blob: eedb507adaaae99971c05e43b80ce5c56d27c97d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
{ self, ... }:
{
flake.machines.tharos = {
nixos =
{ config, lib, ... }:
let
apps = config.services.nextcloud.package.packages.apps;
nextcloud = config.services.nextcloud.hostName;
nginx = lib.head config.services.nginx.virtualHosts.${nextcloud}.listen;
in
{
services.nextcloud = {
enable = true;
hostName = "nextcloud.${self.domain}";
database.createLocally = true;
config.dbtype = "pgsql";
extraAppsEnable = true;
extraApps = {
inherit (apps)
contacts
calendar
tables
spreed # Videokonferenzen
# cospend # Rudimentäre Buchhaltung
# deck # Issue-Tracker
;
};
settings = {
trusted_proxies = [ nginx.addr ];
mail_smtpmode = "smtp";
mail_smtphost = "smtp.tharos-net.de";
mail_smtpport = 587;
mail_smtpauth = true;
mail_smtptimeout = 30;
mail_smtpname = "nextcloud@${self.domain}";
mail_from_address = "nextcloud";
mail_domain = self.domain;
mail_smtpstreamoptions = {
/*
ACHTUNG: Hier ist Angriffsfläche!
Dringend den Mailserver ordentlich einrichten!
*/
ssl = {
allow_self_signed = true;
verify_peer = false;
verify_peer_name = false;
};
};
};
/*
Vor erstmaligem Anwenden der Konfiguration:
echo $PASSWORT | ssh tharos 'sudo install -m 600 /dev/stdin /var/lib/nextcloud/initialrootpassword'
cat $SECRETS | ssh tharos 'sudo install -m 600 -o nextcloud -g nextcloud /dev/stdin /var/lib/nextcloud/secrets.json'
Die Dateien bleiben auf dem System!
Das einmalige Root-Passwort wird nicht wieder verwendet.
Besser wäre natürlich zentralisiertes Management von geheimen Daten.
*/
secretFile = "/var/lib/nextcloud/secrets.json";
config.adminpassFile = "/var/lib/nextcloud/initialrootpassword";
};
services.nginx.virtualHosts.${nextcloud} = {
listen = [
{
addr = "127.0.0.1";
port = 8080;
}
];
};
services.caddy = {
virtualHosts.${nextcloud}.extraConfig = ''
reverse_proxy http://${nginx.addr}:${toString nginx.port}
'';
};
};
vm =
{ config, lib, ... }:
let
nextcloud = config.services.nextcloud.hostName;
in
{
services.nextcloud = {
https = lib.mkForce false;
hostName = lib.mkForce "nextcloud.localhost";
};
systemd.tmpfiles.rules = [
"f /var/lib/nextcloud/secrets.json 0600 nextcloud nextcloud - {}"
"f /var/lib/nextcloud/initialrootpassword 0600 nextcloud nextcloud - root"
];
services.caddy.virtualHosts = {
"http://${nextcloud}:${toString config.virtualisation.exposedPorts.http.port}".extraConfig =
config.services.caddy.virtualHosts.${nextcloud}.extraConfig;
};
services.getty.helpLine = lib.mkBefore ''
Nextcloud: http://${nextcloud}:${
with config.virtualisation; toString (portOffset + exposedPorts.http.port)
}
'';
};
};
}
|
