dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add certbot to module

Browse source
This commit is contained in:
DACHXY 2025-04-28 13:51:12 +08:00
parent d298d751fc
commit 56dfb90345
8 changed files with 176 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

154
system/dev/dn-pre7780/nextcloud.nix Normal file
View file

@ -0,0 +1,154 @@
{
config,
pkgs,
lib,
...
}:
let
acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
REQUESTS_CA_BUNDLE=./system/extra/ca.crt
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d ${config.services.nextcloud.hostName}\
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
in
{
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}
}/nextcloud-extras.nix"
];
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"nextcloud"
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
services.nextcloud = {
enable = true;
datadir = "/mnt/windows/Linux/nextcloud";
package = pkgs.nextcloud31;
configureRedis = true;
hostName = "pre7780.net.dn";
https = false;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
news
contacts
calendar
tasks
;
memories = pkgs.fetchNextcloudApp {
sha256 = "sha256-BfxJDCGsiRJrZWkNJSQF3rSFm/G3zzQn7C6DCETSzw4=";
url = "https://github.com/pulsejet/memories/releases/download/v7.5.2/memories.tar.gz";
license = "agpl3Plus";
};
passwords =
(pkgs.fetchNextcloudApp {
sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
license = "agpl3Plus";
}).overrideAttrs
(prev: {
unpackPhase = ''
cp $src passwords.tar.gz
tar -xf passwords.tar.gz
mv passwords/* ./
rm passwords.tar.gz
rm -r passwords
'';
});
};
extraAppsEnable = true;
database.createLocally = true;
config = {
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
dbtype = "pgsql";
};
settings = {
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
environment.systemPackages = with pkgs; [
exiftool
];
services.nginx = {
enable = true;
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${config.services.nextcloud.hostName}/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
};
}