added nextcloud

modules/nextcloud.nix

@@ -1,124 +1,179 @@
-{ pkgs, config, lib, ... }:
+{ config, lib, ... }:
 let
-  oo_domain = "onlyoffice.mc-fucker.cool";
-  domain = "nc.mc-fucker.cool";
+  cfg = import ./vars.nix;
+  name = "nextcloud";
+  dbport = cfg.${name}.dbport;
+  #db_host = cfg.podman.hostIP;
+  port = cfg.${name}.port;
+  domain = cfg.${name}.domain;
 in
 {
 
-  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ]; #allow a single package from unfree
+  imports = [
+    #./podman.nix
+    ./podman-postgresql.nix # for the database
+    ./nginx.nix             # for the webserver
+  ];
 
-  services.postgresql = {
-    ensureDatabases = [ "nextcloud" ];
-    ensureUsers = [
-      {
-        name = "nextcloud";
-        ensurePermissions = {
-          "DATABASE nextcloud" = "ALL PRIVILEGES";
-        };
-      }
-    ];
+  sops.secrets."${name}/db" = {};
+  #sops.secrets."${name}/env" = {};
+
+  services.podman-postgresql."${name}" = {
+    enable = true;
+    image = "docker.io/library/postgres:16-alpine";
+    port = (lib.strings.toInt dbport);
+    passwordFile = config.sops.secrets."${name}/db".path;
   };
 
-  services.postgresqlBackup.databases = [ "nextcloud" ];
-
-  services.nextcloud = {
-    autoUpdateApps.enable = true;
-    enable = true;
-    caching.redis = true;
-    hostName = "${domain}";
-    package = pkgs.nextcloud25;
-    https = true;
-    config = {
-      dbtype = "pgsql";
-      #dbhost = "postgres";
-      dbhost = "/run/postgresql";
-      #dbpassFile = "/etc/nixos/keys/nextcloud-dbpassword";
-      extraTrustedDomains = [ "mc4" ];
-      adminpassFile = "/etc/nixos/keys/nextcloud-adminpassword";
-      adminuser = "Superadmin";
-      defaultPhoneRegion = "DE";
+  virtualisation.oci-containers.containers.${name} = {
+    image = "lscr.io/linuxserver/nextcloud";
+    environment = {
+      TZ = "Europe/Berlin";
+      #DOCKER_MODS = "linuxserver/mods:universal-calibre";
+      PUID = "2000";
+      PGID = "2000";
     };
-    enableBrokenCiphersForSSE = false;
-    #poolSettings = {
-    #  "pm" = "dynamic";
-    #  "pm.max_children" = "256";
-    #  "pm.max_requests" = "1000";
-    #  "pm.max_spare_servers" = "64";
-    #  "pm.min_spare_servers" = "24";
-    #  "pm.start_servers" = "32";
-    #};
+    #environmentFiles = [ config.sops.secrets."${name}/env".path ];
+    ports = [
+      "${port}:443"
+    ];
+    volumes = [
+      "/var/lib/nextcloud:/config"
+      "/mnt/mergerfs/nextcloud:/data"
+    ];
+    extraOptions = cfg.podman.extraOptions;
+    autoStart = false;
+  };
+
+  virtualisation.oci-containers.containers.collabora = {
+    image = "docker.io/collabora/code";
+    environment = {
+      TZ = "Europe/Berlin";
+      #DOCKER_MODS = "linuxserver/mods:universal-calibre";
+      #PUID = "2000";
+      #PGID = "2000";
+    };
+    #environmentFiles = [ config.sops.secrets."${name}/env".path ];
+    environment = {
+      extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+      domain = "cloud.mc-fucker.cool";
+      VIRTUAL_HOST = "collabora.mc-fucker.cool";
+    };
+    ports = [
+      "9980:9980"
+    ];
+    #volumes = [
+    #  "/var/lib/nextcloud:/config"
+    #  "/mnt/mergerfs/nextcloud:/data"
+    #];
+    extraOptions = cfg.podman.extraOptions;
   };
 
   services.nginx = {
-    #package = pkgs.nginxMainline;
-    package = pkgs.nginxQuic;
-    virtualHosts."${domain}" = {
+
+    #upstreams.authentik = {
+    #  servers."localhost:${port}" = {};
+    #};
+
+    #appendHttpConfig = ''
+    #  map $http_upgrade $connection_upgrade_keepalive {
+    #    default upgrade;
+    #    '''      ''';
+    #  }
+    #'';
+
+    virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      #http3 = true;
-    extraConfig = ''
-      access_log  /var/log/nginx/${domain}_access.log;
-      error_log   /var/log/nginx/${domain}_error.log;
-    '';
+
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:${port}";
+        extraConfig = ''
+          proxy_set_header    Host $host;
+          proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header    X-Forwarded-Host $host;
+          proxy_set_header    X-Forwarded-Proto $scheme;
+          proxy_set_header    Upgrade $http_upgrade;
+          proxy_set_header    Connection "Upgrade";
+          proxy_redirect      off;
+          proxy_http_version  1.1;
+        '';
+      };
+
+      extraConfig = ''
+        access_log  /var/log/nginx/${domain}_access.log;
+        error_log   /var/log/nginx/${domain}_error.log;
+        client_max_body_size 5000M;
+      '';
+    };
+
+    virtualHosts."collabora.mc-fucker.cool" = let
+      dom = "collabora.mc-fucker.cool";
+      url = "http://127.0.0.1:9980";
+    in
+    {
+      forceSSL = true;
+      enableACME = true;
+
+      locations."^~ /browser" = {
+        proxyPass = url;
+        extraConfig = ''
+          proxy_set_header    Host $host;
+        '';
+      };
+
+      locations."^~ /hosting/discovery" = {
+        proxyPass = url;
+        extraConfig = ''
+          proxy_set_header    Host $host;
+        '';
+      };
+
+      locations."^~ /hosting/capabilities" = {
+        proxyPass = url;
+        extraConfig = ''
+          proxy_set_header    Host $host;
+        '';
+      };
+
+      locations."~ ^/cool/(.*)/ws$" = {
+        proxyPass = url;
+        extraConfig = ''
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header    Host $host;
+          proxy_read_timeout 36000s;
+        '';
+      };
+
+      locations."~ ^/(c|l)ool" = {
+        proxyPass = url;
+        extraConfig = ''
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header    Host $host;
+          proxy_read_timeout 36000s;
+        '';
+      };
+
+      locations."^~ /cool/adminws" = {
+        proxyPass = url;
+        extraConfig = ''
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header    Host $host;
+          proxy_read_timeout 36000s;
+        '';
+      };
+
+      extraConfig = ''
+        access_log  /var/log/nginx/${dom}_access.log;
+        error_log   /var/log/nginx/${dom}_error.log;
+        client_max_body_size 5000M;
+      '';
     };
   };
 
-  services.redis = {
-    enable = true;
-    unixSocket = "/run/redis/redis.sock";
-    unixSocketPerm = 770;
-  };
-
-  services.onlyoffice = {
-    enable = true;
-    hostname = oo_domain;
-  };
-
-  services.nginx.virtualHosts."${oo_domain}" = {
-    forceSSL = true;
-    enableACME = true;
-  };
-
-  users.users = {
-    nginx = {
-      extraGroups = [ "onlyoffice" ];
-    };
-  };
-
-
-  users.groups.redis.members = [ "nextcloud" ];
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "dev@mc-fucker.cool";
-  };
-
-  systemd.services.nextcloud-redis-setup = let
-    redisConfig = pkgs.writeText "nextcloud-redis-config.php" ''
-      <?php
-      $CONFIG = [
-        'memcache.distributed' => '\OC\Memcache\Redis',
-        'memcache.locking' => '\OC\Memcache\Redis',
-        'redis' => [
-          'host'     => '${config.services.redis.unixSocket}',
-          'port'     => 0,
-          'dbindex'  => 0,
-          'timeout'  => 1.5,
-        ],
-        'allow_local_remote_servers' => true,
-      ];
-    '';
-  in {
-    wantedBy = [ "multi-user.target" ];
-    before = [ "phpfpm-nextcloud.service" ];
-    script = ''
-      ln -sf ${redisConfig} ${config.services.nextcloud.datadir}/config/redis.config.php
-    '';
-    serviceConfig.Type = "oneshot";
-    serviceConfig.User = "nextcloud";
-  };
 
 }
-
 # vim: set et ts=2 sw=2 ai:

systems/nasty/configuration.nix

@@ -18,7 +18,7 @@
       ./modules/tvproxy.nix
       #./modules/calibre-web.nix
       ./modules/borg.nix
-      ./modules/nctest.nix
+      ./modules/nextcloud.nix
       ./modules/encode
       ./modules/lancache.nix
     ];