dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add certbot to module

Browse source
This commit is contained in:
DACHXY 2025-04-28 13:51:12 +08:00
parent d298d751fc
commit 56dfb90345
8 changed files with 176 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

2
system/dev/dn-pre7780/default.nix
View file

@ -13,6 +13,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./boot.nix ./boot.nix
./sops-conf.nix ./sops-conf.nix
./nextcloud.nix
../../modules/presets/basic.nix ../../modules/presets/basic.nix
../../modules/cuda.nix ../../modules/cuda.nix
../../modules/gaming.nix ../../modules/gaming.nix
@ -20,6 +21,7 @@
../../modules/virtualization.nix ../../modules/virtualization.nix
../../modules/wine.nix ../../modules/wine.nix
../../modules/wireguard.nix ../../modules/wireguard.nix
../../modules/certbot.nix
]; ];
home-manager = { home-manager = {

154
system/dev/dn-pre7780/nextcloud.nix Normal file
View file

@ -0,0 +1,154 @@
{
config,
pkgs,
lib,
...
}:
let
acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
REQUESTS_CA_BUNDLE=./system/extra/ca.crt
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d ${config.services.nextcloud.hostName}\
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
in
{
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}
}/nextcloud-extras.nix"
];
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"nextcloud"
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
services.nextcloud = {
enable = true;
datadir = "/mnt/windows/Linux/nextcloud";
package = pkgs.nextcloud31;
configureRedis = true;
hostName = "pre7780.net.dn";
https = false;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
news
contacts
calendar
tasks
;
memories = pkgs.fetchNextcloudApp {
sha256 = "sha256-BfxJDCGsiRJrZWkNJSQF3rSFm/G3zzQn7C6DCETSzw4=";
url = "https://github.com/pulsejet/memories/releases/download/v7.5.2/memories.tar.gz";
license = "agpl3Plus";
};
passwords =
(pkgs.fetchNextcloudApp {
sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
license = "agpl3Plus";
}).overrideAttrs
(prev: {
unpackPhase = ''
cp $src passwords.tar.gz
tar -xf passwords.tar.gz
mv passwords/* ./
rm passwords.tar.gz
rm -r passwords
'';
});
};
extraAppsEnable = true;
database.createLocally = true;
config = {
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
dbtype = "pgsql";
};
settings = {
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
environment.systemPackages = with pkgs; [
exiftool
];
services.nginx = {
enable = true;
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${config.services.nextcloud.hostName}/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
};
}

6
system/dev/dn-pre7780/secret.yaml
View file

@ -1,5 +1,7 @@
wireguard: wireguard:
conf: ENC[AES256_GCM,data:ozLdARKsxx5WNxyDgNttKW+FC9/4xEZ0UYmayf04IYNwzzps5Njdtwz1M8/sJoFKoqR7FlQ8eEz1RLCHl9nFwwLkcd14Qm3Du/8Rujw2ZiGJWxO1H71tnJwZBNg0Hr0ex5j4aCs7A38yWA+Grj4FOPvfyMt/zTzUZfu2PYWfPuwMmxR6EU8AMTSDaHUhf26ZwpWg5TG3QjiEJHKnJPzjUo8Imff7XnMENmVMbRSgxCe7CDyrKIAkxQ568sqJpNIovtEXRdEtdLnzI3wUW8WEEnRrfpPwACBsxJxyXLvkr2KIboA4caKiqcFNnx0dzVbDbbWOcgipN3b/ztzNU+mp,iv:p+ITGhlXfDsbx4V+1+P0wKy4OCMXxQZb4loflzFUcrw=,tag:bJuOcphL/K9pBHs/CLQ8rA==,type:str] conf: ENC[AES256_GCM,data:ozLdARKsxx5WNxyDgNttKW+FC9/4xEZ0UYmayf04IYNwzzps5Njdtwz1M8/sJoFKoqR7FlQ8eEz1RLCHl9nFwwLkcd14Qm3Du/8Rujw2ZiGJWxO1H71tnJwZBNg0Hr0ex5j4aCs7A38yWA+Grj4FOPvfyMt/zTzUZfu2PYWfPuwMmxR6EU8AMTSDaHUhf26ZwpWg5TG3QjiEJHKnJPzjUo8Imff7XnMENmVMbRSgxCe7CDyrKIAkxQ568sqJpNIovtEXRdEtdLnzI3wUW8WEEnRrfpPwACBsxJxyXLvkr2KIboA4caKiqcFNnx0dzVbDbbWOcgipN3b/ztzNU+mp,iv:p+ITGhlXfDsbx4V+1+P0wKy4OCMXxQZb4loflzFUcrw=,tag:bJuOcphL/K9pBHs/CLQ8rA==,type:str]
nextcloud:
adminPassword: ENC[AES256_GCM,data:7rC29qpvDGDZOuW+ONot,iv:+A7yoeys74IRsAR5unH4eHcgjbzF/UKZWY9Q0AVLN7U=,tag:v/KWQH+p0Yh9CIt7sHHDGA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -15,8 +17,8 @@ sops:
MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA== lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-22T05:56:47Z" lastmodified: "2025-04-28T04:43:00Z"
mac: ENC[AES256_GCM,data:0fP411k5BcJAujDLPT7Z1SeU+VKUW77KGKxsDTol6ZD6Qa0V12e2iTG0eA5dW0jKf5RUN7I8r5CHFcxyuBjnwkZ+nGYVsYvNWZf5I446+6JMq5lD/Rt+0GtheRZYNnnvHR+4t8+BUzrvB+mmXhizI3lLWloWzivv8pEgZPZlgjk=,iv:ohNabL4SYdDMn98vhPj46kSGHusOS/RdrcY9yoqHqPs=,tag:Jtv4rf6joq9yzN8iRx/pkw==,type:str] mac: ENC[AES256_GCM,data:EQgrbquDQa0+U8jUKA5XxVqueiwibuRXHoXUcvgGOvhvXkOR2WdKvyia+UhWze2DBfYXWgAEG2Ljt1xUWSo0OhCjLbHTHmu9DCywbpeiRpAAFH0xj0wdvSVG3amsEIN6a3RyLpCq8P/n8F2HeB9dLNZvddmTgBsfGxyS0okUGuk=,iv:zntdTMwkOs+c3fIevzqCalSZjB7lAHvGB2PhEnLB3Hc=,tag:ngtyM1wMESWfGEFdxCcwDg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4

1
system/dev/dn-pre7780/sops-conf.nix
View file

@ -2,6 +2,7 @@
sops = { sops = {
secrets = { secrets = {
"wireguard/conf" = { }; "wireguard/conf" = { };
"nextcloud/adminPassword" = { };
}; };
}; };
} }

2
system/dev/dn-server/default.nix
View file

@ -19,11 +19,11 @@
./nginx.nix ./nginx.nix
./nextcloud.nix ./nextcloud.nix
./step-ca.nix ./step-ca.nix
./cerbot.nix
../../modules/presets/minimal.nix ../../modules/presets/minimal.nix
../../modules/bluetooth.nix ../../modules/bluetooth.nix
../../modules/cuda.nix ../../modules/cuda.nix
../../modules/gc.nix ../../modules/gc.nix
../../modules/certbot.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

11
system/extra/ca.crt Normal file
View file

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBqDCCAU2gAwIBAgIQBnU3DLmknEy9zgvkjtIhEjAKBggqhkjOPQQDAjAyMRMw
EQYDVQQKEwpzdGVwLWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0Ew
HhcNMjUwNDE4MTQ1NjU1WhcNMzUwNDE2MTQ1NjU1WjAyMRMwEQYDVQQKEwpzdGVw
LWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0EwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAQT0Q5Zt9yRE6LGDGzMqxyzxDHH6yMcpRHxeam5QWNyBLT2
TLhQvH/xJSFxeolKbf+kQGlE1armOqOxVUuy1kbho0UwQzAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU2Cr1FiPu24tU5Asobi0Z
t3R9HvUwCgYIKoZIzj0EAwIDSQAwRgIhAINLdkW3wqMSzIZro3JbYbX+T7MYVQFM
Weu1hXe28LWsAiEA371C55I6Dooe2hRZ1KaUAdZ5jh4hk63o7m0/B2xgFSc=
-----END CERTIFICATE-----

17
system/modules/ca.nix
View file

@ -1,19 +1,6 @@
{ {
security.pki.certificates = [ security.pki.certificateFiles = [
# Step CA Root # Step CA Root
'' ../extra/ca.crt
-----BEGIN CERTIFICATE-----
MIIBqDCCAU2gAwIBAgIQBnU3DLmknEy9zgvkjtIhEjAKBggqhkjOPQQDAjAyMRMw
EQYDVQQKEwpzdGVwLWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0Ew
HhcNMjUwNDE4MTQ1NjU1WhcNMzUwNDE2MTQ1NjU1WjAyMRMwEQYDVQQKEwpzdGVw
LWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0EwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAQT0Q5Zt9yRE6LGDGzMqxyzxDHH6yMcpRHxeam5QWNyBLT2
TLhQvH/xJSFxeolKbf+kQGlE1armOqOxVUuy1kbho0UwQzAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU2Cr1FiPu24tU5Asobi0Z
t3R9HvUwCgYIKoZIzj0EAwIDSQAwRgIhAINLdkW3wqMSzIZro3JbYbX+T7MYVQFM
Weu1hXe28LWsAiEA371C55I6Dooe2hRZ1KaUAdZ5jh4hk63o7m0/B2xgFSc=
-----END CERTIFICATE-----
''
]; ];
} }

2
system/dev/dn-server/cerbot.nix → system/modules/certbot.nix
View file

@ -20,7 +20,7 @@
]; ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = { environment = {
"REQUESTS_CA_BUNDLE" = "/var/lib/step-ca/certs/root_ca.crt"; "REQUESTS_CA_BUNDLE" = ../extra/ca.crt;
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.certbot}/bin/certbot renew"; ExecStart = "${pkgs.certbot}/bin/certbot renew";