From ef0065f0bb1284f6a460d152d2fb993e1231e6f0 Mon Sep 17 00:00:00 2001
From: winston
Date: Tue, 3 Sep 2024 11:15:46 +0200
Subject: [PATCH] feat: add S3, configure NextCloud for it
---
config/secrets/secrets.nix | 1 +
config/secrets/services/attic/atticd.env.age | Bin 450 -> 556 bytes
.../secrets/services/nextcloud/s3-secret.age | 7 ++++
config/services/attic.nix | 6 +++
config/services/default.nix | 1 +
config/services/minio.nix | 36 ++++++++++++++++++
config/services/nextcloud.nix | 24 +++++++++++-
config/services/nginx.nix | 21 +++++----
config/users.nix | 14 ++++--
flake.lock | 24 ++++++------
10 files changed, 105 insertions(+), 29 deletions(-)
create mode 100644 config/secrets/services/nextcloud/s3-secret.age
create mode 100644 config/services/minio.nix
diff --git a/config/secrets/secrets.nix b/config/secrets/secrets.nix
index e2fd444..bc815e2 100644
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@@ -29,6 +29,7 @@ in {
 "services/minio/root-credentials.age".publicKeys = default;
 "services/nextcloud/admin-password.age".publicKeys = default;
+ "services/nextcloud/s3-secret.age".publicKeys = default;
 "services/wakapi/password-salt.env.age".publicKeys = default;
diff --git a/config/secrets/services/attic/atticd.env.age b/config/secrets/services/attic/atticd.env.age index f17f271d2dd27e384f38405af5c9640c9d977af6..40d876e7b4c74f9f1b09114498b6823c1cce7d25 100644 GIT binary patch delta 505 zcmVX7bJe|l_ARyjdxZwi3vvxL{8DO90jqyTP-Q}%sN zL$c6^QSiCUCn_f}^ZkN)=T0gRg+V3&tOjS@n2t-@PVRV+XmDG%yrDH4c$M4K2pFWc z%?*LnEPfv6R)*zf>(RU^d<(TK`q*l9d5_1BhFR8hmff$LP~I&GkP;jY3kjG2e-l}j zY8q64-Qikv`Ec5lE9Qz|7}&`Sb(a37dD{g5c=ntg;D?54$lNH-Gj!-BFdXU7^oU`9 z;uY-IW(`6iR8avw@NNyG2o?Z#Tu7e>K{sU2*%&U~Eu_(Yj!yB2630lWLSi|F(1Sp5 vDjqydN2u8*69~;wsnwJtj05{P7rVL4aYl(7l1py`ioJrQK delta 398 zcmV;90dfAU1i}N5DpzP{W=V2HLv2rLOhqj0YGPzdYFK(!N-$w%Nm4mfVM=FbcTqWPD>YM93S?M%F=KL2 zG*nSyXG~5wc`<2cV|7ATNKHssFH>h#c28AIXF*DMLOF3!3N0-yAa7<(M=&-@N>oI5 zHEuI^a&k0BSX69gYfV>Xa#C=3Yh+Dze?nGyH%E9gFbcmK35$|x=|l&axXH-C8LIpH z^kc;=EWOV$Qc-dM+NLH!ia@CtG6W%vNgQ5sKN6GEM<$iEDh7(AgLP-;TnfgXWJ%>< z(_d-u`VU>mZ3;}^q6S3ot>u>Z6PH7z9D{~y4NyDm3{!&g?YJD`FqLt9W3F>TEKKQs shTmv9hoyJN5W!*zG*mdBAaJ?OfYMi#(#&EHfylHQCcw_0>09;YK!mHC!T piv-p256 ML6NcA A6rsjlRtz7QJc11jJFBoWwJtF7SXjxSEdyY3jJiZK4Eu +kiSbzDbklbInU25sPN/6KocndTl02CRhSAO4MVl60OE +-> ssh-ed25519 zj2A2A 1bWcMWRBVed0hHent3pV+ZKzEqGIiQfwzX8JMaGeBxQ +ePsM0Q4GY9FGFLKb8U/AsKXKJsWRmTnLTbigvQetQ5I +--- y4RUKInn54CwWTxLk2B/2cZyg6KRLZ8X202xhSOCJBI +m-V/ KBs qڟ3/̹gՔX0t5X P&"顬dJ[x]oL@@ \ No newline at end of file diff --git a/config/services/attic.nix b/config/services/attic.nix index 03c37bc..3b1eb2f 100644 --- a/config/services/attic.nix +++ b/config/services/attic.nix @@ -10,6 +10,12 @@ avg-size = 64 * 1024; # 64 KiB max-size = 256 * 1024; # 256 KiB }; + storage = { + bucket = "attic"; + endpoint = "https://s3.winston.sh"; + region = "eu-central-1"; + type = "s3"; + }; }; }; diff --git a/config/services/default.nix b/config/services/default.nix index 9cf5d2a..76aec30 100644 --- a/config/services/default.nix +++ b/config/services/default.nix @@ -6,6 +6,7 @@ ./freshrss.nix ./gitlab ./invidious.nix + ./minio.nix ./nextcloud.nix ./nginx.nix ./postgres.nix 
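Review bot: The new `storage` block hard-codes `region = "eu-central-1"`, the same literal that minio.nix and nextcloud.nix introduce in this commit; if attic.nix already receives `config` (its header is outside the hunk), `region = config.services.minio.region;` keeps the three in step. Nothing in the commit creates the `attic` bucket or the access key the S3 backend presents (presumably carried in the `atticd.env` secret updated alongside), so a comment such as `# bucket and a bucket-scoped access key are provisioned out of band in MinIO` above `storage` would spare the next reader a search. The enclosing attribute set starts and ends outside the hunk.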
diff --git a/config/services/minio.nix b/config/services/minio.nix
new file mode 100644
index 0000000..91771e3
--- /dev/null
+++ b/config/services/minio.nix
@@ -0,0 +1,36 @@
+{config, ...}: {
+ services.minio = {
+ enable = true;
+ browser = true;
+
+ listenAddress = "127.0.0.1:14900";
+ consoleAddress = "127.0.0.1:14901";
+
+ region = "eu-central-1";
+ rootCredentialsFile = config.age.secrets."services/minio/root-credentials".path;
+ };
+
+ systemd.services.minio.environment = {
+ MINIO_BROWSER_REDIRECT = "true";
+ MINIO_BROWSER_REDIRECT_URL = "https://minio.winston.sh";
+ };
+
+ services.nginx.virtualHosts = {
+ "minio.winston.sh" = {
+ forceSSL = true;
+ enableACME = false;
+ useACMEHost = "winston.sh";
+ locations."/".proxyPass = "http://${config.services.minio.consoleAddress}";
+ };
+ "s3.winston.sh" = {
+ forceSSL = true;
+ enableACME = false;
+ useACMEHost = "winston.sh";
+
+ locations."/" = {
+ extraConfig = "client_max_body_size 512M;";
+ proxyPass = "http://${config.services.minio.listenAddress}";
+ };
+ };
+ };
+}
diff --git a/config/services/nextcloud.nix b/config/services/nextcloud.nix
index 89ddf45..6ae9519 100644
--- a/config/services/nextcloud.nix
+++ b/config/services/nextcloud.nix
@@ -3,7 +3,10 @@
 pkgs,
 ...
 }: {
- age.secrets."services/nextcloud/admin-password".owner = "nextcloud";
+ age.secrets = {
+ "services/nextcloud/admin-password".owner = "nextcloud";
+ "services/nextcloud/s3-secret".owner = "nextcloud";
+ };
 services.nextcloud = {
 enable = true;
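Review bot: The console is published to the internet on `minio.winston.sh` while the only identity this file configures is the root account behind `rootCredentialsFile`, so the root login is what that public vhost accepts. Unless remote console access is needed, keeping it reachable only on `consoleAddress` (or restricting the vhost to trusted addresses) limits what a leaked root credential can reach. The `nextcloud` key referenced from nextcloud.nix and the buckets it and attic.nix expect are created outside this configuration, so a comment above `services.minio` such as `# buckets and per-service (bucket-scoped) access keys are provisioned by hand; root is only for the console` would make that dependency visible.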
@@ -26,7 +29,24 @@
 };
 extraAppsEnable = true;
- config.adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
+ config = {
+ adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
+ objectstore.s3 = {
+ enable = true;
+
+ # use `s3.winston.sh/bucket` istead of `bucket.s3.winston.sh`
+ usePathStyle = true;
+
+ hostname = "s3.winston.sh";
+ useSsl = true;
+ region = "eu-central-1";
+ bucket = "nextcloud";
+ autocreate = false;
+
+ key = "nextcloud";
+ secretFile = config.age.secrets."services/nextcloud/s3-secret".path;
+ };
+ };
 };
 services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 3f11d56..fe47181 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -1,4 +1,9 @@
-{pkgs, ...}: {
+{pkgs, ...}: let
+ snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
+ mkdir "$out"
+ openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
+ '';
+in {
 services.nginx = {
 enable = true;
 package = pkgs.nginxMainline;
@@ -13,18 +18,13 @@
 "defaultDummy404" = {
 default = true;
 serverName = "_";
- locations."/".extraConfig = "return 404;";
+ locations."/".extraConfig = "return 444;";
 locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
 };
- "defaultDummy404ssl" = let
- snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
- mkdir "$out"
- openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
- '';
- in {
+ "defaultDummy404ssl" = {
 default = true;
 serverName = "_";
- locations."/".extraConfig = "return 404;";
+ locations."/".extraConfig = "return 444;";
 locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
 # Dummy SSL config
 onlySSL = true;
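Review bot: The comment above `usePathStyle` has a typo; it should read `# use \`s3.winston.sh/bucket\` instead of \`bucket.s3.winston.sh\``. Enabling `objectstore.s3` makes the bucket Nextcloud's primary storage, and Nextcloud does not migrate files already on local storage when that switch happens, so if this instance has existing data it should presumably only land on a fresh install or after a manual migration — worth a comment next to `enable = true;`. With `autocreate = false` the `nextcloud` bucket also has to exist before the first start. The surrounding `services.nextcloud` block begins outside the hunk.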
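Review bot: The hoisted `snakeoilCert` derivation writes `cert.key` into the Nix store, which is world-readable on the host; that is tolerable only because the key backs the catch-all `defaultDummy404ssl` vhost that now answers `return 444;` and never serves real content. Now that the binding lives at file scope it is easier to reuse by accident, so a comment above it such as `# private key ends up in the world-readable store; only for the catch-all vhost, never for real traffic` would record the constraint. The `services.nginx` attribute set continues outside the hunk.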
@@ -33,6 +33,9 @@
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ # allow nginx to access Acme secrets
 users.users.nginx.extraGroups = ["acme"];
 }
diff --git a/config/users.nix b/config/users.nix
index 4bcb265..f7f1721 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -26,12 +26,14 @@ in {
 programs = {
 bash = {
 enable = true;
- initExtra = ''
- if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
- shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
- exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
- fi
- '';
+ initExtra =
+ # bash
+ ''
+ if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
+ shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+ exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+ fi
+ '';
 };
 direnv.enable = true;
 fish = {
diff --git a/flake.lock b/flake.lock
index 14fe4af..a6334f4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -159,11 +159,11 @@
 ]
 },
 "locked": {
- "lastModified": 1723352546,
- "narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=",
+ "lastModified": 1723950649,
+ "narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06",
+ "rev": "392828aafbed62a6ea6ccab13728df2e67481805",
 "type": "github"
 },
 "original": {
@@ -194,11 +194,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1723282977,
- "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
+ "lastModified": 1724316499,
+ "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
+ "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
 "type": "github"
 },
 "original": {
@@ -210,11 +210,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1723175592, - "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=", + "lastModified": 1724224976, + "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b", + "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62", "type": "github" }, "original": { @@ -236,11 +236,11 @@ ] }, "locked": { - "lastModified": 1723202784, - "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=", + "lastModified": 1724227338, + "narHash": "sha256-TuSaYdhOxeaaE9885mFO1lZHHax33GD5A9dczJrGUjw=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c7012d0c18567c889b948781bc74a501e92275d1", + "rev": "6cedaa7c1b4f82a266e5d30f212273e60d62cb0d", "type": "github" }, "original": {