From 04d0e3e9a7acd3429f1e3aa0e747715f72603489 Mon Sep 17 00:00:00 2001
From: Gerg-L
Date: Sun, 12 Mar 2023 03:28:57 -0400
Subject: [PATCH] flexing on Plumeria
---
 systems/gerg-desktop/containers/website.nix | 66 ++++++++++++++++++++-
 systems/gerg-desktop/secrets.yaml | 8 ++-
 2 files changed, 68 insertions(+), 6 deletions(-)
diff --git a/systems/gerg-desktop/containers/website.nix b/systems/gerg-desktop/containers/website.nix
index 6b8a08a..238d0d9 100644
--- a/systems/gerg-desktop/containers/website.nix
+++ b/systems/gerg-desktop/containers/website.nix
@@ -1,5 +1,15 @@
 _: {...}: {
- sops.secrets."website/sql" = {};
+ sops.secrets = {
+ "website/sql_gitea" = {
+ mode = "0444";
+ };
+ "website/sql_nextcloud" = {
+ mode = "0444";
+ };
+ "website/nextcloud" = {
+ mode = "0444";
+ };
+ };
 containers."website" = {
 ephemeral = true;
 autoStart = true;
@@ -31,7 +41,6 @@ _: {...}: {
 defaultGateway = "192.168.1.1";
 nameservers = ["1.1.1.1" "1.0.0.1"];
 firewall = {
- #allowedUDPPorts = [giteaPort 80 443];
 allowedTCPPorts = [giteaPort 80 443 22];
 };
 };
@@ -46,7 +55,7 @@ _: {...}: {
 services = {
 gitea = {
 enable = true;
- appName = "WEEEWOOOO";
+ appName = "Powered by NixOS";
 domain = "git.gerg-l.com";
 rootUrl = "https://git.gerg-l.com/";
 httpPort = giteaPort;
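Review bot: `mode = "0444"` on the three new `sops.secrets` entries makes the Gitea and Nextcloud database passwords and the Nextcloud admin password readable by every local user on the host, which is wider than the root-only default that the removed `sops.secrets."website/sql" = {}` relied on. The container later reads them as `/secrets/sql_gitea`, `/secrets/sql_nextcloud` and `/secrets/nextcloud`, so the bind mount that exposes them is presumably outside this hunk and is what the broad mode is meant to serve. If the host has users or a group that correspond to the container's `gitea` and `nextcloud` service accounts, `owner`/`group` with the default mode is tighter, and even `mode = "0440"` plus a dedicated group is an improvement over world-readable. At minimum a comment on the first entry, `# 0444 so the container's service users can read the file — TODO narrow with owner/group`, would record that this was a deliberate trade-off rather than an oversight.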
@@ -61,9 +70,52 @@ _: {...}: {
 DISABLE_REGISTRATION = true;
 };
 };
+ database = {
+ type = "postgres";
+ passwordFile = "/secrets/sql_gitea";
+ };
+ };
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud25;
+ hostName = "next.gerg-l.com";
+ nginx.recommendedHttpHeaders = true;
+ enableBrokenCiphersForSSE = false;
+ https = true;
+ autoUpdateApps.enable = true;
+ config = {
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ dbpassFile = "/secrets/sql_nextcloud";
+ adminpassFile = "/secrets/nextcloud";
+ adminuser = "admin-root";
+ defaultPhoneRegion = "IL";
+ extraTrustedDomains = ["[2605:59c8:252e:500:200:ff:fe00:11]"];
+ };
+ };
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_13;
+ ensureDatabases = [config.services.nextcloud.config.dbname];
+ ensureUsers = [
+ {
+ name = config.services.nextcloud.config.dbuser;
+ ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
+ }
+ ];
+ authentication = ''
+ local gitea all ident map=gitea-users
+ '';
+ identMap = ''
+ gitea-users gitea gitea
+ '';
 };
 nginx = {
 enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
 virtualHosts = {
 "git.gerg-l.com" = {
 forceSSL = true;
@@ -72,6 +124,10 @@ _: {...}: {
 proxyPass = "http://localhost:${toString giteaPort}";
 };
 };
+ "next.gerg-l.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
 };
 };
 openssh = {
@@ -83,6 +139,10 @@ _: {...}: {
 };
 };
 };
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
 security.acme = {
 acceptTerms = true;
 defaults.email = "gregleyda@proton.me";
diff --git a/systems/gerg-desktop/secrets.yaml b/systems/gerg-desktop/secrets.yaml
index c60a1d9..cefa47b 100644
--- a/systems/gerg-desktop/secrets.yaml
+++ b/systems/gerg-desktop/secrets.yaml
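Review bot: The new `authentication` entry `local gitea all ident map=gitea-users` deserves a comment, because it only governs the `gitea` database and says nothing about how the `nextcloud` role authenticates over the `dbhost = "/run/postgresql"` socket configured a few lines above; Nextcloud presumably falls through to the rule the PostgreSQL module appends after this block, in which case `dbpassFile` is read but never consulted. PostgreSQL applies `peer` when `ident` appears on a `local` line, so `gitea-users gitea gitea` maps the container's `gitea` system user onto the `gitea` role and `passwordFile = "/secrets/sql_gitea"` is likewise redundant for a socket connection — worth confirming rather than carrying two password files that may do nothing. A line such as `# local socket: PostgreSQL uses peer auth here, mapping system user gitea -> role gitea; nextcloud relies on the module's default local/peer rule` above `authentication` would save the next reader a trip to pg_hba documentation. The enclosing `services` attribute set starts before this hunk and ends after it.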
@@ -2,7 +2,9 @@ discordenv: ENC[AES256_GCM,data:/A46urPOiqH2ejKmmzCIpR/g2hU6n/AUTNQPikAxvp1PikWg
 root: ENC[AES256_GCM,data:9rmkBNILB1vvfaXtnU8mXqTIkoyI5R3FJKkh941Jhszrdj0FsmO8u3IFGAaCoe3TLVFOcRCS3QQWOZeZOvhUDvebZyYpVP/3ow==,iv:y8jvSxfrONSYqJ+xoxecN712EGiyawN1Q3VFjAMZO+g=,tag:jCCTZHTs01hioNKMlTd7Rw==,type:str]
 gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
 website:
- sql: ENC[AES256_GCM,data:NmP4AZjEmS+q/5oRjcst3e9Jhqk=,iv:OcQwjBPOu50YOVqKhM/1j/Vfx9LchX2HkquhofQkeU8=,tag:rpm0Kcpuy133dWX7aQX4hg==,type:str]
+ nextcloud: ENC[AES256_GCM,data:JoxSXYzBhXV+h4Ar,iv:jKlAwWfX58DpgGbGOqWBIwcnx8EdIxhFKOUzsDccr7w=,tag:L6UBHh1HU8Je+OczQCypXg==,type:str]
+ sql_gitea: ENC[AES256_GCM,data:Usfd0QDm/4ntj7kzXXYa3O7H7/E=,iv:3xUD2KuQvJUQtai6C+qAnQ2RbkpN5VLK8BUJFiMpQkY=,tag:E6KNzFIZekgecJCBPlw4YA==,type:str]
+ sql_nextcloud: ENC[AES256_GCM,data:xkJioAZCCd8aIxS283UhZ2yfLgQ=,iv:7SQ2iSJShX6dDP3qD0KPaJP49CQ6RMHQ6uY5J/WODtI=,tag:HNXYa1L88mGB5uOrmTuFDg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -18,8 +20,8 @@ sops:
 dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
 MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-03-12T04:27:16Z"
- mac: ENC[AES256_GCM,data:xhZW5nsu9w/83Stm21NQ4kHvletVB1QbF9oaDyKLYk1AMe5hLH+SPgk2OWTMAIuZcYne69UP/XjI9PO9w3apa+P6hf47wAyyl1hmS/kqfA80K+qmvee1Pl9idjskhSe3+ypAiZBDEbjMDglamqSgv0cq3EyhOOQDlTNLju8BAXc=,iv:VtVJqYzWA7OvyR9hYTnkMUsxOOG8qVX80sjYifPwiJo=,tag:CHYxsZz05HkXNDLhURqtOw==,type:str]
+ lastmodified: "2023-03-12T06:10:20Z"
+ mac: ENC[AES256_GCM,data:0x7fngutav44zWsytXfxrOYYWvJsAVPGhG4KC8Vu6mxVz27alK52ZksLraQ6C+vGzUiPca1cv6nN/+aYBzU0NdxIJQOeCr//H1oDf7X8k5wTzcwxDRxqu6og66zCuMcLW5WZhuaoCKSIZX120gVZe4a6q1E2JzbpaXwlzz7wH8E=,iv:Htgcu9LvHOV1Xsxknq2vf9GEE9WG6ffS7q0D50xLiac=,tag:p6AL3w5PgqvQg2MuZ+URRw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3