add web.social-grow.tech

This commit is contained in:
2024-10-24 00:26:32 +02:00
parent ef8f774f4f
commit d8db7df64e
22 changed files with 1670 additions and 75 deletions


@@ -0,0 +1,108 @@
{ pkgs, config, ... }:
let
domain = config.networking.domain;
in {
imports = [
./ldap.nix
];
sops.secrets.nextcloud-smb-credentials = {};
sops.secrets.nextcloud-adminpass.owner = "nextcloud";
sops.secrets.nextcloud-secrets.owner = "nextcloud";
services.nextcloud = {
enable = true;
hostName = "cloud.${domain}";
https = true;
package = pkgs.nextcloud29;
# Instead of using pkgs.nextcloud27Packages.apps,
# we'll reference the package version specified above
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) calendar contacts deck forms groupfolders richdocuments;
oidc_login = pkgs.fetchNextcloudApp rec {
url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.1.1/oidc_login.tar.gz";
sha256 = "sha256-EVHDDFtz92lZviuTqr+St7agfBWok83HpfuL6DFCoTE=";
license = "gpl3";
};
guests = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/guests/releases/download/v4.0.0/guests-v4.0.0.tar.gz";
sha256 = "sha256-dM2BmckOGZpcFDVs2oYVDqPafyBtLFB3ZCcsnOflteM=";
license = "gpl3";
};
files_accesscontrol = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud/files_accesscontrol/archive/refs/tags/v1.20.1.tar.gz";
sha256 = "sha256-3vcnXiLsmUnt3GiF8H9Mw8jOwAmIn1cqr13SBgvdm+g=";
license = "gpl3";
};
appointments = pkgs.fetchNextcloudApp rec {
url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.1.12/build/artifacts/appstore/appointments.tar.gz";
sha256 = "sha256-hMLimaBz5RBRzkEwpWJ9ZUrNY0oRTbPeYFCvH8hl1YE=";
license = "gpl3";
};
};
autoUpdateApps.enable = true;
extraAppsEnable = true;
database.createLocally = true;
caching.apcu = true;
configureRedis = true;
phpOptions."opcache.interned_strings_buffer" = "23";
config = {
adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
dbtype = "mysql";
};
secretFile = config.sops.secrets.nextcloud-secrets.path;
settings = {
log_type = "file";
log_level = 0;
allow_user_to_change_display_name = false;
maintenance_window_start = 1;
lost_password_link = "disabled";
sharing.enable_share_mail = true;
oidc_login_provider_url = "https://auth.${domain}";
oidc_login_client_id = "nextcloud";
oidc_login_button_text = "Log in with Authelia";
oidc_login_auto_redirect = false;
oidc_login_proxy_ldap = true;
oidc_login_attributes = {
id = "preferred_username";
name = "name";
mail = "email";
groups = "groups";
ldap_uid = "email";
};
oidc_login_scope = "openid profile email groups";
default_phone_region = "AT";
};
};
environment.systemPackages = [ pkgs.cifs-utils ];
fileSystems."/var/lib/nextcloud/data" = {
device = "//u428777.your-storagebox.de/u428777-sub2/";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users,file_mode=0770,dir_mode=0770";
in ["${automount_opts},credentials=${config.sops.secrets.nextcloud-smb-credentials.path},uid=992,gid=992"];
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
};
services.mysql = {
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "nextcloud" ];
};
services.mysqlBackup.databases = [ "nextcloud" ];
}
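Review bot: `log_level = 0` in the `settings` block turns on Nextcloud's debug log level, which is far more verbose than the usual warning level and records request details that do not belong in a long-lived production log; unless debugging is intended here, use `log_level = 2;`. The comment above `extraApps` still talks about `pkgs.nextcloud27Packages.apps` although the line just above selects `pkgs.nextcloud29`; reword it to `# Take the app set from the Nextcloud package selected above rather than a fixed pkgs.nextcloudNNPackages.apps set`. The CIFS mount hard-codes `uid=992,gid=992`, which presumably is the nextcloud user; if that uid is not pinned elsewhere in this configuration, a mismatch leaves the data directory unwritable for the service, so it is worth deriving the ids from the user definition or fixing the uid explicitly.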


@@ -0,0 +1,24 @@
{ config, pkgs, ... }:
let
updateLdapSettings = pkgs.writeText "nextcloud-update-ldap-settings.sql" (builtins.readFile ./update-ldap-settings.sql);
in {
sops.secrets.nextcloud-ldap-password.owner = "nextcloud";
systemd.services."nextcloud-update-ldap-settings" = {
enable = true;
description = "My custom service";
after = [ "nextcloud-setup.service" ];
script = let
updateLdapSettings = pkgs.writeText "nextcloud-update-ldap-settings.sql" (builtins.readFile ./update-ldap-settings.sql);
in ''
ldappass=$(base64 -w 0 ${config.sops.secrets.nextcloud-ldap-password.path})
${pkgs.mysql}/bin/mysql -u nextcloud -e "INSERT INTO oc_appconfig (appid, configkey, configvalue, type, lazy) VALUES ('user_ldap', 's01ldap_agent_password', '$ldappass', 2, 0) ON DUPLICATE KEY UPDATE configvalue = '$ldappass';" nextcloud
${pkgs.mysql}/bin/mysql -u nextcloud nextcloud < ${updateLdapSettings}
'';
serviceConfig = {
Type = "exec";
User = "nextcloud";
};
};
}
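Review bot: The unit `nextcloud-update-ldap-settings` has no `wantedBy`, `requiredBy` or `partOf`, so `enable = true` and `after = [ "nextcloud-setup.service" ]` only install and order it; nothing ever starts it, and the LDAP bind password is never written unless someone runs the unit by hand. The script also passes the base64-encoded password inside mysql's `-e` argument, where it is visible in the process command line for the duration of the query; feeding the statement to mysql on stdin keeps it out of argv. The `updateLdapSettings` binding of the outer `let` is shadowed by the identical one inside `script` and can be dropped, and `description = "My custom service"` is a leftover placeholder.
```nix
    wantedBy = [ "multi-user.target" ];
    after = [ "nextcloud-setup.service" ];
    script = ''
      ldappass=$(base64 -w 0 ${config.sops.secrets.nextcloud-ldap-password.path})
      ${pkgs.mysql}/bin/mysql -u nextcloud nextcloud <<EOF
      INSERT INTO oc_appconfig (appid, configkey, configvalue, type, lazy) VALUES ('user_ldap', 's01ldap_agent_password', '$ldappass', 2, 0) ON DUPLICATE KEY UPDATE configvalue = '$ldappass';
      EOF
      ${pkgs.mysql}/bin/mysql -u nextcloud nextcloud < ${updateLdapSettings}
    '';
    # … unchanged: serviceConfig …
```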


@@ -0,0 +1,39 @@
nextcloud-adminpass: ENC[AES256_GCM,data:WJA7+5XqLK2eYefCviHqvHwqYPy9yfN+/3j5RTF0edrw41oB/wC5JWYejK2FzMkjkXZM0BUQ6waE3PCal3Ebqvzt/ZyC8Pwm8Z+PuMuXFx/6fQLJDxHALXH03GWAzNhUZpcZUYoNtu+uwaROg/4ZVNRu3IXxw+b2DWN65EaMO48=,iv:arkUgibmZQuaiCwYg6NBrMHZXUCLY2y/XiuVjB450ag=,tag:RH6r8nJPU24qq/EUC3jQ/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VmR4THNkUGpvVHB6WWtw
WkQ1dlc3R0FWaXpVZ29Sd2g1ZWJzYUFQWHdFCndkUWxqZEdIQlBnSDluN2NEWmZG
VndCbXlqV3p0ZnYwcFhjeGZVa09xcW8KLS0tIHVnc2RPWTF1b2NvWVp3OEFwVDZk
V0FWOXhSbXQyd0JmVEVpdG9IeXlsQ1UKFxGluq+uOgkA7UUa6/4ZErEPRgQQ5cXS
PdB5Et5f02RWBRAUtGEE0UrLiINlIFvFAIr3PKctNVc8/Ovf/jGojg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RnRPK0Y4ekRiYS9xdGs0
ZE5oT1FIWmlySERMbDAyQXlHNDJnQ2Q2dkVvCjNQSGlyQXlzUXAzV0wrNHppUFY4
a3k4Y2VtQ1Z4UjVqcnQ4MXhjSzJoM0UKLS0tIHBORnVoSHlJVnpjcmdZVTA1NHhF
dHVTWnpXTnNNc0l1M3J6enFBdUwwNWcK80nKzyIrrKaEa0naFsnuie+732hMZQUg
IAU9V7/bZiDItTUVdATDjjNBiXnMgDB73SqHhuyIDD+VhDkVUBhjWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdDduRUZOS2VEUldmRFRS
QUVxeUVWRERSQ2ZkdnV1ekw4SVVFSzZvUFN3CkQrRnBQQzlnL2xtcFpVd0xiQmda
NFZnQmhxcm1xUnVZY3l2eHp6Sjl4a0UKLS0tIG1maDNiRW44VmJDSlk2eWRQcHB2
ZHpwQURoNGhuOWJPUkFpc0RSaHFBM0UKW4lMlcxC5+Hpm6DO3wwco41kJsfuWP33
+2qhmnwt8mXWxAVxNreQQ0YQDliBnQR3uUny7hWyfrIkeQzOBLBrOw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-18T17:47:34Z"
mac: ENC[AES256_GCM,data:bm/lHsobqvZSzk9crPmf8vc2idN3h/HOpQab7n7N6vtEY0QpMTv+6K7YERBD7T9oIxSNtcLNOcw6Rr2w9Cd1cq+W0azPA2dxd6/crq6rbhAgld/MipemP+YfdENxRrdyastk7P3FWyHZzhKlhem/ft0lpeiJg5NWRjA8IkLSDZc=,iv:W4cYC/e1CO5nsLx5yOaH0vGJ7fAx5bAH9acJShciHcI=,tag:whYqwogQMPPklHqoyhuL8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -0,0 +1,83 @@
INSERT IGNORE INTO oc_appconfig (appid, configkey, configvalue, type, lazy)
VALUES
("user_ldap", "background_sync_interval", "43200", 2, 0),
("user_ldap", "background_sync_offset", "0", 2, 0),
("user_ldap", "background_sync_prefix", "s01", 2, 0),
("user_ldap", "cleanUpJobOffset", "0", 2, 0),
("user_ldap", "enabled", "yes", 2, 0),
("user_ldap", "installed_version", "1.20.0", 2, 0),
("user_ldap", "types", "authentication", 2, 0),
("user_ldap", "s01_lastChange", "1729585245", 2, 0),
("user_ldap", "s01has_memberof_filter_support", "1", 2, 0),
("user_ldap", "s01home_folder_naming_rule", "", 2, 0),
("user_ldap", "s01last_jpegPhoto_lookup", "0", 2, 0),
("user_ldap", "s01ldap_admin_group", "admin_2", 2, 0),
("user_ldap", "s01ldap_attr_address", "", 2, 0),
("user_ldap", "s01ldap_attr_biography", "", 2, 0),
("user_ldap", "s01ldap_attr_fediverse", "", 2, 0),
("user_ldap", "s01ldap_attr_headline", "", 2, 0),
("user_ldap", "s01ldap_attr_organisation", "", 2, 0),
("user_ldap", "s01ldap_attr_phone", "", 2, 0),
("user_ldap", "s01ldap_attr_role", "", 2, 0),
("user_ldap", "s01ldap_attr_twitter", "", 2, 0),
("user_ldap", "s01ldap_attr_website", "", 2, 0),
("user_ldap", "s01ldap_attributes_for_group_search", "", 2, 0),
("user_ldap", "s01ldap_attributes_for_user_search", "", 2, 0),
("user_ldap", "s01ldap_background_host", "", 2, 0),
("user_ldap", "s01ldap_background_port", "", 2, 0),
("user_ldap", "s01ldap_backup_host", "", 2, 0),
("user_ldap", "s01ldap_backup_port", "636", 2, 0),
("user_ldap", "s01ldap_base", "dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_base_groups", "cn=cloud,ou=groups,dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_base_users", "ou=users,dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_cache_ttl", "600", 2, 0),
("user_ldap", "s01ldap_configuration_active", "1", 2, 0),
("user_ldap", "s01ldap_connection_timeout", "15", 2, 0),
("user_ldap", "s01ldap_default_ppolicy_dn", "", 2, 0),
("user_ldap", "s01ldap_display_name", "cn", 2, 0),
("user_ldap", "s01ldap_dn", "cn=cloud,ou=system,ou=users,dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_dynamic_group_member_url", "", 2, 0),
("user_ldap", "s01ldap_email_attr", "mail", 2, 0),
("user_ldap", "s01ldap_experienced_admin", "0", 2, 0),
("user_ldap", "s01ldap_expert_username_attr", "mail", 2, 0),
("user_ldap", "s01ldap_expert_uuid_group_attr", "", 2, 0),
("user_ldap", "s01ldap_expert_uuid_user_attr", "mail", 2, 0),
("user_ldap", "s01ldap_ext_storage_home_attribute", "", 2, 0),
("user_ldap", "s01ldap_gid_number", "gidNumber", 2, 0),
("user_ldap", "s01ldap_group_display_name", "cn", 2, 0),
("user_ldap", "s01ldap_group_filter", "(objectClass=groupOfNames)", 2, 0),
("user_ldap", "s01ldap_group_filter_mode", "1", 2, 0),
("user_ldap", "s01ldap_group_member_assoc_attribute", "member", 2, 0),
("user_ldap", "s01ldap_groupfilter_groups", "", 2, 0),
("user_ldap", "s01ldap_groupfilter_objectclass", "", 2, 0),
("user_ldap", "s01ldap_host", "ldaps://ldap.social-grow.tech", 2, 0),
("user_ldap", "s01ldap_login_filter", "(&(objectclass=inetOrgPerson)(owncloudQuota=*)(mail=%uid))", 2, 0),
("user_ldap", "s01ldap_login_filter_mode", "1", 2, 0),
("user_ldap", "s01ldap_loginfilter_attributes", "", 2, 0),
("user_ldap", "s01ldap_loginfilter_email", "0", 2, 0),
("user_ldap", "s01ldap_loginfilter_username", "1", 2, 0),
("user_ldap", "s01ldap_mark_remnants_as_disabled", "0", 2, 0),
("user_ldap", "s01ldap_matching_rule_in_chain_state", "unknown", 2, 0),
("user_ldap", "s01ldap_nested_groups", "0", 2, 0),
("user_ldap", "s01ldap_override_main_server", "", 2, 0),
("user_ldap", "s01ldap_paging_size", "500", 2, 0),
("user_ldap", "s01ldap_port", "636", 2, 0),
("user_ldap", "s01ldap_quota_attr", "owncloudQuota", 2, 0),
("user_ldap", "s01ldap_quota_def", "1GB", 2, 0),
("user_ldap", "s01ldap_tls", "0", 2, 0),
("user_ldap", "s01ldap_turn_off_cert_check", "0", 2, 0),
("user_ldap", "s01ldap_turn_on_pwd_change", "0", 2, 0),
("user_ldap", "s01ldap_user_avatar_rule", "default", 2, 0),
("user_ldap", "s01ldap_user_display_name_2", "", 2, 0),
("user_ldap", "s01ldap_user_filter_mode", "1", 2, 0),
("user_ldap", "s01ldap_userfilter_groups", "", 2, 0),
("user_ldap", "s01ldap_userfilter_objectclass", "person", 2, 0),
("user_ldap", "s01ldap_userlist_filter", "(&(objectclass=inetOrgPerson)(owncloudQuota=*))", 2, 0),
("user_ldap", "s01use_memberof_to_detect_membership", "1", 2, 0)
ON DUPLICATE KEY UPDATE
appid = VALUES(appid),
configkey = VALUES(configkey),
configvalue = VALUES(configvalue),
type = VALUES(type),
lazy = VALUES(lazy);
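Review bot: The `ON DUPLICATE KEY UPDATE` clause rewrites every listed value on each run, including the `installed_version` row pinned to "1.20.0" and `s01_lastChange` pinned to "1729585245"; once a Nextcloud upgrade bumps user_ldap's recorded version, the next run resets it to the old value, which may confuse the app's update and migration bookkeeping. Leave those two rows out of the statement (Nextcloud maintains them itself) or restrict the update clause to the `s01ldap_*` settings this file is meant to own. `INSERT IGNORE` combined with `ON DUPLICATE KEY UPDATE` is redundant and additionally downgrades other errors such as data truncation to silent warnings, so plain `INSERT INTO oc_appconfig (...)` is clearer. The LDAP host and base DNs hard-code `social-grow.tech` while the Nix module derives `domain` from `config.networking.domain`; if the domain is meant to be configurable, this file will drift silently.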