| author | Valentin <valentin@fricklerhandwerk.de> | 2025-11-04 18:27:33 +0100 |
|---|---|---|
| committer | Valentin <valentin@fricklerhandwerk.de> | 2025-11-06 16:46:28 +0100 |
| commit | c298e9e2ec45ddfe64fca4ed62f948dc05cde219 (patch) | |
| tree | fdeb4f72ef415ae15603e5a8408ba760cf431167 | |
| parent | 3a353d69df1da87002307bf46d320505fb60e829 (diff) | |
Nextcloud
| -rw-r--r-- | nextcloud.nix | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/nextcloud.nix b/nextcloud.nix
new file mode 100644
index 0000000..df89990
--- /dev/null
+++ b/nextcloud.nix
@@ -0,0 +1,108 @@
+{ self, ... }:
+{
+ flake.machines.tharos = {
+ nixos =
+ { config, lib, ... }:
+ let
+ apps = config.services.nextcloud.package.packages.apps;
+ nextcloud = config.services.nextcloud.hostName;
+ nginx = lib.head config.services.nginx.virtualHosts.${nextcloud}.listen;
+ in
+ {
+ services.nextcloud = {
+ enable = true;
+ hostName = "nextcloud.${self.domain}";
+ database.createLocally = true;
+ config.dbtype = "pgsql";
+ extraAppsEnable = true;
+ extraApps = {
+ inherit (apps)
+ contacts
+ calendar
+ tables
+ spreed # Videokonferenzen
+ # cospend # Rudimentäre Buchhaltung
+ # deck # Issue-Tracker
+ ;
+ };
+ settings = {
+ trusted_proxies = [ nginx.addr ];
+ mail_smtpmode = "smtp";
+ mail_smtphost = "smtp.tharos-net.de";
+ mail_smtpport = 587;
+ mail_smtpauth = true;
+ mail_smtptimeout = 30;
+ mail_smtpname = "nextcloud@${self.domain}";
+ mail_from_address = "nextcloud";
+ mail_domain = self.domain;
+ mail_smtpstreamoptions = {
+ /*
+ ACHTUNG: Hier ist Angriffsfläche!
+ Dringend den Mailserver ordentlich einrichten!
+ */
+ ssl = {
+ allow_self_signed = true;
+ verify_peer = false;
+ verify_peer_name = false;
+ };
+ };
+ };
+ /*
+ Vor erstmaligem Anwenden der Konfiguration:
+
+ echo $PASSWORT | ssh tharos 'sudo install -m 600 /dev/stdin /var/lib/nextcloud/initialrootpassword'
+ cat $SECRETS | ssh tharos 'sudo install -m 600 -o nextcloud -g nextcloud /dev/stdin /var/lib/nextcloud/secrets.json'
+
+ Die Dateien bleiben auf dem System!
+ Das einmalige Root-Passwort wird nicht wieder verwendet.
+
+ Besser wäre natürlich zentralisiertes Management von geheimen Daten.
+ */
+ secretFile = "/var/lib/nextcloud/secrets.json";
+ config.adminpassFile = "/var/lib/nextcloud/initialrootpassword";
+ };
+ services.nginx.virtualHosts.${nextcloud} = {
+ listen = [
+ {
+ addr = "127.0.0.1";
+ port = 8080;
+ }
+ ];
+ };
+ services.caddy = {
+ virtualHosts.${nextcloud}.extraConfig = ''
+ reverse_proxy http://${nginx.addr}:${toString nginx.port}
+ '';
+ };
+ };
+ vm =
+ { config, lib, ... }:
+
+ let
+ httpPort = 900;
+ nextcloud = config.services.nextcloud.hostName;
+ in
+ {
+ services.nextcloud = {
+ https = lib.mkForce false;
+ hostName = lib.mkForce "localhost";
+ };
+
+ systemd.tmpfiles.rules = [
+ "f /var/lib/nextcloud/secrets.json 0600 nextcloud nextcloud - {}"
+ "f /var/lib/nextcloud/initialrootpassword 0600 nextcloud nextcloud - root"
+ ];
+
+ services.caddy.virtualHosts = {
+ "http://localhost:${toString httpPort}".extraConfig =
+ config.services.caddy.virtualHosts.${nextcloud}.extraConfig;
+ };
+ networking.firewall.allowedTCPPorts = [
+ httpPort
+ ];
+ services.getty.helpLine = lib.mkBefore ''
+ Nextcloud: http://localhost:${toString (config.virtualisation.portOffset + httpPort)}
+ '';
+ };
+ };
+} |
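Review bot: The `ssl` block under `mail_smtpstreamoptions` turns off certificate checking for the SMTP connection (`allow_self_signed = true`, `verify_peer = false`, `verify_peer_name = false`), so the SMTP credentials loaded from `secrets.json` and sent with `mail_smtpauth = true` are exposed to anyone who can intercept traffic to `smtp.tharos-net.de`; the surrounding comment warns about the exposure but does not state what must hold before the override can be removed, so it will be easy to leave in place indefinitely. Extend the comment with the concrete precondition and a tracked marker, e.g. `# TODO: drop this block once smtp.tharos-net.de serves a certificate that validates against the system CA store`, and note that the mail-server fix itself lives outside this file. The same applies to the secrets comment further down: it says the files stay on the system but not who is expected to rotate the initial admin password after first login, which is worth one sentence there.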
