dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: nextcloud reverse proxy

Browse source
This commit is contained in:
DACHXY 2025-05-03 22:23:20 +08:00
parent 2c628abdc0
commit add7bfc2c1
8 changed files with 307 additions and 361 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -237,6 +237,7 @@
system system
nix-version nix-version
settings settings
devices
; ;
}; };
users."${username}" = { users."${username}" = {

6
system/dev/dn-pre7780/default.nix
View file

@ -13,8 +13,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./boot.nix ./boot.nix
./sops-conf.nix ./sops-conf.nix
./nextcloud.nix ./nginx.nix
../../modules/presets/basic.nix
../../modules/cuda.nix ../../modules/cuda.nix
../../modules/gaming.nix ../../modules/gaming.nix
../../modules/secure-boot.nix ../../modules/secure-boot.nix
@ -22,6 +21,9 @@
../../modules/wine.nix ../../modules/wine.nix
../../modules/wireguard.nix ../../modules/wireguard.nix
../../modules/certbot.nix ../../modules/certbot.nix
(import ../../modules/nextcloud.nix {
hostname = "pre7780.net.dn";
})
]; ];
home-manager = { home-manager = {

159
system/dev/dn-pre7780/nextcloud.nix
View file

@ -1,159 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
REQUESTS_CA_BUNDLE=./system/extra/ca.crt
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d ${config.services.nextcloud.hostName}\
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
in
{
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}
}/nextcloud-extras.nix"
];
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"nextcloud"
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
users.groups.windows = {
members = [ "nextcloud" ];
};
services.nextcloud = {
enable = true;
datadir = "/mnt/nextcloud";
package = pkgs.nextcloud31;
configureRedis = true;
hostName = "pre7780.net.dn";
https = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
news
contacts
calendar
tasks
;
memories = pkgs.fetchNextcloudApp {
sha256 = "sha256-BfxJDCGsiRJrZWkNJSQF3rSFm/G3zzQn7C6DCETSzw4=";
url = "https://github.com/pulsejet/memories/releases/download/v7.5.2/memories.tar.gz";
license = "agpl3Plus";
};
passwords =
(pkgs.fetchNextcloudApp {
sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
license = "agpl3Plus";
}).overrideAttrs
(prev: {
unpackPhase = ''
cp $src passwords.tar.gz
tar -xf passwords.tar.gz
mv passwords/* ./
rm passwords.tar.gz
rm -r passwords
'';
});
};
extraAppsEnable = true;
database.createLocally = true;
config = {
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
dbtype = "pgsql";
};
settings = {
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
environment.systemPackages = with pkgs; [
exiftool
];
services.nginx = {
enable = true;
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${config.services.nextcloud.hostName}/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
};
}

24
system/dev/dn-pre7780/nginx.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
};
}

6
system/dev/dn-server/default.nix
View file

@ -17,13 +17,17 @@
./networking.nix ./networking.nix
./services.nix ./services.nix
./nginx.nix ./nginx.nix
./nextcloud.nix
./step-ca.nix ./step-ca.nix
../../modules/presets/minimal.nix ../../modules/presets/minimal.nix
../../modules/bluetooth.nix ../../modules/bluetooth.nix
../../modules/cuda.nix ../../modules/cuda.nix
../../modules/gc.nix ../../modules/gc.nix
../../modules/certbot.nix ../../modules/certbot.nix
(import ../../modules/nextcloud.nix {
hostname = "nextcloud.net.dn";
dataBackupPath = "/mnt/backup_dn";
dbBackupPath = "/mnt/backup_dn";
})
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

199
system/dev/dn-server/nextcloud.nix
View file

@ -1,199 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
acmeWebRoot = "/var/www/nextcloud.net.dn/html/";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d nextcloud.net.dn \
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
in
{
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}
}/nextcloud-extras.nix"
];
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"nextcloud"
];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
configureRedis = true;
hostName = "nextcloud.net.dn";
https = true;
phpExtraExtensions =
all: with all; [
imagick
];
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
news
contacts
calendar
tasks
;
passwords =
(pkgs.fetchNextcloudApp {
sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
license = "agpl3Plus";
}).overrideAttrs
(prev: {
unpackPhase = ''
cp $src passwords.tar.gz
tar -xf passwords.tar.gz
mv passwords/* ./
rm passwords.tar.gz
rm -r passwords
'';
});
};
extraAppsEnable = true;
database.createLocally = true;
config = {
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
dbtype = "pgsql";
};
settings = {
log_type = "file";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
environment.systemPackages = with pkgs; [
exiftool
];
services.nginx = {
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/nextcloud.net.dn/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/nextcloud.net.dn/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/nextcloud.net.dn/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
};
systemd.timers."nextcloud-backup" = {
enable = true;
description = "Nextcloud backup";
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
OnUnitActiveSec = "1d";
AccuracySec = "1h";
Unit = "nextcloud-backup.service";
};
wantedBy = [ "timers.target" ];
};
systemd.services."nextcloud-backup" = {
enable = true;
serviceConfig = {
User = "nextcloud";
ExecStart =
let
script = pkgs.writeShellScriptBin "backup" ''
nextcloudPath="/var/lib/nextcloud"
mountPoint="/mnt/backup_dn"
nextcloudBakPath="$mountPoint"
nextcloudDBBakPath="$mountPoint/nextcloud-db.bak.tar"
if [ ! -d "$nextcloudPath" ]; then
echo "nextcloud path not found: $nextcloudPath"
exit 1
fi
if [ ! -d "$mountPoint" ]; then
echo "Backup device is not mounted: $mountPoint"
exit 1
fi
if [ ! -d "$nextcloudBakPath" ]; then
mkdir -p "$nextcloudBakPath"
fi
echo "Start syncing..."
${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
echo "Data dir backup completed."
echo "Try backing up database (postgresql)"
${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
echo "Database backup completed."
'';
in
"${script}/bin/backup";
};
};
}

96
system/dev/dn-server/nginx.nix
View file

@ -1,9 +1,105 @@
{ {
config,
lib,
pkgs,
settings,
devices,
... ...
}: }:
let
acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d ${config.services.neextcloud.hostName} \
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
pre7780 = {
hostname = "pre7780.net.dn";
ip = "10.0.0.130";
};
in
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
virtualHosts = {
# Nextcloud - Server
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${config.services.nextcloud.hostName}/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
pre7780Hostname = {
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."/" = {
proxyPass = "http://${pre7780.ip}/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${pre7780.hostname}/html";
extraConfig = ''
default_type "text/plain";
'';
};
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
}; };
} }

177
system/modules/nextcloud.nix Normal file
View file

@ -0,0 +1,177 @@
{
hostname,
dataBackupPath ? null,
dbBackupPath ? null,
}:
{
config,
pkgs,
lib,
...
}:
{
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}
}/nextcloud-extras.nix"
];
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"nextcloud"
];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
configureRedis = true;
hostName = hostname;
https = true;
phpExtraExtensions =
all: with all; [
imagick
];
maxUploadSize = "10240M";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
contacts
calendar
tasks
;
passwords =
(pkgs.fetchNextcloudApp {
sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
license = "agpl3Plus";
}).overrideAttrs
(prev: {
unpackPhase = ''
cp $src passwords.tar.gz
tar -xf passwords.tar.gz
mv passwords/* ./
rm passwords.tar.gz
rm -r passwords
'';
});
};
extraAppsEnable = true;
database.createLocally = true;
config = {
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
dbtype = "pgsql";
};
settings = {
log_type = "file";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
environment.systemPackages = with pkgs; [
exiftool
];
systemd = {
timers = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
"nextcloud-backup" = {
enable = true;
description = "Nextcloud backup";
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
OnUnitActiveSec = "1d";
AccuracySec = "1h";
Unit = "nextcloud-backup.service";
};
wantedBy = [ "timers.target" ];
};
};
services = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
"nextcloud-backup" = {
enable = true;
serviceConfig = {
User = "nextcloud";
ExecStart =
let
script = pkgs.writeShellScriptBin "backup" (
''
nextcloudPath="${config.services.nextcloud.datadir}"
if [ ! -d "$nextcloudPath" ]; then
echo "nextcloud path not found: $nextcloudPath"
exit 1
fi
''
+ (
if dataBackupPath != null then
''
backupPath="${dataBackupPath}"
nextcloudBakPath="$backupPath"
if [ ! -d "$backupPath" ]; then
echo "Backup device is not mounted: $backupPath"
exit 1
fi
echo "Start syncing..."
${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
echo "Data dir backup completed."
''
else
""
)
+ (
if dbBackupPath != null then
''
nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
if [ ! -d "$nextcloudBakPath" ]; then
mkdir -p "$nextcloudBakPath"
fi
echo "Try backing up database (postgresql)"
${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
echo "Database backup completed."
''
else
""
)
);
in
"${script}/bin/backup";
};
};
};
};
}