diff --git a/iso-minimal b/iso-minimal new file mode 120000
index 0000000..1d53201
--- /dev/null
+++ b/iso-minimal
@@ -0,0 +1 @@
+/nix/store/l75qzsqgsaafrgkjchxpvmmdr4k5pjq1-nixos-26.05.20251209.677fbe9-x86_64-linux.iso
\ No newline at end of file
diff --git a/modules/home/programs/update-checker/default.nix b/modules/home/programs/update-checker/default.nix
index fed4f6c..99f8b7d 100644
--- a/modules/home/programs/update-checker/default.nix
+++ b/modules/home/programs/update-checker/default.nix
@@ -1,9 +1,13 @@ { config, + lib, + namespace, pkgs, ... }: let + git-token = (if config.${namespace}.sops.enable then config.sops.secrets."github-token".path else "error"); + + update-checker = pkgs.writeScriptBin "update-checker" '' #!/usr/bin/env nix-shell #! nix-shell -i python3 --pure
@@ -19,7 +23,7 @@ let token = None - with open('${config.sops.secrets."github-token".path}', 'r') as token_file: + with open('${git-token}', 'r') as token_file: token = token_file.readline() auth = Auth.Token(token)
@@ -267,7 +271,7 @@ let ''; in { - config = { + config = lib.mkIf config.${namespace}.sops.enable { home.packages = [ update-checker ]; }; }
diff --git a/modules/home/sops/default.nix b/modules/home/sops/default.nix
index 71f1ee4..1bb1578 100644
--- a/modules/home/sops/default.nix
+++ b/modules/home/sops/default.nix
@@ -10,7 +10,7 @@ in { imports = [ ./options.nix ]; - config = { + config = lib.mkIf cfg.enable { sops = { age.keyFile = "/home/${config.${namespace}.user.name}/.config/sops/age/keys.txt"; defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
diff --git a/modules/nixos/services/collabora/default.nix b/modules/nixos/services/collabora/default.nix new file mode 100644
index 0000000..90e7c2e
--- /dev/null
+++ b/modules/nixos/services/collabora/default.nix
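Review bot: The `else "error"` branch of `git-token` is a silent fallback: if it were ever taken, the generated script would run `open('error')` relative to its working directory and die with an unrelated-looking FileNotFoundError instead of saying that sops is disabled. It is also unreachable in practice, because the `@@ -267,7 +271,7 @@` hunk gates the whole `config` with `lib.mkIf config.${namespace}.sops.enable` and mkIf does not evaluate its body when the condition is false, so the secret path can be referenced directly; if the guard is kept for clarity, fail loudly with `else throw "update-checker requires ${namespace}.sops.enable"` rather than a bogus path. The `@@ -19,7 +23,7 @@` hunk is covered by the same point.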
@@ -0,0 +1,62 @@
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+let
+ inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
+ cfg = config.${namespace}.services.collabora;
+
+ jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
+in
+{
+ options.${namespace}.services.collabora = with lib; {
+ enable = lib.mkEnableOption "";
+
+ port = mkOpt types.int 9980 "Port for opencloud to be hosted on";
+
+ configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir";
+
+ puid = mkOpt types.str "911" "puid";
+
+ pgid = mkOpt types.str "1000" "pgid";
+
+ timeZone = mkOpt types.str "America/Chicago" "container tz";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.collabora-online = {
+ enable = true;
+ port = cfg.port;
+ settings = {
+ # Rely on reverse proxy for SSL
+ ssl = {
+ enable = false;
+ termination = true;
+ };
+
+ # Listen on loopback interface only, and accept requests from ::1
+ net = {
+ listen = "0.0.0.0";
+ post_allow.host = [
+ "cloud.mjallen.dev"
+ "office.mjallen.dev"
+ "10.0.1.3"
+ "10.0.1.0/24"
+ ];
+ frame_ancestors = "cloud.mjallen.dev";
+ };
+
+ # Restrict loading documents from WOPI Host
+ storage.wopi = {
+ "@allow" = true;
+ host = ["cloud.mjallen.dev"];
+ };
+
+ # Set FQDN of server
+ server_name = "office.mjallen.dev";
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/opencloud/default.nix b/modules/nixos/services/opencloud/default.nix
index b8b521b..f032f82 100644
--- a/modules/nixos/services/opencloud/default.nix
+++ b/modules/nixos/services/opencloud/default.nix
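Review bot: The comment `# Listen on loopback interface only, and accept requests from ::1` contradicts `listen = "0.0.0.0";` directly under it; combined with `ssl.enable = false` and the 9980 firewall opening in jallen-nas/default.nix, this is a plaintext Collabora listener reachable from the whole LAN without passing Traefik's crowdsec, geoblock and header middlewares. If the proxy genuinely needs to reach it over the network, bind to the host's LAN address and restrict the firewall rule to the proxy's source; otherwise use `listen = "127.0.0.1";` and in either case rewrite the comment to match. Several bindings are dead: `jwtSecretFile`, `mkReverseProxyOpt`, and the `configPath`/`puid`/`pgid`/`timeZone` options are never used by the `config` block, `enable = lib.mkEnableOption ""` has no description, and `port`'s description says "opencloud"; trim or wire them up so the options do not advertise behaviour the module lacks.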
@@ -10,6 +10,15 @@ let cfg = config.${namespace}.services.opencloud; opencloudConfig = { + sops.templates = { + "opencloud.env" = { + content = '' + OC_JWT_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"} + OC_TRANSFER_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"} + OC_MACHINE_AUTH_API_KEY=${config.sops.placeholder."jallen-nas/onlyoffice-key"} + ''; + }; + }; virtualisation.oci-containers.containers.opencloud = { autoStart = true; image = "opencloudeu/opencloud-rolling"; 
@@ -20,22 +29,47 @@ let "${cfg.dataPath}:/var/lib/opencloud" "${cfg.configPath}:/etc/opencloud" ]; - environmentFiles = [ ]; + environmentFiles = [ config.sops.templates."opencloud.env".path ]; environment = { - OC_ADD_RUN_SERVICES = "collaboration"; - APP_PROVIDER_WOPI_APP_NAME = "OnlyOffice"; - COLLABORATION_APP_NAME = "OnlyOffice"; - COLLABORATION_APP_PRODUCT = "OnlyOffice"; - COLLABORATION_WOPI_SRC = "https://cloud.mjallen.dev"; + OC_ADD_RUN_SERVICES = "collaboration,app-provider"; + OC_REVA_GATEWAY = "eu.opencloud.api.gateway"; + APP_PROVIDER_WOPI_APP_NAME = "Collabora"; + APP_PROVIDER_ENABLE = "true"; + APP_PROVIDER_SERVICE_NAME = "app-provider-collabora"; + COLLABORATION_APP_NAME = "Collabora"; + COLLABORATION_APP_PRODUCT = "Collabora"; + COLLABORATION_WOPI_DISCOVERY_URL = "https://office.mjallen.dev/hosting/discovery"; + COLLABORATION_WOPI_SRC = "https://office.mjallen.dev"; + OC_COLLABORATION_WOPI_URL = "https://office.mjallen.dev"; COLLABORATION_APP_ADDR = "https://office.mjallen.dev"; COLLABORATION_APP_INSECURE = "false"; - COLLABORATION_LOG_LEVEL = "info"; COLLABORATION_APP_PROOF_DISABLE = "true"; COLLABORATION_WOPI_SHORTTOKENS = "false"; - COLLABORATION_GRPC_ADDR = "0.0.0.0:9301"; - COLLABORATION_HTTP_ADDR = "0.0.0.0:9300"; + # COLLABORATION_GRPC_ADDR = "0.0.0.0:9301"; + # COLLABORATION_HTTP_ADDR = "0.0.0.0:9200"; MICRO_REGISTRY = "nats-js-kv"; - MICRO_REGISTRY_ADDRESS = "opencloud:9233"; + MICRO_REGISTRY_ADDRESS = "127.0.0.1:9233"; + OC_SYSTEM_USER_ID = cfg.puid; + + OC_LOG_LEVEL = "info"; + + APP_PROVIDER_PROVIDERS = "collabora"; + + APP_PROVIDER_COLLABORA_NAME = "Collabora"; + APP_PROVIDER_COLLABORA_PRODUCT = "Collabora Online"; + + APP_PROVIDER_COLLABORA_ADDR = "https://office.mjallen.dev"; + APP_PROVIDER_COLLABORA_ICON = "https://office.mjallen.dev/favicon.ico"; + + APP_PROVIDER_COLLABORA_MIME_TYPES = '' + application/vnd.openxmlformats-officedocument.wordprocessingml.document + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + 
application/vnd.openxmlformats-officedocument.presentationml.presentation + application/msword + application/vnd.ms-excel + application/vnd.ms-powerpoint + text/plain + ''; NATS_NATS_HOST = "0.0.0.0"; GATEWAY_GRPC_ADDR = "0.0.0.0:9142";
@@ -50,6 +84,7 @@ let PROXY_TLS = "false"; PROXY_HTTP_ADDR = "0.0.0.0:9200"; OC_URL = "https://cloud.mjallen.dev"; + OC_PUBLIC_URL = "https://cloud.mjallen.dev"; PUID = cfg.puid; PGID = cfg.pgid; TZ = cfg.timeZone;
diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix
index 7939fda..f1bc8bf 100755
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -70,7 +70,7 @@ let jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}"; lubeloggerUrl = "http://${serverIp}:6754"; # onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; - onlyofficeUrl = "http://10.0.1.3:9943"; + onlyofficeUrl = "http://10.0.1.3:9980"; openWebUIUrl = "http://${serverIp}:8888"; paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
@@ -294,11 +294,6 @@ in ]; }; }; - onlyoffice-websocket = { - headers.customrequestheaders = { - X-Forwarded-Proto = "https"; - }; - }; crowdsec = { plugin = { bouncer = {
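Review bot: `OC_SYSTEM_USER_ID = cfg.puid;` in the `@@ -20,22 +29,47 @@` hunk looks like a misuse of the option: `cfg.puid` is the container's unix uid (it is also passed as `PUID` further down), whereas OC_SYSTEM_USER_ID names OpenCloud's internal system user, which its documentation describes as a UUID — confirm before relying on it. The commented-out `COLLABORATION_GRPC_ADDR`/`COLLABORATION_HTTP_ADDR` lines are dead configuration; delete them or replace them with a one-line comment saying the defaults are used since the collaboration service now runs inside the same container. Since MICRO_REGISTRY_ADDRESS is now loopback (`127.0.0.1:9233`), the NATS port 9233 opened in jallen-nas/default.nix appears unnecessary unless the container uses host networking, which nothing in this hunk shows.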
@@ -344,6 +339,43 @@ in ]; }; }; + collabora-headers = { + headers = { + customRequestHeaders = { + Upgrade = "websocket"; + Connection = "Upgrade"; + X-Forwarded-Proto = "https"; + X-Forwarded-Host = "office.mjallen.dev"; + }; + customResponseHeaders = { + X-Frame-Options = ""; + Content-Security-Policy = "frame-ancestors https://cloud.mjallen.dev"; + }; + referrerPolicy = "no-referrer"; + stsSeconds = "15552000"; + stsPreload = "true"; + stsIncludeSubdomains = "true"; + forceSTSHeader = "true"; + browserXssFilter = "true"; + }; + }; + onlyoffice-headers = { + headers = { + customResponseHeaders = { + X-Robots-Tag = "none"; + Strict-Transport-Security = "max-age=63072000"; + X-Forwarded-Proto = "https"; + }; + browserXssFilter = "true"; + contentTypeNosniff = "true"; + stsIncludeSubdomains = "true"; + stsPreload = "true"; + stsSeconds = "31536000"; + forceSTSHeader = "true"; + accessControlMaxAge = "15552000"; + accesscontrolalloworiginlist = "*"; + }; + }; }; services = {
@@ -571,7 +603,8 @@ in middlewares = [ "crowdsec" "whitelist-geoblock" - "onlyoffice-websocket" + # "onlyoffice-headers" + "collabora-headers" ]; tls.certResolver = "letsencrypt"; };
diff --git a/systems/x86_64-install-iso/graphical/default.nix b/systems/x86_64-install-iso/graphical/default.nix
index 71ce3c1..a372d9f 100644
--- a/systems/x86_64-install-iso/graphical/default.nix
+++ b/systems/x86_64-install-iso/graphical/default.nix
@@ -1,4 +1,5 @@ { + lib, pkgs, namespace, ...
@@ -11,6 +12,12 @@ bootloader.lanzaboote.enable = true; + # ################################################### + # # Desktop # # + # ################################################### + + desktop.cosmic.enable = true; + # ################################################### + # # Hardware # # + # ###################################################
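Review bot: `collabora-headers` forces `Upgrade = "websocket";` and `Connection = "Upgrade";` onto every proxied request, including plain HTTP calls such as the `/hosting/discovery` fetch and document loads; Traefik forwards genuine WebSocket upgrades on its own, and stamping the upgrade headers on ordinary requests may break them, so drop those two customRequestHeaders and keep only `X-Forwarded-Proto`/`X-Forwarded-Host`. `onlyoffice-headers` is no longer referenced — the `@@ -571,7 +603,8 @@` hunk comments it out in the router — yet it defines `accesscontrolalloworiginlist = "*"` and puts `X-Forwarded-Proto`, a request-direction header, in customResponseHeaders; rather than leaving a wildcard-CORS middleware defined but unused, remove it together with the commented-out router entry.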
@@ -64,6 +71,9 @@ # # Boot # # # ################################################### - boot.kernelPackages = pkgs.linuxPackages_latest; + boot = { + kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos-lto; + supportedFilesystems.zfs = false; + }; }
diff --git a/systems/x86_64-install-iso/minimal/default.nix b/systems/x86_64-install-iso/minimal/default.nix
index caaacd9..398251e 100644
--- a/systems/x86_64-install-iso/minimal/default.nix
+++ b/systems/x86_64-install-iso/minimal/default.nix
@@ -66,7 +66,7 @@ # ################################################### boot = { - kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos-gcc; + kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos-lto; supportedFilesystems.zfs = false; };
diff --git a/systems/x86_64-linux/jallen-nas/apps.nix b/systems/x86_64-linux/jallen-nas/apps.nix
index ed3bfde..a5b466b 100755
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -16,7 +16,8 @@ port = 9200; reverseProxy.enable = true; }; - onlyoffice.enable = true; + onlyoffice.enable = false; + collabora.enable = true; ai.enable = true; paperless.enable = true; traefik.enable = true;
diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix
index bd419ba..b3a1bca 100755
--- a/systems/x86_64-linux/jallen-nas/default.nix
+++ b/systems/x86_64-linux/jallen-nas/default.nix
@@ -159,6 +159,8 @@ in 5201 # iperf 8400 9200 + 9233 + 9980 ]; allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts; };
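Review bot: Adding `9980` and `9233` to this port list opens Collabora's plaintext listener (`ssl.enable = false`, `listen = "0.0.0.0"` in the new collabora module) and OpenCloud's NATS registry on every interface, so LAN clients can reach both directly and skip Traefik's crowdsec, geoblock and header middlewares. If only the reverse proxy needs them, scope the rule instead, e.g. with `networking.firewall.interfaces.<iface>.allowedTCPPorts` on the internal interface or an `extraCommands` rule limited to the proxy's address, and drop 9233 entirely if the registry is only used over loopback as the new MICRO_REGISTRY_ADDRESS suggests. Note also that `allowedUDPPorts` three lines down mirrors this TCP list, so if this list is that option both ports are opened on UDP as well, which neither service needs.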