mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

test

Browse Source
This commit is contained in:
mjallen18
2025-12-14 10:19:26 -06:00
parent 90daf80a88
commit f09246dcba
10 changed files with 171 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
iso-minimal Symbolic link
View File

@@ -0,0 +1 @@
/nix/store/l75qzsqgsaafrgkjchxpvmmdr4k5pjq1-nixos-26.05.20251209.677fbe9-x86_64-linux.iso

8
modules/home/programs/update-checker/default.nix
View File

@@ -1,9 +1,13 @@
{ {
config, config,
lib,
namespace,
pkgs, pkgs,
... ...
}: }:
let let
git-token = (if config.${namespace}.sops.enable then config.sops.secrets."github-token".path else "error");
update-checker = pkgs.writeScriptBin "update-checker" '' update-checker = pkgs.writeScriptBin "update-checker" ''
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#! nix-shell -i python3 --pure #! nix-shell -i python3 --pure
@@ -19,7 +23,7 @@ let
token = None token = None
with open('${config.sops.secrets."github-token".path}', 'r') as token_file: with open('${git-token}', 'r') as token_file:
token = token_file.readline() token = token_file.readline()
auth = Auth.Token(token) auth = Auth.Token(token)
@@ -267,7 +271,7 @@ let
''; '';
in in
{ {
config = { config = lib.mkIf config.${namespace}.sops.enable {
home.packages = [ update-checker ]; home.packages = [ update-checker ];
}; };
} }

2
modules/home/sops/default.nix
View File

@@ -10,7 +10,7 @@ in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = { config = lib.mkIf cfg.enable {
sops = { sops = {
age.keyFile = "/home/${config.${namespace}.user.name}/.config/sops/age/keys.txt"; age.keyFile = "/home/${config.${namespace}.user.name}/.config/sops/age/keys.txt";
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml"; defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";

62
modules/nixos/services/collabora/default.nix Normal file
View File

@@ -0,0 +1,62 @@
{
config,
lib,
namespace,
...
}:
let
inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
cfg = config.${namespace}.services.collabora;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
in
{
options.${namespace}.services.collabora = with lib; {
enable = lib.mkEnableOption "";
port = mkOpt types.int 9980 "Port for opencloud to be hosted on";
configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir";
puid = mkOpt types.str "911" "puid";
pgid = mkOpt types.str "1000" "pgid";
timeZone = mkOpt types.str "America/Chicago" "container tz";
};
config = lib.mkIf cfg.enable {
services.collabora-online = {
enable = true;
port = cfg.port;
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
};
# Listen on loopback interface only, and accept requests from ::1
net = {
listen = "0.0.0.0";
post_allow.host = [
"cloud.mjallen.dev"
"office.mjallen.dev"
"10.0.1.3"
"10.0.1.0/24"
];
frame_ancestors = "cloud.mjallen.dev";
};
# Restrict loading documents from WOPI Host
storage.wopi = {
"@allow" = true;
host = ["cloud.mjallen.dev"];
};
# Set FQDN of server
server_name = "office.mjallen.dev";
};
};
};
}

55
modules/nixos/services/opencloud/default.nix
View File

@@ -10,6 +10,15 @@ let
cfg = config.${namespace}.services.opencloud; cfg = config.${namespace}.services.opencloud;
opencloudConfig = { opencloudConfig = {
sops.templates = {
"opencloud.env" = {
content = ''
OC_JWT_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
OC_TRANSFER_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
OC_MACHINE_AUTH_API_KEY=${config.sops.placeholder."jallen-nas/onlyoffice-key"}
'';
};
};
virtualisation.oci-containers.containers.opencloud = { virtualisation.oci-containers.containers.opencloud = {
autoStart = true; autoStart = true;
image = "opencloudeu/opencloud-rolling"; image = "opencloudeu/opencloud-rolling";
@@ -20,22 +29,47 @@ let
"${cfg.dataPath}:/var/lib/opencloud" "${cfg.dataPath}:/var/lib/opencloud"
"${cfg.configPath}:/etc/opencloud" "${cfg.configPath}:/etc/opencloud"
]; ];
environmentFiles = [ ]; environmentFiles = [ config.sops.templates."opencloud.env".path ];
environment = { environment = {
OC_ADD_RUN_SERVICES = "collaboration"; OC_ADD_RUN_SERVICES = "collaboration,app-provider";
APP_PROVIDER_WOPI_APP_NAME = "OnlyOffice"; OC_REVA_GATEWAY = "eu.opencloud.api.gateway";
COLLABORATION_APP_NAME = "OnlyOffice"; APP_PROVIDER_WOPI_APP_NAME = "Collabora";
COLLABORATION_APP_PRODUCT = "OnlyOffice"; APP_PROVIDER_ENABLE = "true";
COLLABORATION_WOPI_SRC = "https://cloud.mjallen.dev"; APP_PROVIDER_SERVICE_NAME = "app-provider-collabora";
COLLABORATION_APP_NAME = "Collabora";
COLLABORATION_APP_PRODUCT = "Collabora";
COLLABORATION_WOPI_DISCOVERY_URL = "https://office.mjallen.dev/hosting/discovery";
COLLABORATION_WOPI_SRC = "https://office.mjallen.dev";
OC_COLLABORATION_WOPI_URL = "https://office.mjallen.dev";
COLLABORATION_APP_ADDR = "https://office.mjallen.dev"; COLLABORATION_APP_ADDR = "https://office.mjallen.dev";
COLLABORATION_APP_INSECURE = "false"; COLLABORATION_APP_INSECURE = "false";
COLLABORATION_LOG_LEVEL = "info";
COLLABORATION_APP_PROOF_DISABLE = "true"; COLLABORATION_APP_PROOF_DISABLE = "true";
COLLABORATION_WOPI_SHORTTOKENS = "false"; COLLABORATION_WOPI_SHORTTOKENS = "false";
COLLABORATION_GRPC_ADDR = "0.0.0.0:9301"; # COLLABORATION_GRPC_ADDR = "0.0.0.0:9301";
COLLABORATION_HTTP_ADDR = "0.0.0.0:9300"; # COLLABORATION_HTTP_ADDR = "0.0.0.0:9200";
MICRO_REGISTRY = "nats-js-kv"; MICRO_REGISTRY = "nats-js-kv";
MICRO_REGISTRY_ADDRESS = "opencloud:9233"; MICRO_REGISTRY_ADDRESS = "127.0.0.1:9233";
OC_SYSTEM_USER_ID = cfg.puid;
OC_LOG_LEVEL = "info";
APP_PROVIDER_PROVIDERS = "collabora";
APP_PROVIDER_COLLABORA_NAME = "Collabora";
APP_PROVIDER_COLLABORA_PRODUCT = "Collabora Online";
APP_PROVIDER_COLLABORA_ADDR = "https://office.mjallen.dev";
APP_PROVIDER_COLLABORA_ICON = "https://office.mjallen.dev/favicon.ico";
APP_PROVIDER_COLLABORA_MIME_TYPES = ''
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/msword
application/vnd.ms-excel
application/vnd.ms-powerpoint
text/plain
'';
NATS_NATS_HOST = "0.0.0.0"; NATS_NATS_HOST = "0.0.0.0";
GATEWAY_GRPC_ADDR = "0.0.0.0:9142"; GATEWAY_GRPC_ADDR = "0.0.0.0:9142";
@@ -50,6 +84,7 @@ let
PROXY_TLS = "false"; PROXY_TLS = "false";
PROXY_HTTP_ADDR = "0.0.0.0:9200"; PROXY_HTTP_ADDR = "0.0.0.0:9200";
OC_URL = "https://cloud.mjallen.dev"; OC_URL = "https://cloud.mjallen.dev";
OC_PUBLIC_URL = "https://cloud.mjallen.dev";
PUID = cfg.puid; PUID = cfg.puid;
PGID = cfg.pgid; PGID = cfg.pgid;
TZ = cfg.timeZone; TZ = cfg.timeZone;

47
modules/nixos/services/traefik/default.nix
View File

@@ -70,7 +70,7 @@ let
jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}"; jellyseerrUrl = "http://10.0.1.3:${toString config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754"; lubeloggerUrl = "http://${serverIp}:6754";
# onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; # onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
onlyofficeUrl = "http://10.0.1.3:9943"; onlyofficeUrl = "http://10.0.1.3:9980";
openWebUIUrl = "http://${serverIp}:8888"; openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}"; paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
@@ -294,11 +294,6 @@ in
]; ];
}; };
}; };
onlyoffice-websocket = {
headers.customrequestheaders = {
X-Forwarded-Proto = "https";
};
};
crowdsec = { crowdsec = {
plugin = { plugin = {
bouncer = { bouncer = {
@@ -344,6 +339,43 @@ in
]; ];
}; };
}; };
collabora-headers = {
headers = {
customRequestHeaders = {
Upgrade = "websocket";
Connection = "Upgrade";
X-Forwarded-Proto = "https";
X-Forwarded-Host = "office.mjallen.dev";
};
customResponseHeaders = {
X-Frame-Options = "";
Content-Security-Policy = "frame-ancestors https://cloud.mjallen.dev";
};
referrerPolicy = "no-referrer";
stsSeconds = "15552000";
stsPreload = "true";
stsIncludeSubdomains = "true";
forceSTSHeader = "true";
browserXssFilter = "true";
};
};
onlyoffice-headers = {
headers = {
customResponseHeaders = {
X-Robots-Tag = "none";
Strict-Transport-Security = "max-age=63072000";
X-Forwarded-Proto = "https";
};
browserXssFilter = "true";
contentTypeNosniff = "true";
stsIncludeSubdomains = "true";
stsPreload = "true";
stsSeconds = "31536000";
forceSTSHeader = "true";
accessControlMaxAge = "15552000";
accesscontrolalloworiginlist = "*";
};
};
}; };
services = { services = {
@@ -571,7 +603,8 @@ in
middlewares = [ middlewares = [
"crowdsec" "crowdsec"
"whitelist-geoblock" "whitelist-geoblock"
"onlyoffice-websocket" # "onlyoffice-headers"
"collabora-headers"
]; ];
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };

12
systems/x86_64-install-iso/graphical/default.nix
View File

@@ -1,4 +1,5 @@
{ {
lib,
pkgs, pkgs,
namespace, namespace,
... ...
@@ -11,6 +12,12 @@
bootloader.lanzaboote.enable = true; bootloader.lanzaboote.enable = true;
# ###################################################
# # Desktop # #
# ###################################################
desktop.cosmic.enable = true;
# ################################################### # ###################################################
# # Hardware # # # # Hardware # #
# ################################################### # ###################################################
@@ -64,6 +71,9 @@
# # Boot # # # # Boot # #
# ################################################### # ###################################################
boot.kernelPackages = pkgs.linuxPackages_latest; boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos-lto;
supportedFilesystems.zfs = false;
};
} }

2
systems/x86_64-install-iso/minimal/default.nix
View File

@@ -66,7 +66,7 @@
# ################################################### # ###################################################
boot = { boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos-gcc; kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos-lto;
supportedFilesystems.zfs = false; supportedFilesystems.zfs = false;
}; };

3
systems/x86_64-linux/jallen-nas/apps.nix
View File

@@ -16,7 +16,8 @@
port = 9200; port = 9200;
reverseProxy.enable = true; reverseProxy.enable = true;
}; };
onlyoffice.enable = true; onlyoffice.enable = false;
collabora.enable = true;
ai.enable = true; ai.enable = true;
paperless.enable = true; paperless.enable = true;
traefik.enable = true; traefik.enable = true;

2
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -159,6 +159,8 @@ in
5201 # iperf 5201 # iperf
8400 8400
9200 9200
9233
9980
]; ];
allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts; allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
}; };