add radicale and nextcloud

provision/additional-setup.md

@@ -15,7 +15,10 @@ settings.
 
 Keys for SSH aren't automatically placed with chezmoi `secret` since it complicated
 things to much. The key for github SSH must be transferred manually from Bitwarden
-or `/run/secrets/keys/github_personal` to `~/.ssh/keys/github_personal`.
+or:
+
+- `/run/secrets/keys/github_personal` to `~/.ssh/keys/github_personal`.
+- `/run/secrets/radicale/users` to `~/.config/radicale/users`.
 
 ### Sops-nix 
 

provision/hosts/torus/configuration.nix

@@ -9,6 +9,8 @@
     ./rss.nix
     ./home-assistant
     ./gitea.nix
+    ./radicale.nix
+    ./nextcloud.nix
   ];
 
   nix = {
@@ -108,6 +110,9 @@
       "rss.tstarr.us" = (SSL // {
         locations."/".proxyPass = "http://localhost:8087/"; 
       });
+      "cal.tstarr.us" = (SSL // {
+        locations."/".proxyPass = "http://localhost:5232/"; 
+      });
       "media.tstarr.us" = (SSL // {
         locations."/".proxyPass = "http://localhost:8096/"; 
       });

provision/hosts/torus/nextcloud.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, user, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    cron
+  ];
+  
+  services = {
+    nginx.virtualHosts = {
+      "cloud.tstarr.us" = {
+        forceSSL = true;
+        enableACME = true;
+      };
+    };
+
+    nextcloud = {
+      enable = true;
+      hostName = "cloud.tstarr.us";
+
+       # Need to manually increment with every major upgrade.
+      package = pkgs.nextcloud29;
+
+      # Let NixOS install and configure the database automatically.
+      database.createLocally = true;
+
+      # Let NixOS install and configure Redis caching automatically.
+      configureRedis = true;
+
+      # Increase the maximum file upload size to avoid problems uploading videos.
+      maxUploadSize = "16G";
+      https = true;
+      autoUpdateApps.enable = true;
+      settings = {
+        overwriteprotocol = "https";
+        default_phone_region = "US";
+      };
+
+      config = {
+        dbtype = "mysql";
+        adminuser = "admin";
+        adminpassFile = "/run/secrets/nextcloud/password";
+      };
+    };
+  };
+}

provision/hosts/torus/radicale.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, user, ... }:
+{
+  networking.firewall.allowedTCPPorts = [ 5232 ];
+  networking.firewall.allowedUDPPorts = [ 5232 ];
+  
+  services.radicale = {
+    enable = true;
+    settings = {
+      server = {
+        hosts = ["0.0.0.0:5232" "[::]:5232"];
+      };
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "/run/secrets/radicale/users";
+        htpasswd_encryption = "plain";
+      };
+      storage = {
+        filesystem_folder = "/var/lib/radicale/collections";
+      };
+    };
+  };
+}

provision/modules/system/secrets.nix

@@ -13,6 +13,12 @@ in {
       # Keys
       secrets."keys/github_personal" = { owner = "${user}"; };
 
+      # Radicale users
+      secrets."radicale/users" = { owner = "radicale"; };
+
+      # Nextcloud password
+      secrets."nextcloud/password" = { owner = "nextcloud"; };
+
       # Wireguard secrets
       secrets."wireguard/kestrel" = { owner = "${user}"; };
       secrets."wireguard/bulwark" = { owner = "${user}"; };

provision/secrets/secrets.yaml

@@ -1,3 +1,7 @@
+nextcloud:
+    password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str]
+radicale:
+    users: ENC[AES256_GCM,data:es+72MpRq9z6wnbwbqFYEQ==,iv:0FL1APPQb0R+9SldalqIlpDj8k/dg/qBx3Cw95uh9PI=,tag:YQGjFew/Tuk2X7H6N3O9nQ==,type:str]
 keys:
     github_personal: ENC[AES256_GCM,data:JQ0l0VNKjgf2yq7nZSED+6gf27ILfkvkdJkcsBLcX0K5isogtlF8Y8zI28dqLsSmriHf7L52fy3LjXDVkxXl8XupyPxJF3roeAxtj2rwXhVxMkAAEcWCaFUpa1UI5I2LIV2Ne32Ug6I5CKLlEzWXs7AImYJmmw0B6cn1hPyHJKc0I0My5A2b6LJq5J7mrJJ+PnybDNPW7QvZ0hIcqjNIXv1gcf9XMo6RU0dYnnRJaf6w/D5Nvrj15OG6oCe2C7e7O+JjgjQahUOOTlp1/5bbTW5ZDWEUxIn4llCsrkjjdKkYrCmYhQ45NLk+ZpWgXJZLgbfgc25nUOiLOoGbxO7kXienrY1y+t7/UA5AqKHj6575Iy5wN+P/XqzQ6ARkBh5Jy5gvrGFBtxcHml5J/j8ROJ9CoHmiT0jNycEll2yFcnIqAIbPqPuuu341sErFT33SMRzxKmlmyCCjaJrZB423NHqLiTA8oQ+mmkvOaE3cmuEU5oCT7OhL+RELbMNWjNOz7weNNgbt+fyy/U+VmtobLCllhRFDo0I/OFuFZ/UUqqEAAjv/NPk5V+7yCtBb9CmFROD9cG9xxx0mdkt8GHXYML7mIrCe/8ILKm3oWSVEA5w=,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str]
 wireguard:
@@ -20,8 +24,8 @@ sops:
             ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI
             3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-15T07:18:45Z"
+    lastmodified: "2024-05-17T06:33:39Z"
-    mac: ENC[AES256_GCM,data:9+RGSBzLB+cEPm8DJXXHg1gJct+7rqNWfkTWs2klJ0ebNyOmIrM7YAyqve7RylUJAREp2wpWBvs61GhGOCvfe40eAdzLCkoPVP6GaDFoQ0aFZ8t3hY8dCFifOnlo2HgFJ3eAXmX4jM+EI1AaK1/inPJyDrD+asR5hi0hXPk5wkY=,iv:QsLkyf+wakIOqmH1UUgas03sZGQfF2yFzNEv4WM8U1g=,tag:1JwMUjMLdllU20AErWmOMw==,type:str]
+    mac: ENC[AES256_GCM,data:11tWhL00CVZsmJpzrnxC1Fkc29NeHoT8TZhapOcl6pe4Nzr1T01N3gZhhywcBK1KPZWl8g7j59pepFdI6oyngdU7MDDHyD89SJ2MQbXmU6H5DYgHuL8CqzTrGiK6KgDOD9DffJ/O3NManvr8H/H4HisBaIDOZzZt6ellVFlk7Jc=,iv:4Wbwo8ErV6gA2UDSBFAP4oTwEGj1bMbji0Dt2yvv/Uc=,tag:Q4a4Nn9DyH4Wq2u5hH0EPw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1