feat: add S3, configure NextCloud for it
This commit is contained in:
parent
d0541a40b1
commit
ef0065f0bb
10 changed files with 105 additions and 29 deletions
@ -29,6 +29,7 @@ in {
|
||||||
"services/minio/root-credentials.age".publicKeys = default;
|
"services/minio/root-credentials.age".publicKeys = default;
|
||||||
|
|
||||||
"services/nextcloud/admin-password.age".publicKeys = default;
|
"services/nextcloud/admin-password.age".publicKeys = default;
|
||||||
|
"services/nextcloud/s3-secret.age".publicKeys = default;
|
||||||
|
|
||||||
"services/wakapi/password-salt.env.age".publicKeys = default;
|
"services/wakapi/password-salt.env.age".publicKeys = default;
|
||||||
|
|
||||||
|
|
7
config/secrets/services/nextcloud/s3-secret.age
Normal file
7
config/secrets/services/nextcloud/s3-secret.age
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> piv-p256 ML6NcA A6rsjlRtz7QJc11jJFBoWwJtF7SXjxSEdyY3jJiZK4Eu
|
||||||
|
kiSbzDbklbInU25sPN/6KocndTl02CRhSAO4MVl60OE
|
||||||
|
-> ssh-ed25519 zj2A2A 1bWcMWRBVed0hHent3pV+ZKzEqGIiQfwzX8JMaGeBxQ
|
||||||
|
ePsM0Q4GY9FGFLKb8U/AsKXKJsWRmTnLTbigvQetQ5I
|
||||||
|
--- y4RUKInn54CwWTxLk2B/2cZyg6KRLZ8X202xhSOCJBI
|
||||||
|
<EFBFBD>m-VÐÙ/ßû
KèBs qáÚŸ3ò±à/̹gçãéÕ”X…0tÁ5X±ÖP&¸"¿ÑÀ¼æ顬d<7F>íJ[x]o‹L¡@@
|
|
@ -10,6 +10,12 @@
|
||||||
avg-size = 64 * 1024; # 64 KiB
|
avg-size = 64 * 1024; # 64 KiB
|
||||||
max-size = 256 * 1024; # 256 KiB
|
max-size = 256 * 1024; # 256 KiB
|
||||||
};
|
};
|
||||||
|
storage = {
|
||||||
|
bucket = "attic";
|
||||||
|
endpoint = "https://s3.winston.sh";
|
||||||
|
region = "eu-central-1";
|
||||||
|
type = "s3";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
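Review bot: The new storage block gives attic an endpoint, bucket and region, but nothing visible in this hunk supplies the credentials it signs S3 requests with; attic's S3 backend falls back to the AWS SDK's default credential chain when no credentials are configured, so the service presumably reads AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY from an environment file set elsewhere. A one-line comment above `storage = {` naming that source, e.g. `# credentials: access key scoped to the "attic" bucket, loaded from the service's EnvironmentFile (not the MinIO root key)`, would keep a future reader from assuming the MinIO root credentials are in use. The enclosing attrset starts and ends outside this hunk.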
@ -6,6 +6,7 @@
|
||||||
./freshrss.nix
|
./freshrss.nix
|
||||||
./gitlab
|
./gitlab
|
||||||
./invidious.nix
|
./invidious.nix
|
||||||
|
./minio.nix
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
./postgres.nix
|
./postgres.nix
|
||||||
|
|
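--- /dev/null
+++ b/config/services/minio.nix
@@ -0,0 +1,36 @@
+{config, ...}: {
+services.minio = {
+enable = true;
+browser = true;
+
+listenAddress = "127.0.0.1:14900";
+consoleAddress = "127.0.0.1:14901";
+
+region = "eu-central-1";
+rootCredentialsFile = config.age.secrets."services/minio/root-credentials".path;
+};
+
+systemd.services.minio.environment = {
+MINIO_BROWSER_REDIRECT = "true";
+MINIO_BROWSER_REDIRECT_URL = "https://minio.winston.sh";
+};
+
+services.nginx.virtualHosts = {
+"minio.winston.sh" = {
+forceSSL = true;
+enableACME = false;
+useACMEHost = "winston.sh";
+locations."/".proxyPass = "http://${config.services.minio.consoleAddress}";
+};
+"s3.winston.sh" = {
+forceSSL = true;
+enableACME = false;
+useACMEHost = "winston.sh";
+
+locations."/" = {
+extraConfig = "client_max_body_size 512M;";
+proxyPass = "http://${config.services.minio.listenAddress}";
+};
+};
+};
+}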
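Review bot: The MinIO admin console is published to the internet at minio.winston.sh with nothing in front of it but the account in rootCredentialsFile, which is the full-admin root identity for the whole object store. If the console is only needed for occasional administration, the safer shape is to keep consoleAddress on loopback and reach it through an SSH tunnel rather than a public vhost, or at minimum gate that vhost with `locations."/".extraConfig = "allow <admin-ip>; deny all;";`. The console also appears to rely on WebSocket upgrades for parts of its UI, which this proxyPass does not forward; `proxyWebsockets = true;` on that location would presumably be needed, confirm against the MinIO version pinned in flake.lock. The s3.winston.sh vhost is reasonable as a public API endpoint since every request there must be signed.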
@ -3,7 +3,10 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
age.secrets."services/nextcloud/admin-password".owner = "nextcloud";
|
age.secrets = {
|
||||||
|
"services/nextcloud/admin-password".owner = "nextcloud";
|
||||||
|
"services/nextcloud/s3-secret".owner = "nextcloud";
|
||||||
|
};
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -26,7 +29,24 @@
|
||||||
};
|
};
|
||||||
extraAppsEnable = true;
|
extraAppsEnable = true;
|
||||||
|
|
||||||
config.adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
|
config = {
|
||||||
|
adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
|
||||||
|
objectstore.s3 = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
# use `s3.winston.sh/bucket` istead of `bucket.s3.winston.sh`
|
||||||
|
usePathStyle = true;
|
||||||
|
|
||||||
|
hostname = "s3.winston.sh";
|
||||||
|
useSsl = true;
|
||||||
|
region = "eu-central-1";
|
||||||
|
bucket = "nextcloud";
|
||||||
|
autocreate = false;
|
||||||
|
|
||||||
|
key = "nextcloud";
|
||||||
|
secretFile = config.age.secrets."services/nextcloud/s3-secret".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
|
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
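Review bot: The objectstore block references an access key `nextcloud` and a bucket `nextcloud` with `autocreate = false`, yet nothing in this commit provisions either in MinIO, so the deployment depends on out-of-band setup that should be recorded, e.g. `# access key and bucket created by hand in MinIO; the key's policy is limited to this bucket (never the root credentials)`. That matters because with the object store as primary storage the secret in s3-secret grants read/write on every user's files, so it should be a bucket-scoped MinIO user rather than the root account. If encryption of the objects inside MinIO is wanted, the NixOS module presumably exposes an SSE-C key-file option next to `secretFile` (`sseCKeyFile`); confirm against the nixpkgs revision pinned in flake.lock. The comment on `usePathStyle` also has a typo, `istead` for `instead`.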
@ -1,4 +1,9 @@
|
||||||
{pkgs, ...}: {
|
{pkgs, ...}: let
|
||||||
|
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
||||||
|
mkdir "$out"
|
||||||
|
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
||||||
|
'';
|
||||||
|
in {
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nginxMainline;
|
package = pkgs.nginxMainline;
|
||||||
|
@ -13,18 +18,13 @@
|
||||||
"defaultDummy404" = {
|
"defaultDummy404" = {
|
||||||
default = true;
|
default = true;
|
||||||
serverName = "_";
|
serverName = "_";
|
||||||
locations."/".extraConfig = "return 404;";
|
locations."/".extraConfig = "return 444;";
|
||||||
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
|
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
|
||||||
};
|
};
|
||||||
"defaultDummy404ssl" = let
|
"defaultDummy404ssl" = {
|
||||||
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
|
||||||
mkdir "$out"
|
|
||||||
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
|
||||||
'';
|
|
||||||
in {
|
|
||||||
default = true;
|
default = true;
|
||||||
serverName = "_";
|
serverName = "_";
|
||||||
locations."/".extraConfig = "return 404;";
|
locations."/".extraConfig = "return 444;";
|
||||||
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
|
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
|
||||||
# Dummy SSL config
|
# Dummy SSL config
|
||||||
onlySSL = true;
|
onlySSL = true;
|
||||||
|
@ -33,6 +33,9 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
|
|
||||||
|
# allow nginx to access Acme secrets
|
||||||
users.users.nginx.extraGroups = ["acme"];
|
users.users.nginx.extraGroups = ["acme"];
|
||||||
}
|
}
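Review bot: The snakeoil private key generated in the new top-level `let` is written to the Nix store, which is world-readable, and its certificate is what any client arriving with an unknown or absent SNI is served. That is only acceptable because the two catch-all vhosts answer nothing but 444 (plus the ACME challenge path), so the key protects no real traffic; the binding should say so, e.g. `# Self-signed cert for the catch-all vhosts only; its key is world-readable in /nix/store, so it must never be reused for a real host.`. The 404-to-444 change in the second hunk closes unmatched-host connections without a response, which is a sensible default, while `/.well-known/acme-challenge` stays served on those vhosts, presumably on purpose for the `winston.sh` ACME host. The `let ... in` opened in the first hunk continues past it.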
@ -26,12 +26,14 @@ in {
|
||||||
programs = {
|
programs = {
|
||||||
bash = {
|
bash = {
|
||||||
enable = true;
|
enable = true;
|
||||||
initExtra = ''
|
initExtra =
|
||||||
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
|
# bash
|
||||||
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
|
''
|
||||||
exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
|
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
|
||||||
fi
|
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
|
||||||
'';
|
exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
|
||||||
|
fi
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
direnv.enable = true;
|
direnv.enable = true;
|
||||||
fish = {
|
fish = {
|
||||||
|
|
24
flake.lock
24
flake.lock
|
@ -159,11 +159,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723352546,
|
"lastModified": 1723950649,
|
||||||
"narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=",
|
"narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nix-index-database",
|
"repo": "nix-index-database",
|
||||||
"rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06",
|
"rev": "392828aafbed62a6ea6ccab13728df2e67481805",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -194,11 +194,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723282977,
|
"lastModified": 1724316499,
|
||||||
"narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
|
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
|
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -210,11 +210,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723175592,
|
"lastModified": 1724224976,
|
||||||
"narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
|
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
|
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -236,11 +236,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723202784,
|
"lastModified": 1724227338,
|
||||||
"narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
|
"narHash": "sha256-TuSaYdhOxeaaE9885mFO1lZHHax33GD5A9dczJrGUjw=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "pre-commit-hooks.nix",
|
"repo": "pre-commit-hooks.nix",
|
||||||
"rev": "c7012d0c18567c889b948781bc74a501e92275d1",
|
"rev": "6cedaa7c1b4f82a266e5d30f212273e60d62cb0d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {