feat: add nextcloud

This commit is contained in:
DACHXY 2025-04-21 14:52:42 +08:00
parent ca5db8c1c2
commit b4bd51410c
10 changed files with 373 additions and 37 deletions


@ -11,11 +11,13 @@
intel-bus-id = settings.nvidia.intel-bus-id;
nvidia-bus-id = settings.nvidia.nvidia-bus-id;
})
./hardware-configuration.nix
./boot.nix
./packages.nix
./services.nix
./hardware-configuration.nix
./networking.nix
./services.nix
./nginx.nix
./nextcloud.nix
# ./step-ca.nix
../../modules/presets/minimal.nix
../../modules/bluetooth.nix
../../modules/cuda.nix
@ -24,6 +26,7 @@
environment.systemPackages = with pkgs; [
ferium
openssl
];
home-manager = {
@ -40,7 +43,7 @@
{
home.packages = with pkgs; [
inputs.ghostty.packages.${system}.default
(python3.withPacakges (
(python3.withPackages (
p: with p; [
pip
]


@ -0,0 +1,99 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}
}/nextcloud-extras.nix"
];
services.postgresql = {
enable = true;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
'';
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"nextcloud"
];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
configureRedis = true;
hostName = "nextcloud.net.dn";
https = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
news
contacts
calendar
tasks
;
memories = pkgs.fetchNextcloudApp {
sha256 = "sha256-BfxJDCGsiRJrZWkNJSQF3rSFm/G3zzQn7C6DCETSzw4=";
url = "https://github.com/pulsejet/memories/releases/download/v7.5.2/memories.tar.gz";
license = "agpl3Plus";
};
passwords =
(pkgs.fetchNextcloudApp {
sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
license = "agpl3Plus";
}).overrideAttrs
(prev: {
unpackPhase = ''
cp $src passwords.tar.gz
tar -xf passwords.tar.gz
mv passwords/* ./
rm passwords.tar.gz
rm -rpasswords
'';
});
};
extraAppsEnable = true;
database.createLocally = true;
config = {
adminpassFile = "/run/keys/nextcloud-admin-password.key";
dbtype = "pgsql";
};
settings = {
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
};
environment.systemPackages = with pkgs; [
exiftool
];
}
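Review bot: The `lib.mkOverride 10` pg_hba line `local all all trust` lets any local OS account open a socket connection as any PostgreSQL role, including the `postgres` superuser, with no credential at all; nothing visible in this file appears to need that, since `database.createLocally = true` has Nextcloud connect over the socket as the `nextcloud` system user, which the NixOS default `peer` method already authorises. Dropping the `authentication` override (or narrowing it to `local nextcloud nextcloud peer`) keeps the same working setup without handing every local process the whole database server. Separately, the `passwords` app's unpackPhase ends with `rm -rpasswords`, which reads as a typo for `rm -r passwords`; as written rm is handed the option string `-rpasswords`, so either the build aborts on an unknown option or the emptied directory is left behind, depending on the rm implementation. The imported `nextcloud-extras.nix` is pinned by commit and sha256, which is the right way to pull in a third-party module, but a one-line comment saying what it provides would help whoever next bumps the hash.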


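--- a/nginx.nix
+++ b/nginx.nix
@@ -0,0 +1,30 @@
+{
+config,
+lib,
+...
+}:
+{
+services.nginx = {
+enable = true;
+virtualHosts = {
+${config.services.nextcloud.hostName} = {
+listen = lib.mkForce [
+{
+addr = "0.0.0.0";
+port = 443;
+ssl = true;
+}
+];
+forceSSL = true;
+sslCertificate = "/var/lib/acme/net.dn.crt";
+sslCertificateKey = "/var/lib/acme/net.dn.key";
+sslTrustedCertificate = "/var/lib/acme/net.dn.crt";
+extraConfig = ''
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
+ssl_prefer_server_ciphers on;
+'';
+};
+};
+};
+}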
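Review bot: `sslTrustedCertificate` points at the same `net.dn.crt` as `sslCertificate`; that directive is the issuer chain nginx uses to validate stapled OCSP responses, so if the file holds only the leaf certificate, stapling verification cannot succeed and the line is dead weight — point it at the chain/issuer file or drop it. The `TLS_AES_*` names in `ssl_ciphers` are TLS 1.3 suite names that OpenSSL's cipher-string parser does not accept in that directive (TLS 1.3 suites are configured through `ssl_conf_command Ciphersuites`), so they are silently ignored and the TLS 1.3 set stays at OpenSSL's default; either rely on `services.nginx.recommendedTlsSettings` or move them to `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;`. Because `listen` is forced to only `0.0.0.0:443`, `forceSSL` appears to get no port-80 listener to redirect from, and the vhost answers on every IPv4 interface rather than just the WireGuard address that `nextcloud.net.dn` resolves to — if the service is meant to be mesh-only, `addr = "10.0.0.1"` would match the DNS record and leave the firewall as a second line of defence rather than the only one.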


@ -1,14 +1,73 @@
{ username, pkgs, ... }:
{
settings,
pkgs,
lib,
...
}:
let
username = settings.personal.username;
ethInterface = "enp0s31f6";
wlInterface = "wlp0s20f3";
sshPorts = [ 30072 ];
sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
getCleanAddress =
ip:
with builtins;
let
result = replaceStrings [ "/24" "/32" ] [ "" "" ] ip;
in
result;
getReverseFilename =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = take 3 (splitString "." (getCleanAddress ip));
reversedFilename = "db." + (concatStringsSep "." (reverseList octets));
in
reversedFilename;
getSubAddress =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = reverseList (splitString "." (getCleanAddress ip));
sub = head octets;
in
sub;
reverseIP =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = splitString "." (getCleanAddress ip);
reversedIP = (concatStringsSep "." (reverseList octets)) + ".in-addr.arpa";
in
reversedIP;
reverseZone =
ip:
with builtins;
with lib.lists;
with lib.strings;
let
octets = take 3 (splitString "." (getCleanAddress ip));
reversedZone = (concatStringsSep "." (reverseList octets)) + ".in-addr.arpa";
in
reversedZone;
personal = {
ip = "10.0.0.1/24";
interface = "wg0";
port = 51820;
domain = "net.dn";
range = "10.0.0.0/24";
full = "10.0.0.1/25";
restrict = "10.0.0.128/25";
@ -19,6 +78,9 @@ let
range = "10.10.0.0/24";
interface = "wg1";
port = 51821;
masterIP = "10.10.0.1";
masterHostname = "api-kube.net.dn";
masterAPIServerPort = 6443;
};
allowedSSHIPs = builtins.concatStringsSep ", " [
@ -72,6 +134,12 @@ let
publicKey = "Cm2AZU+zlv+ThMqah6WiLVxgPNvMHm9DEGd4PfywNWU=";
allowedIPs = [ "10.0.0.135/32" ];
}
{
# justin03
dns = "justin";
publicKey = "WOze/PPilBPqQudk1D4Se34zWV3UghKXWTG6M/f7bEM=";
allowedIPs = [ "10.0.0.136/32" ];
}
{
# ahhaha
dns = "ahhaha";
@ -96,14 +164,49 @@ let
publicKey = "VVzGcHjSo6QkvN6raS9g/NYLIrZ1xzxdnEronQaTIHs=";
allowedIPs = [ "10.0.0.141/32" ];
}
{
dns = "yc-mesh";
publicKey = "dKcEjRq9eYA8rXVfispNoKEbrs9R3ZIVlQi5AXfFch8=";
allowedIPs = [ "10.0.0.142/32" ];
}
{
dns = "jonly-mesh";
publicKey = "EyRL+iyKZJaqz9DXVsH2Ne/wVInx5hg9oQARrXP3/k0=";
allowedIPs = [ "10.0.0.143/32" ];
}
{
dns = "tommy-mesh";
publicKey = "oCRNCyg0bw6W6W87XQ4pIUW+WFi/bx9MG4cIwE23GxI=";
allowedIPs = [ "10.0.0.144/32" ];
}
];
dnsRecords =
with builtins;
concatStringsSep "\n" (
map (r: ''
${r.dns} IN A ${replaceStrings [ "/32" ] [ "" ] (elemAt r.allowedIPs 0)}
'') (fullRoute ++ meshRoute)
map (
r:
let
ip = getCleanAddress (elemAt r.allowedIPs 0);
in
''
${r.dns} IN A ${ip}
''
) (fullRoute ++ meshRoute)
);
dnsReversedRecords =
with builtins;
concatStringsSep "\n" (
map (
r:
let
reversed = getSubAddress (getCleanAddress (elemAt r.allowedIPs 0));
in
''
${reversed} IN PTR ${r.dns}.${personal.domain}.
''
) (fullRoute ++ meshRoute)
);
in
{
@ -124,10 +227,12 @@ in
personal.port
kube.port
25565
kube.masterAPIServerPort
];
allowedTCPPorts = sshPorts ++ [
53
25565
kube.masterAPIServerPort
];
};
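Review bot: `kube.masterAPIServerPort` (6443) is appended to both the UDP and TCP allow lists; if these are the host-wide `networking.firewall.allowed{UDP,TCP}Ports` (both list heads and the enclosing `firewall` set start above this hunk), the Kubernetes API server becomes reachable on `enp0s31f6` and `wlp0s20f3` as well as on `wg1`, even though `api-kube.net.dn` is only published as `kube.masterIP` inside the mesh. The API server serves HTTPS over TCP, so the UDP entry buys nothing and only widens the open set. Scoping the port to the mesh interface — `networking.firewall.interfaces.${kube.interface}.allowedTCPPorts = [ kube.masterAPIServerPort ];` — and dropping the UDP line keeps the same cluster reachability with a smaller exposed surface. The same argument applies to the pre-existing `25565` entries, but those are outside this change.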
@ -213,11 +318,12 @@ in
};
};
};
extraHosts = "${kube.masterIP} ${kube.masterHostname}";
};
services = {
dbus.enable = true;
blueman.enable = true;
openssh = {
@ -232,6 +338,10 @@ in
bind = {
enable = true;
forwarders = [
"8.8.8.8"
"8.8.4.4"
];
cacheNetworks = [
"127.0.0.0/24"
"::1/128"
@ -239,7 +349,7 @@ in
kube.range
];
zones = {
"net.dn" = {
"${personal.domain}" = {
master = true;
allowQuery = [
"127.0.0.0/24"
@ -247,25 +357,67 @@ in
personal.range
kube.range
];
file = pkgs.writeText "zone-net.dn" ''
$ORIGIN net.dn.
$TTL 1h
@ IN SOA server hostmaster (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS server
IN NS phone
@ IN A 10.0.0.1
IN AAAA fe80::3319:e2bb:fc15:c9df
IN MX 10 mail
IN TXT "v=spf1 mx"
file =
let
serverIP = getCleanAddress personal.ip;
kubeIP = getCleanAddress kube.ip;
origin = "${personal.domain}.";
in
pkgs.writeText "db.${personal.domain}" ''
$ORIGIN ${origin}
$TTL 1h
@ IN SOA dns.${origin} admin.dns.${origin} (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS dns.${origin}
@ IN A ${serverIP}
IN AAAA fe80::3319:e2bb:fc15:c9df
IN MX 10 mail.${origin}
IN TXT "v=spf1 mx"
dns IN A ${serverIP}
nextcloud IN A ${serverIP}
ca IN A ${serverIP}
server IN A ${serverIP}
mail IN A ${serverIP}
api-kube IN A ${kubeIP}
${dnsRecords}
'';
};
"${reverseZone personal.ip}" = {
master = true;
allowQuery = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
file =
let
serverIP = getSubAddress personal.ip;
mailIP = getSubAddress personal.ip;
in
pkgs.writeText "${getReverseFilename personal.ip}" ''
$TTL 86400
@ IN SOA dns.${personal.domain}. admin.dns.${personal.domain}. (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS dns.${personal.domain}.
${serverIP} IN PTR dns.${personal.domain}.
${serverIP} IN PTR server.${personal.domain}.
${serverIP} IN PTR nextcloud.${personal.domain}.
${serverIP} IN PTR ca.${personal.domain}.
${mailIP} IN PTR mail.${personal.domain}.
${dnsReversedRecords}
'';
server IN A 10.0.0.1
${dnsRecords}
'';
};
};
};
@ -278,7 +430,7 @@ in
users.users = {
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzLpMKn0Q24ACC6k/7lOX0FIdcFhq15NY6849yROeUK danny@dn-pre7780"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
];
"${username}".openssh.authorizedKeys.keys = [


@ -0,0 +1,20 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ step-cli ];
users.users.step-ca = {
isSystemUser = true;
group = "step-ca";
};
users.groups.step-ca = { };
services.step-ca = {
enable = true;
address = "0.0.0.0";
settings = builtins.fromJSON (builtins.readFile /var/lib/step-ca/config/ca.json);
port = 8443;
openFirewall = true;
intermediatePasswordFile = "/run/keys/step-password";
};
}
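Review bot: `settings = builtins.fromJSON (builtins.readFile /var/lib/step-ca/config/ca.json)` reads the live CA configuration at evaluation time and the module then renders `settings` back out as part of the system closure, so whatever that file holds (typically provisioner key material, database settings and the password-file path) ends up in the world-readable Nix store; under a flake's pure evaluation an absolute path outside the repository is not readable at all, so the import would fail outright. Declare the settings in Nix, referencing any secret material by runtime path rather than inlining it, instead of importing the generated file. `address = "0.0.0.0"` together with `openFirewall = true` publishes the CA's enrolment endpoint on every interface, not just the WireGuard side where `ca.net.dn` resolves; binding to `10.0.0.1` would match the DNS record. This file is only referenced as a commented-out import in configuration.nix, so none of this is live yet, but it will be the moment that line is uncommented.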