@@ -0,0 +1,221 @@
|
||||
{
|
||||
user ? throw "user argument is required",
|
||||
home ? throw "home argument is required",
|
||||
}:
|
||||
{
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
system,
|
||||
...
|
||||
}:
|
||||
let
|
||||
selfPkgs = inputs.self.packages.${system};
|
||||
hmConfig = config.home-manager.users.${user};
|
||||
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
|
||||
autheliaClientId = "7DXUBtkdLUUkmyV8oSXidP0XiU6W7usLvYRJ9TrbHy7IflFwWPmHVmU26oLahrj8bVURiexGfAr3bIey6vnlvirnYQ8HMo55NnqH";
|
||||
in
|
||||
{
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
};
|
||||
|
||||
templates = {
|
||||
nextcloud-postgresql-env.content = ''
|
||||
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."nextcloud/postgresql"}
|
||||
'';
|
||||
|
||||
nextcloud-env.content = ''
|
||||
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."nextcloud/postgresql"}
|
||||
'';
|
||||
|
||||
nextcloud.content = ''
|
||||
<?php
|
||||
$CONFIG = array (
|
||||
'instanceid' => '${config.networking.hostName}',
|
||||
|
||||
'passwordsalt' => '${hmConfig.sops.placeholder."nextcloud/salt"}',
|
||||
'secret' => '${hmConfig.sops.placeholder."nextcloud/secret"}',
|
||||
|
||||
'setup_create_db_user' => false,
|
||||
'upgrade.disable-web' => true,
|
||||
'integrity.check.disabled' => true,
|
||||
|
||||
'trusted_domains' => array (
|
||||
0 => 'cloud.karaolidis.com',
|
||||
),
|
||||
'trusted_proxies' => [
|
||||
'10.89.0.0/13',
|
||||
'10.96.0.0/11',
|
||||
'10.128.0.0/9'
|
||||
],
|
||||
'overwrite.cli.url' => 'https://cloud.karaolidis.com/',
|
||||
'htaccess.RewriteBase' => '/',
|
||||
'overwritehost' => 'cloud.karaolidis.com',
|
||||
'overwriteprotocol' => 'https',
|
||||
'overwritewebroot' => '/',
|
||||
|
||||
'memcache.local' => '\\OC\\Memcache\\APCu',
|
||||
'maintenance_window_start' => 1,
|
||||
|
||||
'skeletondirectory' => ''',
|
||||
'templatedirectory' => ''',
|
||||
|
||||
'mail_from_address' => 'jupiter',
|
||||
'mail_smtpmode' => 'smtp',
|
||||
'mail_sendmailmode' => 'smtp',
|
||||
'mail_domain' => 'karaolidis.com',
|
||||
'mail_smtphost' => 'smtp.protonmail.ch',
|
||||
'mail_smtpport' => '587',
|
||||
'mail_smtpauth' => true,
|
||||
'mail_smtpname' => 'jupiter@karaolidis.com',
|
||||
'mail_smtppassword' => '${hmConfig.sops.placeholder."nextcloud/smtp"}',
|
||||
|
||||
'allow_user_to_change_display_name' => false,
|
||||
'lost_password_link' => 'disabled',
|
||||
|
||||
'oidc_login_provider_url' => 'https://id.karaolidis.com',
|
||||
'oidc_login_client_id' => '${autheliaClientId}',
|
||||
'oidc_login_client_secret' => '${hmConfig.sops.placeholder."nextcloud/authelia/password"}',
|
||||
'oidc_login_auto_redirect' => true,
|
||||
'oidc_login_logout_url' => 'https://id.karaolidis.com/logout',
|
||||
'oidc_login_end_session_redirect' => false,
|
||||
'oidc_login_button_text' => 'Log in with Authelia',
|
||||
'oidc_login_hide_password_form' => true,
|
||||
'oidc_login_use_id_token' => false,
|
||||
'oidc_login_attributes' => array (
|
||||
'id' => 'preferred_username',
|
||||
'name' => 'name',
|
||||
'mail' => 'email',
|
||||
'groups' => 'groups',
|
||||
'is_admin' => 'is_admin',
|
||||
),
|
||||
'oidc_login_use_external_storage' => false,
|
||||
'oidc_login_scope' => 'openid profile email groups is_admin',
|
||||
'oidc_login_proxy_ldap' => false,
|
||||
'oidc_login_disable_registration' => false,
|
||||
'oidc_login_redir_fallback' => false,
|
||||
'oidc_login_tls_verify' => true,
|
||||
'oidc_create_groups' => false,
|
||||
'oidc_login_webdav_enabled' => true,
|
||||
'oidc_login_password_authentication' => true,
|
||||
'oidc_login_min_time_between_jwks_requests' => 10,
|
||||
'oidc_login_update_avatar' => true,
|
||||
'oidc_login_code_challenge_method' => 'S256',
|
||||
);
|
||||
'';
|
||||
|
||||
authelia-nextcloud.content = builtins.readFile (
|
||||
(pkgs.formats.yaml { }).generate "nextcloud.yaml" {
|
||||
identity_providers.oidc = {
|
||||
authorization_policies.nextcloud = {
|
||||
default_policy = "deny";
|
||||
rules = [
|
||||
{
|
||||
policy = "one_factor";
|
||||
subject = "group:nextcloud";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
clients = [
|
||||
{
|
||||
client_id = autheliaClientId;
|
||||
client_name = "Nextcloud";
|
||||
client_secret = hmConfig.sops.placeholder."nextcloud/authelia/digest";
|
||||
redirect_uris = [ "https://cloud.karaolidis.com/apps/oidc_login/oidc" ];
|
||||
authorization_policy = "nextcloud";
|
||||
require_pkce = true;
|
||||
pkce_challenge_method = "S256";
|
||||
claims_policy = "is_admin";
|
||||
scopes = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
"groups"
|
||||
"is_admin"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
);
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.quadlet = {
|
||||
networks.nextcloud.networkConfig.internal = true;
|
||||
|
||||
volumes = {
|
||||
nextcloud-postgresql = { };
|
||||
nextcloud-config = { };
|
||||
nextcloud-apps = { };
|
||||
# TODO: Move to mass storage
|
||||
nextcloud-data = { };
|
||||
};
|
||||
|
||||
containers = {
|
||||
nextcloud = {
|
||||
containerConfig = {
|
||||
image = "docker-archive:${selfPkgs.docker-nextcloud}";
|
||||
networks = [
|
||||
networks.nextcloud.ref
|
||||
networks.traefik.ref
|
||||
];
|
||||
volumes = [
|
||||
"${volumes.nextcloud-data.ref}:/var/lib/nextcloud"
|
||||
"${volumes.nextcloud-config.ref}:/var/www/nextcloud/config"
|
||||
"${volumes.nextcloud-apps.ref}:/var/www/nextcloud/apps"
|
||||
"${hmConfig.sops.templates.nextcloud.path}:/var/www/nextcloud/config/override.config.php:ro"
|
||||
];
|
||||
environments = {
|
||||
POSTGRES_HOST = "nextcloud-postgresql";
|
||||
POSTGRES_DB = "nextcloud";
|
||||
POSTGRES_USER = "nextcloud";
|
||||
EXTRA_INIT = ''
|
||||
occ config:app:set core shareapi_allow_custom_tokens --value true --type boolean --no-interaction
|
||||
occ theming:config url https://cloud.karaolidis.com
|
||||
'';
|
||||
};
|
||||
environmentFiles = [ hmConfig.sops.templates.nextcloud-env.path ];
|
||||
labels = [
|
||||
"traefik.enable=true"
|
||||
"traefik.http.routers.nextcloud.rule=Host(`cloud.karaolidis.com`)"
|
||||
];
|
||||
};
|
||||
|
||||
unitConfig.After = [
|
||||
"${containers.nextcloud-postgresql._serviceName}.service"
|
||||
"sops-nix.service"
|
||||
];
|
||||
};
|
||||
|
||||
nextcloud-postgresql = {
|
||||
containerConfig = {
|
||||
image = "docker-archive:${selfPkgs.docker-postgresql}";
|
||||
networks = [ networks.nextcloud.ref ];
|
||||
volumes = [ "${volumes.nextcloud-postgresql.ref}:/var/lib/postgresql/data" ];
|
||||
environments = {
|
||||
POSTGRES_DB = "nextcloud";
|
||||
POSTGRES_USER = "nextcloud";
|
||||
};
|
||||
environmentFiles = [ hmConfig.sops.templates.nextcloud-postgresql-env.path ];
|
||||
};
|
||||
|
||||
unitConfig.After = [ "sops-nix.service" ];
|
||||
};
|
||||
|
||||
authelia-init.containerConfig.volumes = [
|
||||
"${hmConfig.sops.templates.authelia-nextcloud.path}:/etc/authelia/conf.d/nextcloud.yaml:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user