diff --git a/provision/additional-setup.md b/provision/additional-setup.md index 5f71fc13..3368570d 100644 --- a/provision/additional-setup.md +++ b/provision/additional-setup.md @@ -15,7 +15,10 @@ settings. Keys for SSH aren't automatically placed with chezmoi `secret` since it complicated things to much. The key for github SSH must be transferred manually from Bitwarden -or `/run/secrets/keys/github_personal` to `~/.ssh/keys/github_personal`. +or: + +- `/run/secrets/keys/github_personal` to `~/.ssh/keys/github_personal`. +- `/run/secrets/radicale/users` to `~/.config/radicale/users`. ### Sops-nix diff --git a/provision/hosts/torus/configuration.nix b/provision/hosts/torus/configuration.nix index 4f481d22..fbb3bfeb 100644 --- a/provision/hosts/torus/configuration.nix +++ b/provision/hosts/torus/configuration.nix @@ -9,6 +9,8 @@ ./rss.nix ./home-assistant ./gitea.nix + ./radicale.nix + ./nextcloud.nix ]; nix = { @@ -108,6 +110,9 @@ "rss.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:8087/"; }); + "cal.tstarr.us" = (SSL // { + locations."/".proxyPass = "http://localhost:5232/"; + }); "media.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:8096/"; }); diff --git a/provision/hosts/torus/nextcloud.nix b/provision/hosts/torus/nextcloud.nix new file mode 100644 index 00000000..0894d765 --- /dev/null +++ b/provision/hosts/torus/nextcloud.nix 
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, user, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ cron
+ ];
+
+ services = {
+ nginx.virtualHosts = {
+ "cloud.tstarr.us" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ nextcloud = {
+ enable = true;
+ hostName = "cloud.tstarr.us";
+
+ # Need to manually increment with every major upgrade.
+ package = pkgs.nextcloud29;
+
+ # Let NixOS install and configure the database automatically.
+ database.createLocally = true;
+
+ # Let NixOS install and configure Redis caching automatically.
+ configureRedis = true;
+
+ # Increase the maximum file upload size to avoid problems uploading videos.
+ maxUploadSize = "16G";
+ https = true;
+ autoUpdateApps.enable = true;
+ settings = {
+ overwriteprotocol = "https";
+ default_phone_region = "US";
+ };
+
+ config = {
+ dbtype = "mysql";
+ adminuser = "admin";
+ adminpassFile = "/run/secrets/nextcloud/password";
+ };
+ };
+ };
+}
diff --git a/provision/hosts/torus/radicale.nix b/provision/hosts/torus/radicale.nix
new file mode 100644
index 00000000..df1757f0
--- /dev/null
+++ b/provision/hosts/torus/radicale.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, user, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 5232 ];
+ networking.firewall.allowedUDPPorts = [ 5232 ];
+
+ services.radicale = {
+ enable = true;
+ settings = {
+ server = {
+ hosts = ["0.0.0.0:5232" "[::]:5232"];
+ };
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "/run/secrets/radicale/users";
+ htpasswd_encryption = "plain";
+ };
+ storage = {
+ filesystem_folder = "/var/lib/radicale/collections";
+ };
+ };
+ };
+}
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
index e76c7ada..3f9c429e 100644
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
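Review bot: `autoUpdateApps.enable = true` in nextcloud.nix lets installed apps update unattended from the Nextcloud app store, a supply-chain exposure that the otherwise well-commented block says nothing about; either leave it off and update apps deliberately, or document the trade-off next to it, e.g. `# Apps update unattended from the app store; review upstream changelogs before major upgrades.`. The `cron` entry in `environment.systemPackages` does not appear to be used by anything in this file — I believe the NixOS nextcloud module schedules background jobs with its own systemd timer — so it looks like dead weight worth confirming and removing. For consistency with the other vhosts in configuration.nix, the `cloud.tstarr.us` vhost could also reuse the `SSL` helper instead of spelling out `forceSSL`/`enableACME` by hand.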
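Review bot: Radicale is bound to `0.0.0.0:5232`/`[::]:5232` and the firewall opens 5232, so the service is reachable directly over plain HTTP on every interface, bypassing the TLS-terminating `cal.tstarr.us` nginx vhost this same commit adds in configuration.nix; HTTP Basic credentials would then cross the network in the clear. Bind to loopback, `hosts = [ "127.0.0.1:5232" "[::1]:5232" ];`, and drop both `networking.firewall.allowed*Ports` lines — the UDP opening in particular serves no purpose for an HTTP service. `htpasswd_encryption = "plain"` additionally keeps the sops-managed users file as cleartext passwords; Radicale supports `htpasswd_encryption = "bcrypt";` (it needs the bcrypt backend, which I believe the nixpkgs package ships — verify), so the file can hold hashes instead.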
@@ -13,6 +13,12 @@ in { # Keys secrets."keys/github_personal" = { owner = "${user}"; }; + # Radicale users + secrets."radicale/users" = { owner = "radicale"; }; + + # Nextcloud password + secrets."nextcloud/password" = { owner = "nextcloud"; }; + # Wireguard secrets secrets."wireguard/kestrel" = { owner = "${user}"; }; secrets."wireguard/bulwark" = { owner = "${user}"; }; diff --git a/provision/secrets/secrets.yaml b/provision/secrets/secrets.yaml index 9eded859..f32832f4 100644 --- a/provision/secrets/secrets.yaml +++ b/provision/secrets/secrets.yaml @@ -1,3 +1,7 @@ +nextcloud: + password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str] +radicale: + users: ENC[AES256_GCM,data:es+72MpRq9z6wnbwbqFYEQ==,iv:0FL1APPQb0R+9SldalqIlpDj8k/dg/qBx3Cw95uh9PI=,tag:YQGjFew/Tuk2X7H6N3O9nQ==,type:str] keys: github_personal: ENC[AES256_GCM,data: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,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str] wireguard: @@ -20,8 +24,8 @@ sops: ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI 3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-15T07:18:45Z" - mac: ENC[AES256_GCM,data:9+RGSBzLB+cEPm8DJXXHg1gJct+7rqNWfkTWs2klJ0ebNyOmIrM7YAyqve7RylUJAREp2wpWBvs61GhGOCvfe40eAdzLCkoPVP6GaDFoQ0aFZ8t3hY8dCFifOnlo2HgFJ3eAXmX4jM+EI1AaK1/inPJyDrD+asR5hi0hXPk5wkY=,iv:QsLkyf+wakIOqmH1UUgas03sZGQfF2yFzNEv4WM8U1g=,tag:1JwMUjMLdllU20AErWmOMw==,type:str] + lastmodified: "2024-05-17T06:33:39Z" + mac: ENC[AES256_GCM,data:11tWhL00CVZsmJpzrnxC1Fkc29NeHoT8TZhapOcl6pe4Nzr1T01N3gZhhywcBK1KPZWl8g7j59pepFdI6oyngdU7MDDHyD89SJ2MQbXmU6H5DYgHuL8CqzTrGiK6KgDOD9DffJ/O3NManvr8H/H4HisBaIDOZzZt6ellVFlk7Jc=,iv:4Wbwo8ErV6gA2UDSBFAP4oTwEGj1bMbji0Dt2yvv/Uc=,tag:Q4a4Nn9DyH4Wq2u5hH0EPw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1
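Review bot: `secrets."radicale/users"` is provisioned by sops-nix at `/run/secrets/radicale/users`, which is exactly the path radicale.nix points `htpasswd_filename` at, yet the documentation hunk in this commit also tells the operator to copy that file by hand to `~/.config/radicale/users`; unless something else reads it there, that second copy of the credentials in a home directory is unnecessary credential sprawl and the doc step should be dropped. Since the users file is a credential store and the Nextcloud entry is the admin password, consider stating the intended permissions explicitly on both new entries, `{ owner = "radicale"; mode = "0400"; }`, rather than relying on the sops-nix default, so a later change to the default cannot silently widen access.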