mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

idk

Browse Source
This commit is contained in:
mjallen18
2025-11-14 10:47:49 -06:00
parent 582561ae12
commit 0e93ea159f
7 changed files with 504 additions and 257 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
modules/nixos/services/matrix/default.nix
View File

@@ -103,12 +103,12 @@ let
services.postgresql = { services.postgresql = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
authentication = lib.mkOverride 10 '' #authentication = lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD # # TYPE DATABASE USER ADDRESS METHOD
local all all peer # local all all peer
host all all 127.0.0.1/32 trust # host all all 127.0.0.1/32 trust
host all all ::1/128 trust # host all all ::1/128 trust
''; #'';
ensureDatabases = [ "synapse" ]; ensureDatabases = [ "synapse" ];
ensureUsers = [ ensureUsers = [
{ {

288
modules/nixos/services/nextcloud/container.nix Executable file
View File

@@ -0,0 +1,288 @@
{
config,
lib,
pkgs,
namespace,
...
}:
with lib;
let
cfg = config.${namespace}.services.nextcloud;
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
hostAddress = "10.0.1.3";
localAddress = "10.0.2.18";
nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943;
nextcloudPhotos = pkgs.${namespace}.nextcloud-app-photos;
nextcloudPdfViewer = pkgs.${namespace}.nextcloud-app-pdfviewer;
nextcloudAssist = pkgs.${namespace}.nextcloud-app-assistant;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
specialArgs = {
inherit namespace;
};
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
"/var/lib/nextcloud" = {
hostPath = "/media/nas/main/nix-app-data/nextcloud";
isReadOnly = false;
mountPoint = "/var/lib/nextcloud";
};
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/main/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
{
pkgs,
lib,
...
}:
{
nixpkgs.config.allowUnfree = true;
networking.extraHosts = ''
${hostAddress} host.containers protonmail-bridge
'';
services.nginx.virtualHosts."cloud.mjallen.dev".listen = [ { addr = "0.0.0.0"; port = 8080; } ];
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
# datadir = "/data";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = false;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
extraApps = {
inherit (pkgs.nextcloud31Packages.apps)
app_api
bookmarks
mail
calendar
contacts
integration_openai
integration_paperless
maps
oidc_login
onlyoffice
previewgenerator
recognize
richdocuments
user_oidc
;
inherit
nextcloudPhotos
nextcloudPdfViewer
nextcloudAssist
;
};
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "sqlite";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/data";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
"${localAddress}:80"
"${localAddress}:8080"
"${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
social_login_auto_redirect = true;
};
};
};
services.onlyoffice = {
enable = true;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = with pkgs; [
ffmpeg
# libtensorflow-bin
nextcloud32
nodejs
onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/onlyoffice-key
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
chmod -R 750 /run/secrets/jallen-nas/onlyoffice-key
'';
hardware = {
graphics = {
enable = true;
# setLdLibraryPath = true;
};
};
programs = {
nix-ld.enable = true;
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
8080
80
443
onlyofficePortExt
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${localAddress}:443";
sourcePort = nextcloudPortExtHttps;
}
# {
# destination = "${localAddress}:80";
# sourcePort = nextcloudPortExtHttp;
# }
{
destination = "${localAddress}:8080";
sourcePort = nextcloudPortExtHttp;
}
{
destination = "${localAddress}:8000";
sourcePort = 8000;
}
{
destination = "${localAddress}:${toString onlyofficePortExt}";
sourcePort = onlyofficePortExt;
}
];
};
};
};
}

366
modules/nixos/services/nextcloud/default.nix Executable file → Normal file
View File

@@ -15,7 +15,6 @@ let
nextcloudUserId = config.users.users.nix-apps.uid; nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid; nextcloudGroupId = config.users.groups.jallen-nas.gid;
hostAddress = "10.0.1.3"; hostAddress = "10.0.1.3";
localAddress = "10.0.2.18";
nextcloudPortExtHttp = 9988; nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943; nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943; onlyofficePortExt = 9943;
@@ -28,253 +27,130 @@ in
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
containers.nextcloud = { services.nginx.virtualHosts."cloud.mjallen.dev".listen = [ { addr = "0.0.0.0"; port = nextcloudPortExtHttp; } ];
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
specialArgs = {
inherit namespace;
};
bindMounts = { # Create required users and groups
secrets = { users.users.nextcloud = {
hostPath = "/run/secrets/jallen-nas/nextcloud"; isSystemUser = lib.mkForce true;
isReadOnly = true; isNormalUser = lib.mkForce false;
mountPoint = "/run/secrets/jallen-nas/nextcloud"; group = "nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
"/var/lib/nextcloud" = {
hostPath = "/media/nas/main/nix-app-data/nextcloud";
isReadOnly = false;
mountPoint = "/var/lib/nextcloud";
};
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/main/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
{
pkgs,
lib,
...
}:
{
nixpkgs.config.allowUnfree = true;
networking.extraHosts = ''
${hostAddress} host.containers protonmail-bridge
'';
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
# datadir = "/data";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = false;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
extraApps = {
inherit (pkgs.nextcloud31Packages.apps)
app_api
bookmarks
mail
calendar
contacts
integration_openai
integration_paperless
maps
oidc_login
onlyoffice
previewgenerator
recognize
richdocuments
user_oidc
;
inherit
nextcloudPhotos
nextcloudPdfViewer
nextcloudAssist
;
};
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "sqlite";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/data";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
"${localAddress}:80"
"${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
social_login_auto_redirect = true;
};
};
};
services.onlyoffice = {
enable = true;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = with pkgs; [
ffmpeg
# libtensorflow-bin
nextcloud32
nodejs
onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/onlyoffice-key
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
chmod -R 750 /run/secrets/jallen-nas/onlyoffice-key
'';
hardware = {
graphics = {
enable = true;
# setLdLibraryPath = true;
};
};
programs = {
nix-ld.enable = true;
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
onlyofficePortExt
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
}; };
networking = { users.groups = {
nat = { nextcloud = { };
forwardPorts = [ downloads = { };
{ };
destination = "${localAddress}:443";
sourcePort = nextcloudPortExtHttps; services = {
} opencloud = {
{ enable = true;
destination = "${localAddress}:80"; url = "https://10.0.1.3:9988";
sourcePort = nextcloudPortExtHttp; address = "0.0.0.0";
} port = nextcloudPortExtHttp;
{ stateDir = "/media/nas/main/nix-app-data/opencloud";
destination = "${localAddress}:8000"; };
sourcePort = 8000;
} onlyoffice = {
{ enable = false;
destination = "${localAddress}:${toString onlyofficePortExt}"; port = onlyofficePortExt;
sourcePort = onlyofficePortExt; hostname = "office.mjallen.dev";
} jwtSecretFile = jwtSecretFile;
]; };
nextcloud = {
enable = false;
package = pkgs.nextcloud32;
home = "/media/nas/main/nix-app-data/nextcloud";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = false;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
extraApps = {
inherit (pkgs.nextcloud32Packages.apps)
# app_api
# bookmarks
mail
calendar
contacts
integration_openai
integration_paperless
# maps
# oidc_login
onlyoffice
previewgenerator
recognize
# richdocuments
user_oidc
;
# inherit
# nextcloudPhotos
# nextcloudPdfViewer
# nextcloudAssist
# ;
};
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "pgsql";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
log_type = "syslog";
syslog_tag = "nextcloud";
logfile = "";
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/media/nas/main/nextcloud";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
# "${localAddress}:80"
# "${localAddress}:8080"
# "${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
social_login_auto_redirect = true;
};
}; };
}; };
}; };
} }

56
modules/nixos/services/opencloud/default.nix Normal file
View File

@@ -0,0 +1,56 @@
{
config,
lib,
namespace,
...
}:
with lib;
let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.opencloud;
opencloudConfig = {
services.opencloud = {
enable = true;
port = cfg.port;
environment = {
OC_OIDC_ISSUER = "";
OC_EXCLUDE_RUN_SERVICES = "idp";
PROXY_OIDC_REWRITE_WELLKNOWN = true;
PROXY_USER_OIDC_CLAIM = "preferred_username";
PROXY_AUTOPROVISION_ACCOUNTS = true;
PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc";
};
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "cloud";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares;
};
fullConfig = {
"${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
}
// opencloudConfig;
in
{
options.${namespace}.services.opencloud = {
enable = mkEnableOption "opencloud service";
port = mkOpt types.int 4000 "Port for opencloud to be hosted on";
localAddress = mkOpt types.str "127.0.0.1" "local address of the service";
dataDir = mkOpt types.str "" "Path to the data dir";
reverseProxy = mkReverseProxyOpt;
};
config = mkIf cfg.enable fullConfig;
}

25
modules/nixos/services/traefik/default.nix
View File

@@ -62,13 +62,15 @@ let
authentikUrl = "http://${serverIp}:9000"; authentikUrl = "http://${serverIp}:9000";
cacheUrl = "http://${serverIp}:9012"; cacheUrl = "http://${serverIp}:9012";
cloudUrl = "http://${config.containers.nextcloud.localAddress}:80"; cloudUrl = "http:/10.0.1.3:9988";
# cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
hassUrl = "http://10.0.1.4:8123"; hassUrl = "http://10.0.1.4:8123";
immichUrl = "http://${serverIp}:${toString config.services.immich.port}"; immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
jellyfinUrl = "http://${serverIp}:8096"; jellyfinUrl = "http://${serverIp}:8096";
jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}"; jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754"; lubeloggerUrl = "http://${serverIp}:6754";
onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; # onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
onlyofficeUrl = "http://10.0.1.3:8000";
openWebUIUrl = "http://${serverIp}:8888"; openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}"; paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
@@ -348,7 +350,13 @@ in
actual.loadBalancer.servers = [ actual.loadBalancer.servers = [
{ {
url = "https://10.0.1.3:3333"; url = "http://10.0.1.3:3333";
}
];
matrix.loadBalancer.servers = [
{
url = "http://10.1.0.3:8448";
} }
]; ];
@@ -445,6 +453,17 @@ in
]; ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };
matrix = {
entryPoints = [ "websecure" ];
rule = "Host(`matrix.${domain}`)";
service = "matrix";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
tls.certResolver = "letsencrypt";
};
authentik = { authentik = {
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];

6
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -107,13 +107,13 @@ in
address = "10.0.1.3/24"; address = "10.0.1.3/24";
method = "manual"; method = "manual";
gateway = "10.0.1.1"; gateway = "10.0.1.1";
interface = "wlp6s0"; interface = "enp197s0";
}; };
hostId = "4b501480"; hostId = "4b501480";
nat = { nat = {
enable = true; enable = true;
internalInterfaces = [ "ve-+" ]; internalInterfaces = [ "ve-+" ];
externalInterface = "wlp6s0"; externalInterface = "enp197s0";
enableIPv6 = true; enableIPv6 = true;
}; };
firewall = { firewall = {
@@ -142,7 +142,7 @@ in
2283 # immich 2283 # immich
4444 # code-server 4444 # code-server
9012 9012
9988
8192 8192
3000 3000
2222 2222

8
systems/x86_64-linux/jallen-nas/services.nix
View File

@@ -28,6 +28,7 @@
ensureDatabases = [ ensureDatabases = [
"authentik" "authentik"
"homeassistant" "homeassistant"
"nextcloud"
]; ];
ensureUsers = [ ensureUsers = [
{ {
@@ -38,12 +39,19 @@
name = "homeassistant"; name = "homeassistant";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
{
name = "nextcloud";
ensureDBOwnership = true;
}
]; ];
# Allow access via pg_hba.conf rules: # Allow access via pg_hba.conf rules:
authentication = pkgs.lib.mkOverride 50 '' authentication = pkgs.lib.mkOverride 50 ''
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
local all all trust local all all trust
host homeassistant homeassistant 10.0.1.0/24 trust host homeassistant homeassistant 10.0.1.0/24 trust
local nextcloud nextcloud trust
host nextcloud nextcloud 10.0.1.0/24 trust
host nextcloud nextcloud ::1/128 trust
''; '';
}; };