidc_login_min_time_between_jwks_requests' => 10,
'oidc_login_update_avatar' => true,
'oidc_login_code_challenge_method' => 'S256',
);
'';
authelia-nextcloud.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "nextcloud.yaml" {
identity_providers.oidc = {
authorization_policies.nextcloud = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:nextcloud";
}
];
};
clients = [
{
client_id = autheliaClientId;
client_name = "Nextcloud";
client_secret = hmConfig.sops.placeholder."nextcloud/authelia/digest";
redirect_uris = [ "https://cloud.karaolidis.com/apps/oidc_login/oidc" ];
authorization_policy = "nextcloud";
require_pkce = true;
pkce_challenge_method = "S256";
claims_policy = "is_admin";
scopes = [
"openid"
"profile"
"email"
"groups"
"is_admin"
];
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.nextcloud.networkConfig.internal = true;
volumes = {
nextcloud-postgresql = { };
nextcloud-config = { };
nextcloud-apps = { };
# TODO: Move to mass storage
nextcloud-data = { };
};
containers = {
nextcloud = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-nextcloud}";
networks = [
networks.nextcloud.ref
networks.traefik.ref
];
volumes = [
"${volumes.nextcloud-data.ref}:/var/lib/nextcloud"
"${volumes.nextcloud-config.ref}:/var/www/nextcloud/config"
"${volumes.nextcloud-apps.ref}:/var/www/nextcloud/apps"
"${hmConfig.sops.templates.nextcloud.path}:/var/www/nextcloud/config/override.config.php:ro"
];
environments = {
POSTGRES_HOST = "nextcloud-postgresql";
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
EXTRA_INIT = ''
occ config:app:set core shareapi_allow_custom_tokens --value true --type boolean --no-interaction
occ theming:config url https://cloud.karaolidis.com
'';
};
environmentFiles = [ hmConfig.sops.templates.nextcloud-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.nextcloud.rule=Host(`cloud.karaolidis.com`)"
];
};
unitConfig.After = [
"${containers.nextcloud-postgresql._serviceName}.service"
"sops-nix.service"
];
};
nextcloud-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.nextcloud.ref ];
volumes = [ "${volumes.nextcloud-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
};
environmentFiles = [ hmConfig.sops.templates.nextcloud-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-nextcloud.path}:/etc/authelia/conf.d/nextcloud.yaml:ro"
];
};
};
};
}

15
hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
View File

@@ -12,7 +12,7 @@
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes networks;
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "3U5O3TkoIFb3bz3MMqscGEDx2wkT2G48iLLJalqSKA40zCweSBfgORGNMjDEidz4qiQ93qIoW2UlgTyLfzAwbklTvwHJPcarmXaq";
in
{
@@ -45,12 +45,12 @@ in
authelia-outline.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "outline.yaml" {
identity_providers.oidc = {
authorization_policies.docs = {
authorization_policies.outline = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:docs";
subject = "group:outline";
}
];
};
@@ -61,7 +61,7 @@ in
client_name = "Outline";
client_secret = hmConfig.sops.placeholder."outline/authelia/digest";
redirect_uris = [ "https://docs.karaolidis.com/auth/oidc.callback" ];
authorization_policy = "docs";
authorization_policy = "outline";
scopes = [
"openid"
"profile"
@@ -83,6 +83,7 @@ in
volumes = {
outline-redis = { };
outline-postgresql = { };
# TODO: Move to mass storage
outline = { };
};
@@ -125,7 +126,11 @@ in
];
};
unitConfig.After = [ "sops-nix.service" ];
unitConfig.After = [
"${containers.outline-postgresql._serviceName}.service"
"${containers.outline-redis._serviceName}.service"
"sops-nix.service"
];
};
outline-postgresql = {

2
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -102,7 +102,7 @@ in
"traefik.http.routers.traefik-api.middlewares=authelia@docker"
"traefik.http.middlewares.compress.compress=true"
# TODO: Middlewares: Headers
# TODO: Middlewares: Headers (Security + Performance)
];
environmentFiles = [ hmConfig.sops.templates.traefik-env.path ];
};