diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index bd088a6..3f76ea8 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -103,12 +103,12 @@ let services.postgresql = { enable = lib.mkDefault true; - authentication = lib.mkOverride 10 '' - # TYPE DATABASE USER ADDRESS METHOD - local all all peer - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; + #authentication = lib.mkOverride 10 '' + # # TYPE DATABASE USER ADDRESS METHOD + # local all all peer + # host all all 127.0.0.1/32 trust + # host all all ::1/128 trust + #''; ensureDatabases = [ "synapse" ]; ensureUsers = [ { diff --git a/modules/nixos/services/nextcloud/container.nix b/modules/nixos/services/nextcloud/container.nix new file mode 100755 index 0000000..9061135 --- /dev/null +++ b/modules/nixos/services/nextcloud/container.nix 
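Review bot: Commenting out the `lib.mkOverride 10` pg_hba block removes the matrix module's own authentication policy, so synapse's PostgreSQL access is now decided by whichever lower-priority definition wins elsewhere; in this same commit that is the host-wide `mkOverride 50` block in systems/x86_64-linux/jallen-nas/services.nix, whose `local all all trust` is looser than the `peer` method this block used to pin. If deferring to the host policy is intended, delete the block rather than leaving it commented out (git keeps the history) and record the decision in its place, e.g. `# pg_hba is managed host-wide in systems/x86_64-linux/jallen-nas/services.nix`. The enclosing `services.postgresql` attribute set continues outside the hunk.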
@@ -0,0 +1,288 @@ +{ + config, + lib, + pkgs, + namespace, + ... +}: +with lib; +let + cfg = config.${namespace}.services.nextcloud; + + adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path; + secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path; + jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path; + nextcloudUserId = config.users.users.nix-apps.uid; + nextcloudGroupId = config.users.groups.jallen-nas.gid; + hostAddress = "10.0.1.3"; + localAddress = "10.0.2.18"; + nextcloudPortExtHttp = 9988; + nextcloudPortExtHttps = 9943; + onlyofficePortExt = 9943; + + nextcloudPhotos = pkgs.${namespace}.nextcloud-app-photos; + nextcloudPdfViewer = pkgs.${namespace}.nextcloud-app-pdfviewer; + nextcloudAssist = pkgs.${namespace}.nextcloud-app-assistant; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable { + containers.nextcloud = { + autoStart = true; + privateNetwork = true; + hostAddress = hostAddress; + localAddress = localAddress; + specialArgs = { + inherit namespace; + }; + + bindMounts = { + secrets = { + hostPath = "/run/secrets/jallen-nas/nextcloud"; + isReadOnly = true; + mountPoint = "/run/secrets/jallen-nas/nextcloud"; + }; + + secrets2 = { + hostPath = "/run/secrets/jallen-nas/onlyoffice-key"; + isReadOnly = true; + mountPoint = "/run/secrets/jallen-nas/onlyoffice-key"; + }; + + data = { + hostPath = "/media/nas/main/nextcloud"; + isReadOnly = false; + mountPoint = "/data"; + }; + + "/var/lib/nextcloud" = { + hostPath = "/media/nas/main/nix-app-data/nextcloud"; + isReadOnly = false; + mountPoint = "/var/lib/nextcloud"; + }; + + "/var/lib/onlyoffice" = { + hostPath = "/media/nas/main/nix-app-data/onlyoffice"; + isReadOnly = false; + mountPoint = "/var/lib/onlyoffice"; + }; + }; + + config = + { + pkgs, + lib, + ... 
+ }: + { + nixpkgs.config.allowUnfree = true; + networking.extraHosts = '' + ${hostAddress} host.containers protonmail-bridge + ''; + + services.nginx.virtualHosts."cloud.mjallen.dev".listen = [ { addr = "0.0.0.0"; port = 8080; } ]; + + services = { + nextcloud = { + enable = true; + package = pkgs.nextcloud32; + # datadir = "/data"; + database.createLocally = true; + hostName = "cloud.mjallen.dev"; + appstoreEnable = false; + caching.redis = true; + configureRedis = true; + enableImagemagick = true; + https = true; + secretFile = secretsFile; + + extraApps = { + inherit (pkgs.nextcloud31Packages.apps) + app_api + bookmarks + mail + calendar + contacts + integration_openai + integration_paperless + maps + oidc_login + onlyoffice + previewgenerator + recognize + richdocuments + user_oidc + ; + + inherit + nextcloudPhotos + nextcloudPdfViewer + nextcloudAssist + ; + }; + + config = { + adminuser = "mjallen"; + adminpassFile = adminpass; + dbhost = "localhost"; + dbtype = "sqlite"; + dbname = "nextcloud"; + dbuser = "nextcloud"; + }; + settings = { + loglevel = 3; + allow_local_remote_servers = true; + upgrade.disable-web = false; + datadirectory = "/data"; + trusted_domains = [ + "${hostAddress}:${toString nextcloudPortExtHttp}" + "${hostAddress}:${toString nextcloudPortExtHttps}" + "${localAddress}:80" + "${localAddress}:8080" + "${localAddress}:443" + "cloud.mjallen.dev" + ]; + opcache.interned_strings_buffer = 16; + trusted_proxies = [ hostAddress ]; + maintenance_window_start = 6; + default_phone_region = "US"; + enable_previews = true; + enabledPreviewProviders = [ + "OC\\Preview\\PNG" + "OC\\Preview\\JPEG" + "OC\\Preview\\GIF" + "OC\\Preview\\BMP" + "OC\\Preview\\XBitmap" + "OC\\Preview\\MP3" + "OC\\Preview\\TXT" + "OC\\Preview\\MarkDown" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\Krita" + "OC\\Preview\\HEIC" + "OC\\Preview\\Movie" + "OC\\Preview\\MSOffice2003" + "OC\\Preview\\MSOffice2007" + "OC\\Preview\\MSOfficeDoc" + ]; + installed = true; + user_oidc = 
{ + auto_provision = false; + soft_auto_provision = false; + allow_multiple_user_backends = false; # auto redirect to authentik for login + }; + + social_login_auto_redirect = true; + }; + }; + }; + + services.onlyoffice = { + enable = true; + port = onlyofficePortExt; + hostname = "office.mjallen.dev"; + jwtSecretFile = jwtSecretFile; + }; + + # System packages + environment.systemPackages = with pkgs; [ + ffmpeg + # libtensorflow-bin + nextcloud32 + nodejs + onlyoffice-documentserver + sqlite + ]; + + # Create required users and groups + users.users.nextcloud = { + isSystemUser = true; + uid = lib.mkForce nextcloudUserId; + group = "nextcloud"; + }; + + users.users.onlyoffice = { + group = lib.mkForce "nextcloud"; + }; + + users.groups = { + nextcloud = { + gid = lib.mkForce nextcloudGroupId; + }; + downloads = { }; + }; + + # Create and set permissions for required directories + system.activationScripts.nextcloud-dirs = '' + mkdir -p /data + + chown -R nextcloud:nextcloud /data + + chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud + chown -R nextcloud:nextcloud /run/secrets/jallen-nas/onlyoffice-key + + chmod -R 775 /data + + chmod -R 750 /run/secrets/jallen-nas/nextcloud + chmod -R 750 /run/secrets/jallen-nas/onlyoffice-key + ''; + + hardware = { + graphics = { + enable = true; + # setLdLibraryPath = true; + }; + }; + + programs = { + nix-ld.enable = true; + }; + + system.stateVersion = "23.11"; + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ + 8080 + 80 + 443 + onlyofficePortExt + ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + + }; + }; + + networking = { + nat = { + forwardPorts = [ + { + destination = "${localAddress}:443"; + sourcePort = nextcloudPortExtHttps; + } + # { + # destination = "${localAddress}:80"; + # sourcePort = nextcloudPortExtHttp; + # } + { + 
destination = "${localAddress}:8080"; + sourcePort = nextcloudPortExtHttp; + } + { + destination = "${localAddress}:8000"; + sourcePort = 8000; + } + { + destination = "${localAddress}:${toString onlyofficePortExt}"; + sourcePort = onlyofficePortExt; + } + ]; + }; + }; + }; +} diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix old mode 100755 new mode 100644 index 5cacfec..c87a8e0 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -15,7 +15,6 @@ let nextcloudUserId = config.users.users.nix-apps.uid; nextcloudGroupId = config.users.groups.jallen-nas.gid; hostAddress = "10.0.1.3"; - localAddress = "10.0.2.18"; nextcloudPortExtHttp = 9988; nextcloudPortExtHttps = 9943; onlyofficePortExt = 9943; 
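Review bot: `nextcloudPortExtHttps` and `onlyofficePortExt` are both 9943, so `networking.nat.forwardPorts` ends up with two entries whose `sourcePort` is 9943 (one to `${localAddress}:443`, one to `${localAddress}:9943`); only the first DNAT rule for a given port can match, so one of the two forwards is silently dead. Give OnlyOffice its own external port, e.g. `onlyofficePortExt = 9944;`, and the firewall and `trusted_domains` entries derived from it follow. Separately, the `nextcloud-dirs` activation script runs `chown -R`/`chmod -R` on the two secret bind mounts declared `isReadOnly = true`, which cannot succeed on a read-only mount, and `chmod -R 775 /data` re-walks the whole NAS data tree and makes every file group-writable on each activation; a non-recursive `install -d -o nextcloud -g nextcloud -m 0770 /data` would be both cheaper and tighter.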
@@ -28,253 +27,130 @@ in imports = [ ./options.nix ]; config = mkIf cfg.enable { - containers.nextcloud = { - autoStart = true; - privateNetwork = true; - hostAddress = hostAddress; - localAddress = localAddress; - specialArgs = { - inherit namespace; - }; + services.nginx.virtualHosts."cloud.mjallen.dev".listen = [ { addr = "0.0.0.0"; port = nextcloudPortExtHttp; } ]; - bindMounts = { - secrets = { - hostPath = "/run/secrets/jallen-nas/nextcloud"; - isReadOnly = true; - mountPoint = "/run/secrets/jallen-nas/nextcloud"; - }; - - secrets2 = { - hostPath = "/run/secrets/jallen-nas/onlyoffice-key"; - isReadOnly = true; - mountPoint = "/run/secrets/jallen-nas/onlyoffice-key"; - }; - - data = { - hostPath = "/media/nas/main/nextcloud"; - isReadOnly = false; - mountPoint = "/data"; - }; - - "/var/lib/nextcloud" = { - hostPath = "/media/nas/main/nix-app-data/nextcloud"; - isReadOnly = false; - mountPoint = "/var/lib/nextcloud"; - }; - - "/var/lib/onlyoffice" = { - hostPath = "/media/nas/main/nix-app-data/onlyoffice"; - isReadOnly = false; - mountPoint = "/var/lib/onlyoffice"; - }; - }; - - config = - { - pkgs, - lib, - ... 
- }: - { - nixpkgs.config.allowUnfree = true; - networking.extraHosts = '' - ${hostAddress} host.containers protonmail-bridge - ''; - - services = { - nextcloud = { - enable = true; - package = pkgs.nextcloud32; - # datadir = "/data"; - database.createLocally = true; - hostName = "cloud.mjallen.dev"; - appstoreEnable = false; - caching.redis = true; - configureRedis = true; - enableImagemagick = true; - https = true; - secretFile = secretsFile; - - extraApps = { - inherit (pkgs.nextcloud31Packages.apps) - app_api - bookmarks - mail - calendar - contacts - integration_openai - integration_paperless - maps - oidc_login - onlyoffice - previewgenerator - recognize - richdocuments - user_oidc - ; - - inherit - nextcloudPhotos - nextcloudPdfViewer - nextcloudAssist - ; - }; - - config = { - adminuser = "mjallen"; - adminpassFile = adminpass; - dbhost = "localhost"; - dbtype = "sqlite"; - dbname = "nextcloud"; - dbuser = "nextcloud"; - }; - settings = { - loglevel = 3; - allow_local_remote_servers = true; - upgrade.disable-web = false; - datadirectory = "/data"; - trusted_domains = [ - "${hostAddress}:${toString nextcloudPortExtHttp}" - "${hostAddress}:${toString nextcloudPortExtHttps}" - "${localAddress}:80" - "${localAddress}:443" - "cloud.mjallen.dev" - ]; - opcache.interned_strings_buffer = 16; - trusted_proxies = [ hostAddress ]; - maintenance_window_start = 6; - default_phone_region = "US"; - enable_previews = true; - enabledPreviewProviders = [ - "OC\\Preview\\PNG" - "OC\\Preview\\JPEG" - "OC\\Preview\\GIF" - "OC\\Preview\\BMP" - "OC\\Preview\\XBitmap" - "OC\\Preview\\MP3" - "OC\\Preview\\TXT" - "OC\\Preview\\MarkDown" - "OC\\Preview\\OpenDocument" - "OC\\Preview\\Krita" - "OC\\Preview\\HEIC" - "OC\\Preview\\Movie" - "OC\\Preview\\MSOffice2003" - "OC\\Preview\\MSOffice2007" - "OC\\Preview\\MSOfficeDoc" - ]; - installed = true; - user_oidc = { - auto_provision = false; - soft_auto_provision = false; - allow_multiple_user_backends = false; # auto redirect to 
authentik for login - }; - - social_login_auto_redirect = true; - }; - }; - }; - - services.onlyoffice = { - enable = true; - port = onlyofficePortExt; - hostname = "office.mjallen.dev"; - jwtSecretFile = jwtSecretFile; - }; - - # System packages - environment.systemPackages = with pkgs; [ - ffmpeg - # libtensorflow-bin - nextcloud32 - nodejs - onlyoffice-documentserver - sqlite - ]; - - # Create required users and groups - users.users.nextcloud = { - isSystemUser = true; - uid = lib.mkForce nextcloudUserId; - group = "nextcloud"; - }; - - users.users.onlyoffice = { - group = lib.mkForce "nextcloud"; - }; - - users.groups = { - nextcloud = { - gid = lib.mkForce nextcloudGroupId; - }; - downloads = { }; - }; - - # Create and set permissions for required directories - system.activationScripts.nextcloud-dirs = '' - mkdir -p /data - - chown -R nextcloud:nextcloud /data - - chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud - chown -R nextcloud:nextcloud /run/secrets/jallen-nas/onlyoffice-key - - chmod -R 775 /data - - chmod -R 750 /run/secrets/jallen-nas/nextcloud - chmod -R 750 /run/secrets/jallen-nas/onlyoffice-key - ''; - - hardware = { - graphics = { - enable = true; - # setLdLibraryPath = true; - }; - }; - - programs = { - nix-ld.enable = true; - }; - - system.stateVersion = "23.11"; - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ - 80 - 443 - onlyofficePortExt - ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; - - }; + # Create required users and groups + users.users.nextcloud = { + isSystemUser = lib.mkForce true; + isNormalUser = lib.mkForce false; + group = "nextcloud"; }; - networking = { - nat = { - forwardPorts = [ - { - destination = "${localAddress}:443"; - sourcePort = nextcloudPortExtHttps; - } - { - destination = "${localAddress}:80"; - sourcePort = 
nextcloudPortExtHttp; - } - { - destination = "${localAddress}:8000"; - sourcePort = 8000; - } - { - destination = "${localAddress}:${toString onlyofficePortExt}"; - sourcePort = onlyofficePortExt; - } - ]; + users.groups = { + nextcloud = { }; + downloads = { }; + }; + + services = { + opencloud = { + enable = true; + url = "https://10.0.1.3:9988"; + address = "0.0.0.0"; + port = nextcloudPortExtHttp; + stateDir = "/media/nas/main/nix-app-data/opencloud"; + }; + + onlyoffice = { + enable = false; + port = onlyofficePortExt; + hostname = "office.mjallen.dev"; + jwtSecretFile = jwtSecretFile; + }; + + nextcloud = { + enable = false; + package = pkgs.nextcloud32; + home = "/media/nas/main/nix-app-data/nextcloud"; + database.createLocally = true; + hostName = "cloud.mjallen.dev"; + appstoreEnable = false; + caching.redis = true; + configureRedis = true; + enableImagemagick = true; + https = true; + secretFile = secretsFile; + + extraApps = { + inherit (pkgs.nextcloud32Packages.apps) + # app_api + # bookmarks + mail + calendar + contacts + integration_openai + integration_paperless + # maps + # oidc_login + onlyoffice + previewgenerator + recognize + # richdocuments + user_oidc + ; + + # inherit + # nextcloudPhotos + # nextcloudPdfViewer + # nextcloudAssist + # ; + }; + + config = { + adminuser = "mjallen"; + adminpassFile = adminpass; + dbhost = "localhost"; + dbtype = "pgsql"; + dbname = "nextcloud"; + dbuser = "nextcloud"; + }; + settings = { + log_type = "syslog"; + syslog_tag = "nextcloud"; + logfile = ""; + loglevel = 3; + allow_local_remote_servers = true; + upgrade.disable-web = false; + datadirectory = "/media/nas/main/nextcloud"; + trusted_domains = [ + "${hostAddress}:${toString nextcloudPortExtHttp}" + "${hostAddress}:${toString nextcloudPortExtHttps}" + # "${localAddress}:80" + # "${localAddress}:8080" + # "${localAddress}:443" + "cloud.mjallen.dev" + ]; + opcache.interned_strings_buffer = 16; + trusted_proxies = [ hostAddress ]; + maintenance_window_start 
= 6; + default_phone_region = "US"; + enable_previews = true; + enabledPreviewProviders = [ + "OC\\Preview\\PNG" + "OC\\Preview\\JPEG" + "OC\\Preview\\GIF" + "OC\\Preview\\BMP" + "OC\\Preview\\XBitmap" + "OC\\Preview\\MP3" + "OC\\Preview\\TXT" + "OC\\Preview\\MarkDown" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\Krita" + "OC\\Preview\\HEIC" + "OC\\Preview\\Movie" + "OC\\Preview\\MSOffice2003" + "OC\\Preview\\MSOffice2007" + "OC\\Preview\\MSOfficeDoc" + ]; + installed = true; + user_oidc = { + auto_provision = false; + soft_auto_provision = false; + allow_multiple_user_backends = false; # auto redirect to authentik for login + }; + + social_login_auto_redirect = true; + }; }; }; }; -} +} \ No newline at end of file diff --git a/modules/nixos/services/opencloud/default.nix b/modules/nixos/services/opencloud/default.nix new file mode 100644 index 0000000..fe5d135 --- /dev/null +++ b/modules/nixos/services/opencloud/default.nix 
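Review bot: `services.nginx.virtualHosts."cloud.mjallen.dev".listen` binds `0.0.0.0` on `nextcloudPortExtHttp` and `services.opencloud` is given `address = "0.0.0.0"` with the same `port`, so if nginx is enabled on this host the two services race for 0.0.0.0:9988 and one fails to start; with `services.nextcloud.enable = false` the vhost has no consumer and should be removed. `services.opencloud.url = "https://10.0.1.3:9988"` hard-codes the LAN address and an https scheme while this commit's traefik change reaches the same port over plain http; `url` is presumably the externally visible address OpenCloud advertises to clients, so it likely needs to be the public https hostname instead — confirm against the option's documentation. `users.groups.nextcloud = { }` also drops the previously forced `gid = nextcloudGroupId` while `datadirectory` still points at the NAS path that was owned by that gid, so re-enabling Nextcloud later will hit an ownership mismatch. The module's `let` block starts outside the hunk.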
@@ -0,0 +1,56 @@
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+let
+ inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
+ cfg = config.${namespace}.services.opencloud;
+
+ opencloudConfig = {
+ services.opencloud = {
+ enable = true;
+ port = cfg.port;
+ environment = {
+ OC_OIDC_ISSUER = "";
+ OC_EXCLUDE_RUN_SERVICES = "idp";
+ PROXY_OIDC_REWRITE_WELLKNOWN = true;
+ PROXY_USER_OIDC_CLAIM = "preferred_username";
+ PROXY_AUTOPROVISION_ACCOUNTS = true;
+ PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc";
+ };
+ };
+ };
+
+ # Create reverse proxy configuration using mkReverseProxy
+ reverseProxyConfig = lib.${namespace}.mkReverseProxy {
+ name = "cloud";
+ subdomain = cfg.reverseProxy.subdomain;
+ url = "http://${cfg.localAddress}:${toString cfg.port}";
+ middlewares = cfg.reverseProxy.middlewares;
+ };
+
+ fullConfig = {
+ "${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
+ reverseProxies = [ reverseProxyConfig ];
+ };
+ }
+ // opencloudConfig;
+in
+{
+ options.${namespace}.services.opencloud = {
+ enable = mkEnableOption "opencloud service";
+
+ port = mkOpt types.int 4000 "Port for opencloud to be hosted on";
+
+ localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
+
+ dataDir = mkOpt types.str "" "Path to the data dir";
+
+ reverseProxy = mkReverseProxyOpt;
+ };
+
+ config = mkIf cfg.enable fullConfig;
+}
diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix
index 9246c21..1cf62e8 100755
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
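Review bot: `dataDir` is declared as an option but never read by `opencloudConfig`, so setting it has no effect; either wire it through to the upstream state/data option or drop it. `OC_OIDC_ISSUER = ""` together with `OC_EXCLUDE_RUN_SERVICES = "idp"` turns off the built-in identity provider without naming an external issuer, which presumably leaves the proxy unable to validate any token; this looks like it should be a module option (e.g. `oidcIssuer = mkOpt types.str "" "External OIDC issuer URL";`) rather than an empty literal, and the boolean values in `environment` may need to be strings depending on the option's type — confirm. Note also that modules/nixos/services/nextcloud/default.nix in this same commit sets `services.opencloud.port` to a different value, so enabling both modules on one host would raise a conflicting-definition error.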
@@ -62,13 +62,15 @@ let authentikUrl = "http://${serverIp}:9000"; cacheUrl = "http://${serverIp}:9012"; - cloudUrl = "http://${config.containers.nextcloud.localAddress}:80"; + cloudUrl = "http:/10.0.1.3:9988"; + # cloudUrl = "http://${config.containers.nextcloud.localAddress}:80"; hassUrl = "http://10.0.1.4:8123"; immichUrl = "http://${serverIp}:${toString config.services.immich.port}"; jellyfinUrl = "http://${serverIp}:8096"; jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}"; lubeloggerUrl = "http://${serverIp}:6754"; - onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; + # onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; + onlyofficeUrl = "http://10.0.1.3:8000"; openWebUIUrl = "http://${serverIp}:8888"; paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}"; @@ -348,7 +350,13 @@ in actual.loadBalancer.servers = [ { - url = "https://10.0.1.3:3333"; + url = "http://10.0.1.3:3333"; + } + ]; + + matrix.loadBalancer.servers = [ + { + url = "http://10.1.0.3:8448"; } ]; @@ -445,6 +453,17 @@ in ]; tls.certResolver = "letsencrypt"; }; + + matrix = { + entryPoints = [ "websecure" ]; + rule = "Host(`matrix.${domain}`)"; + service = "matrix"; + middlewares = [ + "crowdsec" + "whitelist-geoblock" + ]; + tls.certResolver = "letsencrypt"; + }; authentik = { entryPoints = [ "websecure" ]; diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index e55705b..d5a44e6 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix 
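Review bot: `cloudUrl = "http:/10.0.1.3:9988"` is missing a slash after the scheme, so the `cloud` backend will not parse as an http URL and the router in front of it breaks; it should read `cloudUrl = "http://10.0.1.3:9988";`. The commented-out previous values of `cloudUrl` and `onlyofficeUrl` should be deleted rather than kept, since git already holds the history. `onlyofficeUrl` now targets port 8000, but nothing in this commit shows a listener there (the container config sets `services.onlyoffice.port` to `onlyofficePortExt`, 9943, and merely NAT-forwards 8000), so confirm a service actually answers on it. The `let` block holding these bindings continues outside the hunk.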
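Review bot: The new `matrix` backend address `10.1.0.3:8448` sits in a different subnet from every other backend in this file (`10.0.1.x`); if that is a transposition of `10.0.1.3` the router fails at the load balancer, so double-check the address before merging. 8448 is conventionally the Matrix federation listener, which is frequently TLS-only, so `http://` may need to be `https://` depending on how the homeserver is configured; the `actual` entry switching from https to http in the same hunk suggests that was verified for that service, but the matrix entry is new and untested here.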
@@ -107,13 +107,13 @@ in address = "10.0.1.3/24"; method = "manual"; gateway = "10.0.1.1"; - interface = "wlp6s0"; + interface = "enp197s0"; }; hostId = "4b501480"; nat = { enable = true; internalInterfaces = [ "ve-+" ]; - externalInterface = "wlp6s0"; + externalInterface = "enp197s0"; enableIPv6 = true; }; firewall = { @@ -142,7 +142,7 @@ in 2283 # immich 4444 # code-server 9012 - + 9988 8192 3000 2222 diff --git a/systems/x86_64-linux/jallen-nas/services.nix b/systems/x86_64-linux/jallen-nas/services.nix index 485adb7..af01b58 100755 --- a/systems/x86_64-linux/jallen-nas/services.nix +++ b/systems/x86_64-linux/jallen-nas/services.nix @@ -28,6 +28,7 @@ ensureDatabases = [ "authentik" "homeassistant" + "nextcloud" ]; ensureUsers = [ { @@ -38,12 +39,19 @@ name = "homeassistant"; ensureDBOwnership = true; } + { + name = "nextcloud"; + ensureDBOwnership = true; + } ]; # Allow access via pg_hba.conf rules: authentication = pkgs.lib.mkOverride 50 '' # TYPE DATABASE USER ADDRESS METHOD local all all trust host homeassistant homeassistant 10.0.1.0/24 trust + local nextcloud nextcloud trust + host nextcloud nextcloud 10.0.1.0/24 trust + host nextcloud nextcloud ::1/128 trust ''; };
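Review bot: The new `9988` entry in `allowedTCPPorts` is the only one in that list without an annotating comment, while its neighbours say what they expose (`2283 # immich`, `4444 # code-server`); opening the OpenCloud/Nextcloud backend port directly on the host also bypasses the crowdsec and geoblock middlewares that front `cloud.${domain}` in traefik, so the reason for exposing it unproxied should be recorded, e.g. `9988 # opencloud backend (direct LAN access; traefik fronts it publicly)`. If traefik runs on this same host and is the only intended client, the firewall entry is not needed at all, since host-local traffic is not filtered.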
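Review bot: `host nextcloud nextcloud 10.0.1.0/24 trust` grants passwordless access to the nextcloud database from every address on the LAN, yet the Nextcloud configuration in this commit uses `dbhost = "localhost"` (and is currently `enable = false`), so no remote client needs it; drop the subnet line, or if a networked client is genuinely expected, restrict it to that single host and use `scram-sha-256` instead of `trust`. The `local nextcloud nextcloud trust` line is already covered by the pre-existing `local all all trust` rule and is redundant. The commented-out matrix override in this same commit previously pinned `peer`/loopback-only access, so this host-wide block is now the effective policy for synapse as well.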