karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add nextcloud

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-06-16 00:40:24 +01:00
parent 6505f74ef3
commit f819c8c5e3
36 changed files with 572 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
hosts/common/configs/user/default.nix
View File

@@ -4,9 +4,7 @@
}: }:
{ ... }: { ... }:
{ {
imports = [ imports = [ ./options.nix ];
./options.nix
];
home-manager.users.${user}.imports = [ home-manager.users.${user}.imports = [
./console/zsh/options.nix ./console/zsh/options.nix

4
hosts/himalia/hardware/keybinds.nix
View File

@@ -37,9 +37,7 @@
} }
); );
in in
[ [ ", XF86Launch3, exec, uwsm app -- $term ${farmAura}" ];
", XF86Launch3, exec, uwsm app -- $term ${farmAura}"
];
}; };
} }
]; ];

2
hosts/himalia/hardware/scripts/farm-aura.sh
View File

@@ -1,3 +1,5 @@
# shellcheck shell=bash
SESSION_NAME="aura-farm-$$" SESSION_NAME="aura-farm-$$"
tmux new-session -d -s "$SESSION_NAME" "genact -s 25" tmux new-session -d -s "$SESSION_NAME" "genact -s 25"

12
hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
View File

@@ -68,6 +68,8 @@ in
identity_validation.reset_password.jwt_secret = identity_validation.reset_password.jwt_secret =
hmConfig.sops.placeholder."authelia/resetPasswordJwt"; hmConfig.sops.placeholder."authelia/resetPasswordJwt";
definitions.user_attributes.is_admin.expression = "\"admins\" in groups";
identity_providers.oidc = { identity_providers.oidc = {
hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac"; hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
@@ -94,6 +96,11 @@ in
]; ];
}; };
}; };
claims_policies.is_admin.custom_claims.is_admin = { };
# FIXME: Add scope description
scopes.is_admin.claims = [ "is_admin" ];
}; };
storage = { storage = {
@@ -128,9 +135,10 @@ in
email = "nick@karaolidis.com"; email = "nick@karaolidis.com";
groups = [ groups = [
"admins" "admins"
"git" "gitea"
"docs" "outline"
"vaultwarden" "vaultwarden"
"nextcloud"
]; ];
}; };
} }

1
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -11,6 +11,7 @@ in
(import ./authelia { inherit user home; }) (import ./authelia { inherit user home; })
(import ./gitea { inherit user home; }) (import ./gitea { inherit user home; })
(import ./grafana { inherit user home; }) (import ./grafana { inherit user home; })
(import ./nextcloud { inherit user home; })
(import ./ntfy { inherit user home; }) (import ./ntfy { inherit user home; })
(import ./outline { inherit user home; }) (import ./outline { inherit user home; })
(import ./prometheus { inherit user home; }) (import ./prometheus { inherit user home; })

14
hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
View File

@@ -13,7 +13,7 @@
let let
selfPkgs = inputs.self.packages.${system}; selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes networks; inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR"; autheliaClientId = "I2ZYDFGWP1bzfiauXe94IaiReZF6SqoEskSp6phoL2L8l16Cq7YX3Vr4pkQOSYfNDOwuFjTRIpqQ8eAqK0M93NeEgpr8YoPhKHyR";
podman = lib.meta.getExe pkgs.podman; podman = lib.meta.getExe pkgs.podman;
podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}"; podmanAsUser = "${config.security.wrapperDir}/git-sudo -u ${user} ${podman}";
@@ -166,12 +166,12 @@ in
authelia-gitea.content = builtins.readFile ( authelia-gitea.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "gitea.yaml" { (pkgs.formats.yaml { }).generate "gitea.yaml" {
identity_providers.oidc = { identity_providers.oidc = {
authorization_policies.git = { authorization_policies.gitea = {
default_policy = "deny"; default_policy = "deny";
rules = [ rules = [
{ {
policy = "one_factor"; policy = "one_factor";
subject = "group:git"; subject = "group:gitea";
} }
]; ];
}; };
@@ -182,7 +182,7 @@ in
client_name = "Gitea"; client_name = "Gitea";
client_secret = hmConfig.sops.placeholder."gitea/authelia/digest"; client_secret = hmConfig.sops.placeholder."gitea/authelia/digest";
redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ]; redirect_uris = [ "https://git.karaolidis.com/user/oauth2/authelia/callback" ];
authorization_policy = "git"; authorization_policy = "gitea";
} }
]; ];
}; };
@@ -196,6 +196,7 @@ in
volumes = { volumes = {
gitea-postgresql = { }; gitea-postgresql = { };
# TODO: Move LFS to mass storage
gitea = { }; gitea = { };
}; };
@@ -229,7 +230,10 @@ in
]; ];
}; };
unitConfig.After = [ "sops-nix.service" ]; unitConfig.After = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
}; };
gitea-postgresql = { gitea-postgresql = {

221
hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,221 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "7DXUBtkdLUUkmyV8oSXidP0XiU6W7usLvYRJ9TrbHy7IflFwWPmHVmU26oLahrj8bVURiexGfAr3bIey6vnlvirnYQ8HMo55NnqH";
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
templates = {
nextcloud-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."nextcloud/postgresql"}
'';
nextcloud-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."nextcloud/postgresql"}
'';
nextcloud.content = ''
<?php
$CONFIG = array (
'instanceid' => '${config.networking.hostName}',
'passwordsalt' => '${hmConfig.sops.placeholder."nextcloud/salt"}',
'secret' => '${hmConfig.sops.placeholder."nextcloud/secret"}',
'setup_create_db_user' => false,
'upgrade.disable-web' => true,
'integrity.check.disabled' => true,
'trusted_domains' => array (
0 => 'cloud.karaolidis.com',
),
'trusted_proxies' => [
'10.89.0.0/13',
'10.96.0.0/11',
'10.128.0.0/9'
],
'overwrite.cli.url' => 'https://cloud.karaolidis.com/',
'htaccess.RewriteBase' => '/',
'overwritehost' => 'cloud.karaolidis.com',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'maintenance_window_start' => 1,
'skeletondirectory' => ''',
'templatedirectory' => ''',
'mail_from_address' => 'jupiter',
'mail_smtpmode' => 'smtp',
'mail_sendmailmode' => 'smtp',
'mail_domain' => 'karaolidis.com',
'mail_smtphost' => 'smtp.protonmail.ch',
'mail_smtpport' => '587',
'mail_smtpauth' => true,
'mail_smtpname' => 'jupiter@karaolidis.com',
'mail_smtppassword' => '${hmConfig.sops.placeholder."nextcloud/smtp"}',
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => 'https://id.karaolidis.com',
'oidc_login_client_id' => '${autheliaClientId}',
'oidc_login_client_secret' => '${hmConfig.sops.placeholder."nextcloud/authelia/password"}',
'oidc_login_auto_redirect' => true,
'oidc_login_logout_url' => 'https://id.karaolidis.com/logout',
'oidc_login_end_session_redirect' => false,
'oidc_login_button_text' => 'Log in with Authelia',
'oidc_login_hide_password_form' => true,
'oidc_login_use_id_token' => false,
'oidc_login_attributes' => array (
'id' => 'preferred_username',
'name' => 'name',
'mail' => 'email',
'groups' => 'groups',
'is_admin' => 'is_admin',
),
'oidc_login_use_external_storage' => false,
'oidc_login_scope' => 'openid profile email groups is_admin',
'oidc_login_proxy_ldap' => false,
'oidc_login_disable_registration' => false,
'oidc_login_redir_fallback' => false,
'oidc_login_tls_verify' => true,
'oidc_create_groups' => false,
'oidc_login_webdav_enabled' => true,
'oidc_login_password_authentication' => true,
'oidc_login_min_time_between_jwks_requests' => 10,
'oidc_login_update_avatar' => true,
'oidc_login_code_challenge_method' => 'S256',
);
'';
authelia-nextcloud.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "nextcloud.yaml" {
identity_providers.oidc = {
authorization_policies.nextcloud = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:nextcloud";
}
];
};
clients = [
{
client_id = autheliaClientId;
client_name = "Nextcloud";
client_secret = hmConfig.sops.placeholder."nextcloud/authelia/digest";
redirect_uris = [ "https://cloud.karaolidis.com/apps/oidc_login/oidc" ];
authorization_policy = "nextcloud";
require_pkce = true;
pkce_challenge_method = "S256";
claims_policy = "is_admin";
scopes = [
"openid"
"profile"
"email"
"groups"
"is_admin"
];
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.nextcloud.networkConfig.internal = true;
volumes = {
nextcloud-postgresql = { };
nextcloud-config = { };
nextcloud-apps = { };
# TODO: Move to mass storage
nextcloud-data = { };
};
containers = {
nextcloud = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-nextcloud}";
networks = [
networks.nextcloud.ref
networks.traefik.ref
];
volumes = [
"${volumes.nextcloud-data.ref}:/var/lib/nextcloud"
"${volumes.nextcloud-config.ref}:/var/www/nextcloud/config"
"${volumes.nextcloud-apps.ref}:/var/www/nextcloud/apps"
"${hmConfig.sops.templates.nextcloud.path}:/var/www/nextcloud/config/override.config.php:ro"
];
environments = {
POSTGRES_HOST = "nextcloud-postgresql";
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
EXTRA_INIT = ''
occ config:app:set core shareapi_allow_custom_tokens --value true --type boolean --no-interaction
occ theming:config url https://cloud.karaolidis.com
'';
};
environmentFiles = [ hmConfig.sops.templates.nextcloud-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.nextcloud.rule=Host(`cloud.karaolidis.com`)"
];
};
unitConfig.After = [
"${containers.nextcloud-postgresql._serviceName}.service"
"sops-nix.service"
];
};
nextcloud-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.nextcloud.ref ];
volumes = [ "${volumes.nextcloud-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
};
environmentFiles = [ hmConfig.sops.templates.nextcloud-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-nextcloud.path}:/etc/authelia/conf.d/nextcloud.yaml:ro"
];
};
};
};
}

15
hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
View File

@@ -12,7 +12,7 @@
let let
selfPkgs = inputs.self.packages.${system}; selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes networks; inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
autheliaClientId = "3U5O3TkoIFb3bz3MMqscGEDx2wkT2G48iLLJalqSKA40zCweSBfgORGNMjDEidz4qiQ93qIoW2UlgTyLfzAwbklTvwHJPcarmXaq"; autheliaClientId = "3U5O3TkoIFb3bz3MMqscGEDx2wkT2G48iLLJalqSKA40zCweSBfgORGNMjDEidz4qiQ93qIoW2UlgTyLfzAwbklTvwHJPcarmXaq";
in in
{ {
@@ -45,12 +45,12 @@ in
authelia-outline.content = builtins.readFile ( authelia-outline.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "outline.yaml" { (pkgs.formats.yaml { }).generate "outline.yaml" {
identity_providers.oidc = { identity_providers.oidc = {
authorization_policies.docs = { authorization_policies.outline = {
default_policy = "deny"; default_policy = "deny";
rules = [ rules = [
{ {
policy = "one_factor"; policy = "one_factor";
subject = "group:docs"; subject = "group:outline";
} }
]; ];
}; };
@@ -61,7 +61,7 @@ in
client_name = "Outline"; client_name = "Outline";
client_secret = hmConfig.sops.placeholder."outline/authelia/digest"; client_secret = hmConfig.sops.placeholder."outline/authelia/digest";
redirect_uris = [ "https://docs.karaolidis.com/auth/oidc.callback" ]; redirect_uris = [ "https://docs.karaolidis.com/auth/oidc.callback" ];
authorization_policy = "docs"; authorization_policy = "outline";
scopes = [ scopes = [
"openid" "openid"
"profile" "profile"
@@ -83,6 +83,7 @@ in
volumes = { volumes = {
outline-redis = { }; outline-redis = { };
outline-postgresql = { }; outline-postgresql = { };
# TODO: Move to mass storage
outline = { }; outline = { };
}; };
@@ -125,7 +126,11 @@ in
]; ];
}; };
unitConfig.After = [ "sops-nix.service" ]; unitConfig.After = [
"${containers.outline-postgresql._serviceName}.service"
"${containers.outline-redis._serviceName}.service"
"sops-nix.service"
];
}; };
outline-postgresql = { outline-postgresql = {

2
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -102,7 +102,7 @@ in
"traefik.http.routers.traefik-api.middlewares=authelia@docker" "traefik.http.routers.traefik-api.middlewares=authelia@docker"
"traefik.http.middlewares.compress.compress=true" "traefik.http.middlewares.compress.compress=true"
# TODO: Middlewares: Headers # TODO: Middlewares: Headers (Security + Performance)
]; ];
environmentFiles = [ hmConfig.sops.templates.traefik-env.path ]; environmentFiles = [ hmConfig.sops.templates.traefik-env.path ];
}; };

2
lib/fetchers/sshKnownHosts/default.nix
View File

@@ -15,7 +15,7 @@ pkgs.lib.fetchers.withNormalizedHash { } (
let let
keyTypeArgs = pkgs.lib.concatStringsSep "," keyTypes; keyTypeArgs = pkgs.lib.concatStringsSep "," keyTypes;
in in
pkgs.runCommand name pkgs.runCommandLocal name
{ {
inherit outputHash outputHashAlgo; inherit outputHash outputHashAlgo;
outputHashMode = "flat"; outputHashMode = "flat";

5
packages/default.nix
View File

@@ -15,10 +15,9 @@
docker-grafana = import ./docker/grafana { inherit pkgs; }; docker-grafana = import ./docker/grafana { inherit pkgs; };
docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; }; docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
docker-mariadb = import ./docker/mariadb { inherit pkgs; }; docker-mariadb = import ./docker/mariadb { inherit pkgs; };
docker-nextcloud = import ./docker/nextcloud { inherit pkgs; };
docker-ntfy = import ./docker/ntfy { inherit pkgs; }; docker-ntfy = import ./docker/ntfy { inherit pkgs; };
docker-oidcwarden = import ./docker/oidcwarden { docker-oidcwarden = import ./docker/oidcwarden { inherit pkgs inputs system; };
inherit pkgs inputs system;
};
docker-outline = import ./docker/outline { inherit pkgs; }; docker-outline = import ./docker/outline { inherit pkgs; };
docker-postgresql = import ./docker/postgresql { inherit pkgs; }; docker-postgresql = import ./docker/postgresql { inherit pkgs; };
docker-prometheus = import ./docker/prometheus { inherit pkgs; }; docker-prometheus = import ./docker/prometheus { inherit pkgs; };

2
packages/docker/authelia/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/authelia" ]; Entrypoint = [ "authelia" ];
ExposedPorts = { ExposedPorts = {
"9091/tcp" = { }; "9091/tcp" = { };
}; };

5
packages/docker/base/default.nix
View File

@@ -11,9 +11,14 @@ pkgs.dockerTools.buildImage {
bashInteractive bashInteractive
ncurses ncurses
coreutils coreutils
util-linux
gnugrep gnugrep
gawk
findutils findutils
which
vim
iputils iputils
iproute2
curl curl
]; ];
pathsToLink = [ pathsToLink = [

2
packages/docker/gitea/default.nix
View File

@@ -17,7 +17,7 @@ pkgs.dockerTools.buildImage {
''; '';
config = { config = {
Entrypoint = [ "/bin/gitea" ]; Entrypoint = [ "gitea" ];
Cmd = [ Cmd = [
"web" "web"
"-c" "-c"

2
packages/docker/grafana-image-renderer/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/grafana-image-renderer" ]; Entrypoint = [ "grafana-image-renderer" ];
Cmd = [ "server" ]; Cmd = [ "server" ];
ExposedPorts = { ExposedPorts = {
"8081/tcp" = { }; "8081/tcp" = { };

2
packages/docker/grafana/default.nix
View File

@@ -17,7 +17,7 @@ pkgs.dockerTools.buildImage {
''; '';
config = { config = {
Entrypoint = [ "/bin/grafana" ]; Entrypoint = [ "grafana" ];
Cmd = [ Cmd = [
"server" "server"
"--homepath" "--homepath"

2
packages/docker/mariadb/default.nix
View File

@@ -30,7 +30,7 @@ pkgs.dockerTools.buildImage {
''; '';
config = { config = {
Entrypoint = [ "/bin/entrypoint" ]; Entrypoint = [ "entrypoint" ];
WorkingDir = "/var/lib/mysql"; WorkingDir = "/var/lib/mysql";
ExposedPorts = { ExposedPorts = {
"3306/tcp" = { }; "3306/tcp" = { };

34
packages/docker/nextcloud/declarative-secrets.patch Normal file
View File

@@ -0,0 +1,34 @@
diff --git a/lib/private/Setup.php b/lib/private/Setup.php
index 271e10d6..d21e2dd6 100644
--- a/lib/private/Setup.php
+++ b/lib/private/Setup.php
@@ -272,21 +272,22 @@ class Setup {
$dbType = 'sqlite3';
}
- //generate a random salt that is used to salt the local passwords
- $salt = $this->random->generate(30);
- // generate a secret
- $secret = $this->random->generate(48);
-
//write the config file
$newConfigValues = [
- 'passwordsalt' => $salt,
- 'secret' => $secret,
'trusted_domains' => $trustedDomains,
'datadirectory' => $dataDir,
'dbtype' => $dbType,
'version' => implode('.', \OCP\Util::getVersion()),
];
+ if ($this->config->getValue('passwordsalt', null) === null) {
+ $newConfigValues['passwordsalt'] = $this->random->generate(30);
+ }
+
+ if ($this->config->getValue('secret', null) === null) {
+ $newConfigValues['secret'] = $this->random->generate(48);
+ }
+
if ($this->config->getValue('overwrite.cli.url', null) === null) {
$newConfigValues['overwrite.cli.url'] = $request->getServerProtocol() . '://' . $request->getInsecureServerHost() . \OC::$WEBROOT;
}

181
packages/docker/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,181 @@
{ pkgs, ... }:
let
apacheHttpd = pkgs.apacheHttpd.overrideAttrs (oldAttrs: {
env.NIX_CFLAGS_COMPILE = "-DBIG_SECURITY_HOLE";
});
# https://docs.nextcloud.com/server/latest/admin_manual/installation/php_configuration.html
php =
(pkgs.php83.override {
inherit apacheHttpd;
apxs2Support = true;
}).buildEnv
{
extensions =
{ all, ... }:
with all;
[
ctype
curl
dom
fileinfo
filter
gd
mbstring
openssl
posix
session
simplexml
xmlreader
xmlwriter
zip
zlib
pdo_pgsql
intl
sodium
apcu
imagick
exif
pcntl
opcache
gmp
sysvsem
];
extraConfig = ''
expose_php = Off
memory_limit = 2048M
apc.shm_size = 128M
opcache.jit = 1255
opcache.jit_buffer_size = 8M
opcache.interned_strings_buffer = 16
upload_max_filesize = 100G
post_max_size = 100G
max_input_time = 3600
max_execution_time = 3600
output_buffering = 0
'';
};
apacheHttpdConfig = pkgs.writeTextDir "/etc/httpd/httpd.conf" ''
ServerRoot ${apacheHttpd}
ServerName localhost
Listen 80
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule headers_module modules/mod_headers.so
LoadModule env_module modules/mod_env.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php_module ${php}/modules/libphp.so
User root
Group root
PidFile /run/httpd/httpd.pid
LogLevel warn
ErrorLog /dev/stderr
TypesConfig conf/mime.types
AddType application/x-httpd-php .php .phtml
DocumentRoot "/var/www/nextcloud"
DirectoryIndex index.php index.html
LimitRequestBody 0
TimeOut 3600
<Directory />
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
<Files ".ht*">
Require all denied
</Files>
'';
occ = pkgs.writeShellApplication {
name = "occ";
text = ''
exec ${pkgs.lib.meta.getExe php} /var/www/nextcloud/occ "$@"
'';
};
nextcloud31 =
let
nextcloud31 = pkgs.nextcloud31.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./declarative-secrets.patch ];
});
in
pkgs.runCommandLocal "nextcloud" { } ''
mkdir -p $out/var/www
cp -r ${nextcloud31} $out/var/www/nextcloud
'';
crontab = pkgs.writeTextDir "/var/cron/tabs/root" ''
*/5 * * * * ${pkgs.lib.meta.getExe php} -f /var/www/nextcloud/cron.php
'';
entrypoint = pkgs.writeTextFile {
name = "entrypoint";
executable = true;
destination = "/bin/entrypoint";
text = builtins.readFile ./entrypoint.sh;
};
in
pkgs.dockerTools.buildImage {
name = "nextcloud";
fromImage = import ../base { inherit pkgs; };
diskSize = 2048;
copyToRoot = pkgs.buildEnv {
name = "root";
paths = [
apacheHttpd
apacheHttpdConfig
php
nextcloud31
occ
entrypoint
crontab
pkgs.cron
pkgs.ffmpeg
];
pathsToLink = [
"/bin"
"/etc"
"/var"
];
};
runAsRoot = ''
${pkgs.dockerTools.shadowSetup}
mkdir -p /run/httpd
'';
config = {
Entrypoint = [ "entrypoint" ];
Cmd = [
"-DFOREGROUND"
"-f"
"/etc/httpd/httpd.conf"
];
Volumes = {
"/var/www/nextcloud/config" = { };
"/var/www/nextcloud/apps" = { };
"/var/lib/nextcloud" = { };
};
WorkingDir = "/var/www/nextcloud";
ExposedPorts = {
"80/tcp" = { };
};
};
}

72
packages/docker/nextcloud/entrypoint.sh Normal file
View File

@@ -0,0 +1,72 @@
#!/bin/sh
set -o errexit
set -o nounset
if [ ! -f "/var/www/nextcloud/config/config.php" ]; then
POSTGRES_HOST="${POSTGRES_HOST:-nextcloud-postgresql}"
POSTGRES_PORT="${POSTGRES_PORT:-5432}"
POSTGRES_USER="${POSTGRES_USER:-nextcloud}"
POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-nextcloud}"
POSTGRES_DB="${POSTGRES_DB:-$POSTGRES_USER}"
ADMIN_USER="admin"
ADMIN_PASS="$(head -c 128 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 64)"
echo "Installing Nextcloud..."
occ maintenance:install \
--database "pgsql" \
--database-host "$POSTGRES_HOST" \
--database-port "$POSTGRES_PORT" \
--database-user "$POSTGRES_USER" \
--database-pass "$POSTGRES_PASSWORD" \
--database-name "$POSTGRES_DB" \
--admin-user "$ADMIN_USER" \
--admin-pass "$ADMIN_PASS" \
--data-dir "/var/lib/nextcloud"
occ user:delete admin
occ app:disable \
app_api \
contactsinteraction \
dashboard \
federation \
firstrunwizard \
photos \
recommendations \
sharebymail \
support \
survey_client \
user_status \
weather_status
occ app:install \
oidc_login
fi
occ upgrade
occ app:update --all
occ db:add-missing-columns
occ db:add-missing-indices
occ db:add-missing-primary-keys
occ maintenance:repair --include-expensive
occ background:cron
occ maintenance:update:htaccess
[ -n "${EXTRA_INIT:-}" ] && eval "$EXTRA_INIT"
cron
PHPRC="$(dirname "$(readlink -f "$(which php)")")/../lib/php.ini"
export PHPRC
setsid --wait httpd "$@" &
pid=$!
trap 'kill -INT $pid' INT
wait $pid
exit $?

2
packages/docker/ntfy/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/ntfy" ]; Entrypoint = [ "ntfy" ];
Cmd = [ "serve" ]; Cmd = [ "serve" ];
ExposedPorts = { ExposedPorts = {
"80/tcp" = { }; "80/tcp" = { };

2
packages/docker/oidcwarden/default.nix
View File

@@ -24,7 +24,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/oidcwarden" ]; Entrypoint = [ "oidcwarden" ];
Env = [ Env = [
"WEB_VAULT_FOLDER=${selfPkgs.oidcwarden.webvault}/share/vaultwarden/vault" "WEB_VAULT_FOLDER=${selfPkgs.oidcwarden.webvault}/share/vaultwarden/vault"
"DATA_FOLDER=/var/lib/vaultwarden" "DATA_FOLDER=/var/lib/vaultwarden"

2
packages/docker/outline/default.nix
View File

@@ -13,7 +13,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/outline-server" ]; Entrypoint = [ "outline-server" ];
ExposedPorts = { ExposedPorts = {
"3000/tcp" = { }; "3000/tcp" = { };
}; };

2
packages/docker/postgresql/default.nix
View File

@@ -36,7 +36,7 @@ pkgs.dockerTools.buildImage {
''; '';
config = { config = {
Entrypoint = [ "/bin/entrypoint" ]; Entrypoint = [ "entrypoint" ];
WorkingDir = "/var/lib/postgresql"; WorkingDir = "/var/lib/postgresql";
ExposedPorts = { ExposedPorts = {
"5432/tcp" = { }; "5432/tcp" = { };

2
packages/docker/prometheus-fail2ban-exporter/default.nix
View File

@@ -28,7 +28,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/entrypoint" ]; Entrypoint = [ "entrypoint" ];
ExposedPorts = { ExposedPorts = {
"9191/tcp" = { }; "9191/tcp" = { };
}; };

2
packages/docker/prometheus-fail2ban-exporter/entrypoint.sh
View File

@@ -20,4 +20,4 @@ LOG_PID=$!
trap 'kill $LOG_PID' EXIT trap 'kill $LOG_PID' EXIT
exec /bin/prometheus-fail2ban-exporter "$@" > "$LOG_PIPE" 2>&1 exec prometheus-fail2ban-exporter "$@" > "$LOG_PIPE" 2>&1

2
packages/docker/prometheus-node-exporter/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/node_exporter" ]; Entrypoint = [ "node_exporter" ];
Cmd = [ "--log.level=warn" ]; Cmd = [ "--log.level=warn" ];
ExposedPorts = { ExposedPorts = {
"9100/tcp" = { }; "9100/tcp" = { };

2
packages/docker/prometheus-podman-exporter/default.nix
View File

@@ -32,7 +32,7 @@ pkgs.dockerTools.buildImage {
''; '';
config = { config = {
Entrypoint = [ "/bin/entrypoint" ]; Entrypoint = [ "entrypoint" ];
ExposedPorts = { ExposedPorts = {
"9882/tcp" = { }; "9882/tcp" = { };
}; };

2
packages/docker/prometheus-podman-exporter/entrypoint.sh
View File

@@ -20,4 +20,4 @@ LOG_PID=$!
trap 'kill $LOG_PID' EXIT trap 'kill $LOG_PID' EXIT
exec /bin/prometheus-podman-exporter "$@" > "$LOG_PIPE" 2>&1 exec prometheus-podman-exporter "$@" > "$LOG_PIPE" 2>&1

2
packages/docker/prometheus-smartctl-exporter/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/smartctl_exporter" ]; Entrypoint = [ "smartctl_exporter" ];
Cmd = [ "--log.level=warn" ]; Cmd = [ "--log.level=warn" ];
ExposedPorts = { ExposedPorts = {
"9633/tcp" = { }; "9633/tcp" = { };

2
packages/docker/prometheus/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/prometheus" ]; Entrypoint = [ "prometheus" ];
ExposedPorts = { ExposedPorts = {
"9090/tcp" = { }; "9090/tcp" = { };
}; };

2
packages/docker/redis/default.nix
View File

@@ -16,7 +16,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/redis-server" ]; Entrypoint = [ "redis-server" ];
WorkingDir = "/var/lib/redis"; WorkingDir = "/var/lib/redis";
ExposedPorts = { ExposedPorts = {
"6379/tcp" = { }; "6379/tcp" = { };

2
packages/docker/sish/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/sish" ]; Entrypoint = [ "sish" ];
Cmd = [ Cmd = [
"--ssh-address=0.0.0.0:2222" "--ssh-address=0.0.0.0:2222"
"--http-address=0.0.0.0:80" "--http-address=0.0.0.0:80"

2
packages/docker/traefik/default.nix
View File

@@ -10,7 +10,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/traefik" ]; Entrypoint = [ "traefik" ];
ExposedPorts = { ExposedPorts = {
"80/tcp" = { }; "80/tcp" = { };
}; };

2
packages/docker/whoami/default.nix
View File

@@ -15,7 +15,7 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/whoami" ]; Entrypoint = [ "whoami" ];
ExposedPorts = { ExposedPorts = {
"80/tcp" = { }; "80/tcp" = { };
}; };

2
packages/docker/yq/default.nix
View File

@@ -10,6 +10,6 @@ pkgs.dockerTools.buildImage {
}; };
config = { config = {
Entrypoint = [ "/bin/yq" ]; Entrypoint = [ "yq" ];
}; };
} }