feat: add S3, configure NextCloud for it

2024-09-03 11:15:46 +02:00 · 2024-09-03 11:15:46 +02:00 · ef0065f0bb
commit ef0065f0bb
parent d0541a40b1
10 changed files with 105 additions and 29 deletions
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@ -29,6 +29,7 @@ in {
  "services/minio/root-credentials.age".publicKeys = default;

  "services/nextcloud/admin-password.age".publicKeys = default;
+  "services/nextcloud/s3-secret.age".publicKeys = default;

  "services/wakapi/password-salt.env.age".publicKeys = default;

--- a/config/secrets/services/attic/atticd.env.age
+++ b/config/secrets/services/attic/atticd.env.age
--- a/config/secrets/services/nextcloud/s3-secret.age
+++ b/config/secrets/services/nextcloud/s3-secret.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA A6rsjlRtz7QJc11jJFBoWwJtF7SXjxSEdyY3jJiZK4Eu
+kiSbzDbklbInU25sPN/6KocndTl02CRhSAO4MVl60OE
+-> ssh-ed25519 zj2A2A 1bWcMWRBVed0hHent3pV+ZKzEqGIiQfwzX8JMaGeBxQ
+ePsM0Q4GY9FGFLKb8U/AsKXKJsWRmTnLTbigvQetQ5I
+--- y4RUKInn54CwWTxLk2B/2cZyg6KRLZ8X202xhSOCJBI
+<EFBFBD>m-VÐÙ/ßû
KèBs qáÚŸ3ò±à/Ì¹gçãéÕ”X…0tÁ5X±ÖP&¸"¿ÑÀ¼æé¡¬d<7F>íJ[x]o‹L¡@@
--- a/config/services/attic.nix
+++ b/config/services/attic.nix
@ -10,6 +10,12 @@
        avg-size = 64 * 1024; # 64 KiB
        max-size = 256 * 1024; # 256 KiB
      };
+      storage = {
+        bucket = "attic";
+        endpoint = "https://s3.winston.sh";
+        region = "eu-central-1";
+        type = "s3";
+      };
    };
  };

--- a/config/services/default.nix
+++ b/config/services/default.nix
@ -6,6 +6,7 @@
    ./freshrss.nix
    ./gitlab
    ./invidious.nix
+    ./minio.nix
    ./nextcloud.nix
    ./nginx.nix
    ./postgres.nix
--- a/config/services/minio.nix
+++ b/config/services/minio.nix
@ -0,0 +1,36 @@
+{config, ...}: {
+  services.minio = {
+    enable = true;
+    browser = true;
+
+    listenAddress = "127.0.0.1:14900";
+    consoleAddress = "127.0.0.1:14901";
+
+    region = "eu-central-1";
+    rootCredentialsFile = config.age.secrets."services/minio/root-credentials".path;
+  };
+
+  systemd.services.minio.environment = {
+    MINIO_BROWSER_REDIRECT = "true";
+    MINIO_BROWSER_REDIRECT_URL = "https://minio.winston.sh";
+  };
+
+  services.nginx.virtualHosts = {
+    "minio.winston.sh" = {
+      forceSSL = true;
+      enableACME = false;
+      useACMEHost = "winston.sh";
+      locations."/".proxyPass = "http://${config.services.minio.consoleAddress}";
+    };
+    "s3.winston.sh" = {
+      forceSSL = true;
+      enableACME = false;
+      useACMEHost = "winston.sh";
+
+      locations."/" = {
+        extraConfig = "client_max_body_size 512M;";
+        proxyPass = "http://${config.services.minio.listenAddress}";
+      };
+    };
+  };
+}
--- a/config/services/nextcloud.nix
+++ b/config/services/nextcloud.nix
@ -3,7 +3,10 @@
  pkgs,
  ...
 }: {
-  age.secrets."services/nextcloud/admin-password".owner = "nextcloud";
+  age.secrets = {
+    "services/nextcloud/admin-password".owner = "nextcloud";
+    "services/nextcloud/s3-secret".owner = "nextcloud";
+  };

  services.nextcloud = {
    enable = true;
@ -26,7 +29,24 @@
    };
    extraAppsEnable = true;

-    config.adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
+    config = {
+      adminpassFile = config.age.secrets."services/nextcloud/admin-password".path;
+      objectstore.s3 = {
+        enable = true;
+
+        # use `s3.winston.sh/bucket` istead of `bucket.s3.winston.sh`
+        usePathStyle = true;
+
+        hostname = "s3.winston.sh";
+        useSsl = true;
+        region = "eu-central-1";
+        bucket = "nextcloud";
+        autocreate = false;
+
+        key = "nextcloud";
+        secretFile = config.age.secrets."services/nextcloud/s3-secret".path;
+      };
+    };
  };

  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -1,4 +1,9 @@
-{pkgs, ...}: {
+{pkgs, ...}: let
+  snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
+    mkdir "$out"
+    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
+  '';
+in {
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
@ -13,18 +18,13 @@
      "defaultDummy404" = {
        default = true;
        serverName = "_";
-        locations."/".extraConfig = "return 404;";
+        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
      };
-      "defaultDummy404ssl" = let
-        snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
-          mkdir "$out"
-          openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
-        '';
-      in {
+      "defaultDummy404ssl" = {
        default = true;
        serverName = "_";
-        locations."/".extraConfig = "return 404;";
+        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
        # Dummy SSL config
        onlySSL = true;
@ -33,6 +33,9 @@
      };
    };
  };
+
  networking.firewall.allowedTCPPorts = [80 443];
+
+  # allow nginx to access Acme secrets
  users.users.nginx.extraGroups = ["acme"];
 }
--- a/config/users.nix
+++ b/config/users.nix
@ -26,7 +26,9 @@ in {
      programs = {
        bash = {
          enable = true;
-          initExtra = ''
+          initExtra =
+            # bash
+            ''
              if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]; then
                shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
                exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
--- a/flake.lock
+++ b/flake.lock
@ -159,11 +159,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723352546,
-        "narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=",
+        "lastModified": 1723950649,
+        "narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06",
+        "rev": "392828aafbed62a6ea6ccab13728df2e67481805",
        "type": "github"
      },
      "original": {
@ -194,11 +194,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1723282977,
-        "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
+        "lastModified": 1724316499,
+        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
+        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
        "type": "github"
      },
      "original": {
@ -210,11 +210,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1723175592,
-        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
+        "lastModified": 1724224976,
+        "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
+        "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
        "type": "github"
      },
      "original": {
@ -236,11 +236,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723202784,
-        "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
+        "lastModified": 1724227338,
+        "narHash": "sha256-TuSaYdhOxeaaE9885mFO1lZHHax33GD5A9dczJrGUjw=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "c7012d0c18567c889b948781bc74a501e92275d1",
+        "rev": "6cedaa7c1b4f82a266e5d30f212273e60d62cb0d",
        "type": "github"
      },
      "original": {