diff --git a/config/secrets/secrets.nix b/config/secrets/secrets.nix
index e2fd444..bc815e2 100644
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@@ -29,6 +29,7 @@ in {
 "services/minio/root-credentials.age".publicKeys = default;
 "services/nextcloud/admin-password.age".publicKeys = default;
+ "services/nextcloud/s3-secret.age".publicKeys = default;
 "services/wakapi/password-salt.env.age".publicKeys = default;
diff --git a/config/secrets/services/attic/atticd.env.age b/config/secrets/services/attic/atticd.env.age
index f17f271..40d876e 100644
Binary files a/config/secrets/services/attic/atticd.env.age and b/config/secrets/services/attic/atticd.env.age differ
diff --git a/config/secrets/services/nextcloud/s3-secret.age b/config/secrets/services/nextcloud/s3-secret.age
new file mode 100644
index 0000000..0ad202f
--- /dev/null
+++ b/config/secrets/services/nextcloud/s3-secret.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA A6rsjlRtz7QJc11jJFBoWwJtF7SXjxSEdyY3jJiZK4Eu
+kiSbzDbklbInU25sPN/6KocndTl02CRhSAO4MVl60OE
+-> ssh-ed25519 zj2A2A 1bWcMWRBVed0hHent3pV+ZKzEqGIiQfwzX8JMaGeBxQ
+ePsM0Q4GY9FGFLKb8U/AsKXKJsWRmTnLTbigvQetQ5I
+--- y4RUKInn54CwWTxLk2B/2cZyg6KRLZ8X202xhSOCJBI
+m-V/ KBs qڟ3/̹gՔX0t5X P&"顬dJ[x]oL@@
\ No newline at end of file
diff --git a/config/services/attic.nix b/config/services/attic.nix
index 03c37bc..3b1eb2f 100644
--- a/config/services/attic.nix
+++ b/config/services/attic.nix
@@ -10,6 +10,12 @@
 avg-size = 64 * 1024; # 64 KiB
 max-size = 256 * 1024; # 256 KiB
 };
+ storage = {
+ bucket = "attic";
+ endpoint = "https://s3.winston.sh";
+ region = "eu-central-1";
+ type = "s3";
+ };
 };
 };
diff --git a/config/services/default.nix b/config/services/default.nix
index 9cf5d2a..76aec30 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -6,6 +6,7 @@
 ./freshrss.nix
 ./gitlab
 ./invidious.nix
+ ./minio.nix
 ./nextcloud.nix
 ./nginx.nix
 ./postgres.nix
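Review bot: The new `storage` block in attic.nix points atticd at `https://s3.winston.sh` but carries no credentials, so the access key and secret presumably come from the `atticd.env.age` environment file this commit also re-encrypts (a binary hunk, not reviewable here); a comment above the block such as `# bucket credentials are supplied via atticd.env (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY)` would make that dependency visible. Those credentials should belong to a dedicated MinIO user whose policy is limited to the `attic` bucket rather than the root credentials that minio.nix loads. The enclosing settings attrset starts and ends outside the hunk.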
diff --git a/config/services/minio.nix b/config/services/minio.nix
new file mode 100644
index 0000000..91771e3
--- /dev/null
+++ b/config/services/minio.nix
@@ -0,0 +1,36 @@
+{config, ...}: {
+ services.minio = {
+ enable = true;
+ browser = true;
+
+ listenAddress = "127.0.0.1:14900";
+ consoleAddress = "127.0.0.1:14901";
+
+ region = "eu-central-1";
+ rootCredentialsFile = config.age.secrets."services/minio/root-credentials".path;
+ };
+
+ systemd.services.minio.environment = {
+ MINIO_BROWSER_REDIRECT = "true";
+ MINIO_BROWSER_REDIRECT_URL = "https://minio.winston.sh";
+ };
+
+ services.nginx.virtualHosts = {
+ "minio.winston.sh" = {
+ forceSSL = true;
+ enableACME = false;
+ useACMEHost = "winston.sh";
+ locations."/".proxyPass = "http://${config.services.minio.consoleAddress}";
+ };
+ "s3.winston.sh" = {
+ forceSSL = true;
+ enableACME = false;
+ useACMEHost = "winston.sh";
+
+ locations."/" = {
+ extraConfig = "client_max_body_size 512M;";
+ proxyPass = "http://${config.services.minio.listenAddress}";
+ };
+ };
+ };
+}
diff --git a/config/services/nextcloud.nix b/config/services/nextcloud.nix
index 89ddf45..6ae9519 100644
--- a/config/services/nextcloud.nix
+++ b/config/services/nextcloud.nix
@@ -3,7 +3,10 @@
 pkgs,
 ...
 }: {
- age.secrets."services/nextcloud/admin-password".owner = "nextcloud";
+ age.secrets = {
+ "services/nextcloud/admin-password".owner = "nextcloud";
+ "services/nextcloud/s3-secret".owner = "nextcloud";
+ };
 services.nextcloud = {
 enable = true;
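Review bot: The `s3.winston.sh` location in minio.nix proxies to MinIO with only `client_max_body_size 512M;` in `extraConfig`, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere in the tree nginx will forward its default `Host: 127.0.0.1:14900` to the upstream, and AWS SigV4 signatures that clients compute against `s3.winston.sh` will fail to verify; either enable `recommendedProxySettings` or change the line to `extraConfig = "client_max_body_size 512M; proxy_set_header Host $host;";`. The `minio.winston.sh` console location may additionally need `proxyWebsockets = true;` if the console's websocket endpoints are used. The module reads `config.age.secrets."services/minio/root-credentials".path` but declares no `age.secrets` entry for it, unlike nextcloud.nix which declares its own in the next hunk; confirm it is declared elsewhere. The console is reachable from the internet behind nothing but the MinIO root login, which deserves at least a comment noting that those credentials are the only control.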
@@ -26,7 +29,24 @@
 };
 extraAppsEnable = true;
- config.adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
+ config = {
+ adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
+ objectstore.s3 = {
+ enable = true;
+
+ # use `s3.winston.sh/bucket` istead of `bucket.s3.winston.sh`
+ usePathStyle = true;
+
+ hostname = "s3.winston.sh";
+ useSsl = true;
+ region = "eu-central-1";
+ bucket = "nextcloud";
+ autocreate = false;
+
+ key = "nextcloud";
+ secretFile = config.age.secrets."services/nextcloud/s3-secret".path;
+ };
+ };
 };
 services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 3f11d56..fe47181 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -1,4 +1,9 @@
-{pkgs, ...}: {
+{pkgs, ...}: let
+ snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
+ mkdir "$out"
+ openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
+ '';
+in {
 services.nginx = {
 enable = true;
 package = pkgs.nginxMainline;
@@ -13,18 +18,13 @@
 "defaultDummy404" = {
 default = true;
 serverName = "_";
- locations."/".extraConfig = "return 404;";
+ locations."/".extraConfig = "return 444;";
 locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
 };
- "defaultDummy404ssl" = let
- snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
- mkdir "$out"
- openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
- '';
- in {
+ "defaultDummy404ssl" = {
 default = true;
 serverName = "_";
- locations."/".extraConfig = "return 404;";
+ locations."/".extraConfig = "return 444;";
 locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
 # Dummy SSL config
 onlySSL = true;
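Review bot: The `objectstore.s3` block in nextcloud.nix enables S3 as primary storage with `autocreate = false`, so the `nextcloud` bucket and the `nextcloud` access key (ideally a MinIO user whose policy is limited to that bucket) must exist before the first activation, and upstream Nextcloud documents that primary object storage is meant to be configured before initial install because files already in the data directory are not migrated — worth a comment above `objectstore.s3` if this instance already holds data. The comment on `usePathStyle` has a typo, `istead` → `instead`. Nextcloud on this host reaches MinIO through the public `s3.winston.sh` vhost over TLS, so this presumably depends on the `winston.sh` ACME certificate covering that name; a one-line note saying so would help whoever next touches the certificate.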
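Review bot: The hoisted `snakeoilCert` derivation in nginx.nix writes `cert.key` into the Nix store, where it is world-readable; that is acceptable for a certificate whose only job is to terminate TLS on the catch-all `defaultDummy404ssl` vhost that now answers `return 444;`, but nothing in the file says so and the binding is now file-scoped rather than local to that vhost. A comment above it such as `# Throwaway self-signed cert for the catch-all TLS vhost only. Its key is world-readable in /nix/store; never reuse it for a real host.` would keep it from being picked up for anything else. The vhosts that consume it are in the following hunk.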
@@ -33,6 +33,9 @@
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ # allow nginx to access Acme secrets
 users.users.nginx.extraGroups = ["acme"];
 }
diff --git a/config/users.nix b/config/users.nix
index 4bcb265..f7f1721 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -26,12 +26,14 @@ in {
 programs = {
 bash = {
 enable = true;
- initExtra = ''
- if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
- shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
- exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
- fi
- '';
+ initExtra =
+ # bash
+ ''
+ if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
+ shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+ exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+ fi
+ '';
 };
 direnv.enable = true;
 fish = {
diff --git a/flake.lock b/flake.lock
index 14fe4af..a6334f4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -159,11 +159,11 @@
 ]
 },
 "locked": {
- "lastModified": 1723352546,
- "narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=",
+ "lastModified": 1723950649,
+ "narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06",
+ "rev": "392828aafbed62a6ea6ccab13728df2e67481805",
 "type": "github"
 },
 "original": {
@@ -194,11 +194,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1723282977,
- "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
+ "lastModified": 1724316499,
+ "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
+ "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
 "type": "github"
 },
 "original": {
@@ -210,11 +210,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1723175592,
- "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
+ "lastModified": 1724224976,
+ "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
+ "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
 "type": "github"
 },
 "original": {
@@ -236,11 +236,11 @@
 ]
 },
 "locked": {
- "lastModified": 1723202784,
- "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
+ "lastModified": 1724227338,
+ "narHash": "sha256-TuSaYdhOxeaaE9885mFO1lZHHax33GD5A9dczJrGUjw=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "c7012d0c18567c889b948781bc74a501e92275d1",
+ "rev": "6cedaa7c1b4f82a266e5d30f212273e60d62cb0d",
 "type": "github"
 },
 "original": {