feat: add S3, configure NextCloud for it
This commit is contained in:
parent
d0541a40b1
commit
ef0065f0bb
10 changed files with 105 additions and 29 deletions
|
@ -29,6 +29,7 @@ in {
|
|||
"services/minio/root-credentials.age".publicKeys = default;
|
||||
|
||||
"services/nextcloud/admin-password.age".publicKeys = default;
|
||||
"services/nextcloud/s3-secret.age".publicKeys = default;
|
||||
|
||||
"services/wakapi/password-salt.env.age".publicKeys = default;
|
||||
|
||||
|
|
Binary file not shown.
7
config/secrets/services/nextcloud/s3-secret.age
Normal file
7
config/secrets/services/nextcloud/s3-secret.age
Normal file
|
@ -0,0 +1,7 @@
|
|||
age-encryption.org/v1
|
||||
-> piv-p256 ML6NcA A6rsjlRtz7QJc11jJFBoWwJtF7SXjxSEdyY3jJiZK4Eu
|
||||
kiSbzDbklbInU25sPN/6KocndTl02CRhSAO4MVl60OE
|
||||
-> ssh-ed25519 zj2A2A 1bWcMWRBVed0hHent3pV+ZKzEqGIiQfwzX8JMaGeBxQ
|
||||
ePsM0Q4GY9FGFLKb8U/AsKXKJsWRmTnLTbigvQetQ5I
|
||||
--- y4RUKInn54CwWTxLk2B/2cZyg6KRLZ8X202xhSOCJBI
|
||||
<EFBFBD>m-VÐÙ/ßû
KèBs qáÚŸ3ò±à/̹gçãéÕ”X…0tÁ5X±ÖP&¸"¿ÑÀ¼æ顬d<7F>íJ[x]o‹L¡@@
|
|
@ -10,6 +10,12 @@
|
|||
avg-size = 64 * 1024; # 64 KiB
|
||||
max-size = 256 * 1024; # 256 KiB
|
||||
};
|
||||
storage = {
|
||||
bucket = "attic";
|
||||
endpoint = "https://s3.winston.sh";
|
||||
region = "eu-central-1";
|
||||
type = "s3";
|
||||
};
|
||||
};
|
||||
};
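Review bot: The new `storage` block names the bucket, endpoint and region but carries no credentials, and nothing else in this commit shows where attic's S3 access key and secret come from; presumably they are injected through the service environment or a credentials file, but a reader of this file cannot tell, and `bucket = "attic";` must also already exist on the MinIO side since nothing here creates it. A short comment above `storage = {` such as `# credentials for this bucket are supplied via <attic credentials source>; the "attic" bucket is provisioned manually in MinIO` would document that. The enclosing attribute set starts outside the hunk.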
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
./freshrss.nix
|
||||
./gitlab
|
||||
./invidious.nix
|
||||
./minio.nix
|
||||
./nextcloud.nix
|
||||
./nginx.nix
|
||||
./postgres.nix
|
||||
|
|
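--- a/config/services/minio.nix
+++ b/config/services/minio.nix
@@ -0,0 +1,36 @@
+{config, ...}: {
+services.minio = {
+enable = true;
+browser = true;
+
+listenAddress = "127.0.0.1:14900";
+consoleAddress = "127.0.0.1:14901";
+
+region = "eu-central-1";
+rootCredentialsFile = config.age.secrets."services/minio/root-credentials".path;
+};
+
+systemd.services.minio.environment = {
+MINIO_BROWSER_REDIRECT = "true";
+MINIO_BROWSER_REDIRECT_URL = "https://minio.winston.sh";
+};
+
+services.nginx.virtualHosts = {
+"minio.winston.sh" = {
+forceSSL = true;
+enableACME = false;
+useACMEHost = "winston.sh";
+locations."/".proxyPass = "http://${config.services.minio.consoleAddress}";
+};
+"s3.winston.sh" = {
+forceSSL = true;
+enableACME = false;
+useACMEHost = "winston.sh";
+
+locations."/" = {
+extraConfig = "client_max_body_size 512M;";
+proxyPass = "http://${config.services.minio.listenAddress}";
+};
+};
+};
+}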
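Review bot: The `minio.winston.sh` vhost proxies the MinIO console with a bare `proxyPass` and no WebSocket upgrade handling, so console features that rely on a WebSocket (the console does use one) will fail behind nginx unless that is configured elsewhere; the NixOS location option `proxyWebsockets = true;` next to `proxyPass` covers this. The same vhost publishes the admin console, which is authenticated only by the root credentials, to the public internet — if it is only needed occasionally, binding it to the loopback/VPN side or gating it with an allow-list would shrink the exposed surface. It is also worth a comment on `rootCredentialsFile` that the per-application users and buckets (the `nextcloud` and `attic` ones referenced elsewhere in this commit) are not declared here and must be created through the console or `mc` out of band, since nothing in this file provisions them. Whether `Host` and `X-Forwarded-*` headers are forwarded (needed for path-style requests to resolve correctly) depends on `recommendedProxySettings` being set in the nginx module, which this hunk does not show.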
|
@ -3,7 +3,10 @@
|
|||
pkgs,
|
||||
...
|
||||
}: {
|
||||
age.secrets."services/nextcloud/admin-password".owner = "nextcloud";
|
||||
age.secrets = {
|
||||
"services/nextcloud/admin-password".owner = "nextcloud";
|
||||
"services/nextcloud/s3-secret".owner = "nextcloud";
|
||||
};
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
|
@ -26,7 +29,24 @@
|
|||
};
|
||||
extraAppsEnable = true;
|
||||
|
||||
config.adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
|
||||
config = {
|
||||
adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
|
||||
objectstore.s3 = {
|
||||
enable = true;
|
||||
|
||||
# use `s3.winston.sh/bucket` istead of `bucket.s3.winston.sh`
|
||||
usePathStyle = true;
|
||||
|
||||
hostname = "s3.winston.sh";
|
||||
useSsl = true;
|
||||
region = "eu-central-1";
|
||||
bucket = "nextcloud";
|
||||
autocreate = false;
|
||||
|
||||
key = "nextcloud";
|
||||
secretFile = config.age.secrets."services/nextcloud/s3-secret".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
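Review bot: `objectstore.s3` makes MinIO Nextcloud's primary storage, and with `autocreate = false` the `nextcloud` bucket and the `nextcloud` access key must already exist on the MinIO side, yet nothing in this commit creates them, so a fresh deploy fails on first use until that is done by hand; a comment above `bucket = "nextcloud";` such as `# bucket and the "nextcloud" access key are provisioned manually in MinIO (see minio.nix); not managed here` would record that. Also worth stating in the same comment, if this instance already held data in its local data directory, is that switching primary storage to an object store does not migrate existing files — they would need to be moved first. Separately, the comment on `usePathStyle` has a typo: `istead` should read `instead`. The `services.nextcloud` attribute set starts outside this hunk.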
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
{pkgs, ...}: {
|
||||
{pkgs, ...}: let
|
||||
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
||||
mkdir "$out"
|
||||
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
||||
'';
|
||||
in {
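Review bot: Hoisting `snakeoilCert` to the module's `let` is fine, but the derivation writes a private key into the Nix store, which is world-readable, so the binding should carry a comment making clear it is only ever for the catch-all dummy vhost: `# throwaway self-signed cert for the default catch-all vhost only; the key lives in the world-readable store, never reuse for a real host`. With the binding now visible to the whole module, that note is what stops it being reused later. The `services.nginx` block continues outside this hunk.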
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = pkgs.nginxMainline;
|
||||
|
@ -13,18 +18,13 @@
|
|||
"defaultDummy404" = {
|
||||
default = true;
|
||||
serverName = "_";
|
||||
locations."/".extraConfig = "return 404;";
|
||||
locations."/".extraConfig = "return 444;";
|
||||
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
"defaultDummy404ssl" = let
|
||||
snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
|
||||
mkdir "$out"
|
||||
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
|
||||
'';
|
||||
in {
|
||||
"defaultDummy404ssl" = {
|
||||
default = true;
|
||||
serverName = "_";
|
||||
locations."/".extraConfig = "return 404;";
|
||||
locations."/".extraConfig = "return 444;";
|
||||
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
|
||||
# Dummy SSL config
|
||||
onlySSL = true;
|
||||
|
@ -33,6 +33,9 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
|
||||
# allow nginx to access Acme secrets
|
||||
users.users.nginx.extraGroups = ["acme"];
|
||||
}
|
||||
|
|
|
@ -26,7 +26,9 @@ in {
|
|||
programs = {
|
||||
bash = {
|
||||
enable = true;
|
||||
initExtra = ''
|
||||
initExtra =
|
||||
# bash
|
||||
''
|
||||
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
|
||||
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
|
||||
exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
|
||||
|
|
24
flake.lock
24
flake.lock
|
@ -159,11 +159,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1723352546,
|
||||
"narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=",
|
||||
"lastModified": 1723950649,
|
||||
"narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06",
|
||||
"rev": "392828aafbed62a6ea6ccab13728df2e67481805",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -194,11 +194,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1723282977,
|
||||
"narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
|
||||
"lastModified": 1724316499,
|
||||
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
|
||||
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -210,11 +210,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1723175592,
|
||||
"narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
|
||||
"lastModified": 1724224976,
|
||||
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
|
||||
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -236,11 +236,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1723202784,
|
||||
"narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
|
||||
"lastModified": 1724227338,
|
||||
"narHash": "sha256-TuSaYdhOxeaaE9885mFO1lZHHax33GD5A9dczJrGUjw=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "c7012d0c18567c889b948781bc74a501e92275d1",
|
||||
"rev": "6cedaa7c1b4f82a266e5d30f212273e60d62cb0d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|