From 4a4a1f92ecc1fb9b659283d474c5f5128d5569cd Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Tue, 21 May 2024 21:53:08 -0700 Subject: [PATCH 1/3] add radicale and nextcloud --- provision/additional-setup.md | 5 ++- provision/hosts/torus/configuration.nix | 5 +++ provision/hosts/torus/nextcloud.nix | 44 +++++++++++++++++++++++++ provision/hosts/torus/radicale.nix | 22 +++++++++++++ provision/modules/system/secrets.nix | 6 ++++ provision/secrets/secrets.yaml | 10 ++++-- 6 files changed, 88 insertions(+), 4 deletions(-) create mode 100644 provision/hosts/torus/nextcloud.nix create mode 100644 provision/hosts/torus/radicale.nix diff --git a/provision/additional-setup.md b/provision/additional-setup.md index 5f71fc13..3368570d 100644 --- a/provision/additional-setup.md +++ b/provision/additional-setup.md @@ -15,7 +15,10 @@ settings. Keys for SSH aren't automatically placed with chezmoi `secret` since it complicated things to much. The key for github SSH must be transferred manually from Bitwarden -or `/run/secrets/keys/github_personal` to `~/.ssh/keys/github_personal`. +or: + +- `/run/secrets/keys/github_personal` to `~/.ssh/keys/github_personal`. +- `/run/secrets/radicale/users` to `~/.config/radicale/users`. ### Sops-nix diff --git a/provision/hosts/torus/configuration.nix b/provision/hosts/torus/configuration.nix index 4f481d22..fbb3bfeb 100644 --- a/provision/hosts/torus/configuration.nix +++ b/provision/hosts/torus/configuration.nix @@ -9,6 +9,8 @@ ./rss.nix ./home-assistant ./gitea.nix + ./radicale.nix + ./nextcloud.nix ]; nix = { @@ -108,6 +110,9 @@ "rss.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:8087/"; }); + "cal.tstarr.us" = (SSL // { + locations."/".proxyPass = "http://localhost:5232/"; + }); "media.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:8096/"; }); diff --git a/provision/hosts/torus/nextcloud.nix b/provision/hosts/torus/nextcloud.nix new file mode 100644 index 00000000..0894d765 --- /dev/null 
+++ b/provision/hosts/torus/nextcloud.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, user, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ cron
+ ];
+
+ services = {
+ nginx.virtualHosts = {
+ "cloud.tstarr.us" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+
+ nextcloud = {
+ enable = true;
+ hostName = "cloud.tstarr.us";
+
+ # Need to manually increment with every major upgrade.
+ package = pkgs.nextcloud29;
+
+ # Let NixOS install and configure the database automatically.
+ database.createLocally = true;
+
+ # Let NixOS install and configure Redis caching automatically.
+ configureRedis = true;
+
+ # Increase the maximum file upload size to avoid problems uploading videos.
+ maxUploadSize = "16G";
+ https = true;
+ autoUpdateApps.enable = true;
+ settings = {
+ overwriteprotocol = "https";
+ default_phone_region = "US";
+ };
+
+ config = {
+ dbtype = "mysql";
+ adminuser = "admin";
+ adminpassFile = "/run/secrets/nextcloud/password";
+ };
+ };
+ };
+}
diff --git a/provision/hosts/torus/radicale.nix b/provision/hosts/torus/radicale.nix
new file mode 100644
index 00000000..df1757f0
--- /dev/null
+++ b/provision/hosts/torus/radicale.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, user, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 5232 ];
+ networking.firewall.allowedUDPPorts = [ 5232 ];
+
+ services.radicale = {
+ enable = true;
+ settings = {
+ server = {
+ hosts = ["0.0.0.0:5232" "[::]:5232"];
+ };
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "/run/secrets/radicale/users";
+ htpasswd_encryption = "plain";
+ };
+ storage = {
+ filesystem_folder = "/var/lib/radicale/collections";
+ };
+ };
+ };
+}
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
index e76c7ada..3f9c429e 100644
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
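Review bot: `adminpassFile = "/run/secrets/nextcloud/password"` hard-codes the sops mount path even though `config` is already an argument of this module; `adminpassFile = config.sops.secrets."nextcloud/password".path;` keeps the reference tied to the declaration in provision/modules/system/secrets.nix, whose `owner = "nextcloud"` matches the user that reads the file during setup. `adminuser = "admin"` is the most predictable name for the one account that can manage every other account; a non-default value costs nothing here, and a comment such as `# Read only on first setup; rotate the password in Nextcloud afterwards.` would record that this file is a bootstrap secret rather than the live credential. The `cron` entry in environment.systemPackages looks unused, since the NixOS nextcloud module drives background jobs through its own systemd timer — confirm and drop it if so. This vhost uses `forceSSL`/`enableACME` directly while configuration.nix wraps the other hosts in `SSL // { ... }`; whether the two are equivalent depends on that SSL attrset, which is not in this diff.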
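Review bot: `hosts = ["0.0.0.0:5232" "[::]:5232"]` together with the two `networking.firewall.allowed*Ports` lines exposes Radicale directly on port 5232 on every interface, so the TLS termination added for cal.tstarr.us in the configuration.nix hunk (proxyPass to localhost:5232) can be bypassed and the HTTP Basic credentials travel in the clear; bind to loopback only, `hosts = ["127.0.0.1:5232" "[::1]:5232"];`, and remove both firewall lines (Radicale serves HTTP over TCP, so the UDP rule has no effect in either case). `htpasswd_encryption = "plain"` also means the decrypted `/run/secrets/radicale/users` holds cleartext passwords; Radicale supports `bcrypt` for this option, which only requires the file to be generated with hashed entries — confirm the packaged Radicale ships the bcrypt dependency before switching. PATCH 2/3 of this series deletes this file again, so both points matter only if the service is reintroduced.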
@@ -13,6 +13,12 @@ in { # Keys secrets."keys/github_personal" = { owner = "${user}"; }; + # Radicale users + secrets."radicale/users" = { owner = "radicale"; }; + + # Nextcloud password + secrets."nextcloud/password" = { owner = "nextcloud"; }; + # Wireguard secrets secrets."wireguard/kestrel" = { owner = "${user}"; }; secrets."wireguard/bulwark" = { owner = "${user}"; }; diff --git a/provision/secrets/secrets.yaml b/provision/secrets/secrets.yaml index 9eded859..f32832f4 100644 --- a/provision/secrets/secrets.yaml +++ b/provision/secrets/secrets.yaml @@ -1,3 +1,7 @@ +nextcloud: + password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str] +radicale: + users: ENC[AES256_GCM,data:es+72MpRq9z6wnbwbqFYEQ==,iv:0FL1APPQb0R+9SldalqIlpDj8k/dg/qBx3Cw95uh9PI=,tag:YQGjFew/Tuk2X7H6N3O9nQ==,type:str] keys: github_personal: ENC[AES256_GCM,data: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,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str] wireguard: @@ -20,8 +24,8 @@ sops: ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI 3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-15T07:18:45Z" - mac: ENC[AES256_GCM,data:9+RGSBzLB+cEPm8DJXXHg1gJct+7rqNWfkTWs2klJ0ebNyOmIrM7YAyqve7RylUJAREp2wpWBvs61GhGOCvfe40eAdzLCkoPVP6GaDFoQ0aFZ8t3hY8dCFifOnlo2HgFJ3eAXmX4jM+EI1AaK1/inPJyDrD+asR5hi0hXPk5wkY=,iv:QsLkyf+wakIOqmH1UUgas03sZGQfF2yFzNEv4WM8U1g=,tag:1JwMUjMLdllU20AErWmOMw==,type:str] + lastmodified: "2024-05-17T06:33:39Z" + mac: ENC[AES256_GCM,data:11tWhL00CVZsmJpzrnxC1Fkc29NeHoT8TZhapOcl6pe4Nzr1T01N3gZhhywcBK1KPZWl8g7j59pepFdI6oyngdU7MDDHyD89SJ2MQbXmU6H5DYgHuL8CqzTrGiK6KgDOD9DffJ/O3NManvr8H/H4HisBaIDOZzZt6ellVFlk7Jc=,iv:4Wbwo8ErV6gA2UDSBFAP4oTwEGj1bMbji0Dt2yvv/Uc=,tag:Q4a4Nn9DyH4Wq2u5hH0EPw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 
From 4365b73384d94629692b45f6ddc28cdedf9582ba Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Tue, 21 May 2024 21:54:10 -0700
Subject: [PATCH 2/3] remove radicale
---
provision/hosts/torus/configuration.nix | 4 ----
provision/hosts/torus/radicale.nix | 22 ----------------------
provision/modules/system/secrets.nix | 3 ---
provision/secrets/secrets.yaml | 6 ++----
4 files changed, 2 insertions(+), 33 deletions(-)
delete mode 100644 provision/hosts/torus/radicale.nix
diff --git a/provision/hosts/torus/configuration.nix b/provision/hosts/torus/configuration.nix
index fbb3bfeb..e02755f1 100644
--- a/provision/hosts/torus/configuration.nix
+++ b/provision/hosts/torus/configuration.nix
@@ -9,7 +9,6 @@
 ./rss.nix
 ./home-assistant
 ./gitea.nix
- ./radicale.nix
 ./nextcloud.nix
 ];
 
@@ -110,9 +109,6 @@
 "rss.tstarr.us" = (SSL // {
 locations."/".proxyPass = "http://localhost:8087/";
 });
- "cal.tstarr.us" = (SSL // {
- locations."/".proxyPass = "http://localhost:5232/";
- });
 "media.tstarr.us" = (SSL // {
 locations."/".proxyPass = "http://localhost:8096/";
 });
diff --git a/provision/hosts/torus/radicale.nix b/provision/hosts/torus/radicale.nix
deleted file mode 100644
index df1757f0..00000000
--- a/provision/hosts/torus/radicale.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-{
- networking.firewall.allowedTCPPorts = [ 5232 ];
- networking.firewall.allowedUDPPorts = [ 5232 ];
-
- services.radicale = {
- enable = true;
- settings = {
- server = {
- hosts = ["0.0.0.0:5232" "[::]:5232"];
- };
- auth = {
- type = "htpasswd";
- htpasswd_filename = "/run/secrets/radicale/users";
- htpasswd_encryption = "plain";
- };
- storage = {
- filesystem_folder = "/var/lib/radicale/collections";
- };
- };
- };
-}
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
index 3f9c429e..4648b3ce 100644
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@@ -13,9 +13,6 @@ in { # Keys secrets."keys/github_personal" = { owner = "${user}"; }; - # Radicale users - secrets."radicale/users" = { owner = "radicale"; }; - # Nextcloud password secrets."nextcloud/password" = { owner = "nextcloud"; }; diff --git a/provision/secrets/secrets.yaml b/provision/secrets/secrets.yaml index f32832f4..27fb8ea7 100644 --- a/provision/secrets/secrets.yaml +++ b/provision/secrets/secrets.yaml @@ -1,7 +1,5 @@ nextcloud: password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str] -radicale: - users: ENC[AES256_GCM,data:es+72MpRq9z6wnbwbqFYEQ==,iv:0FL1APPQb0R+9SldalqIlpDj8k/dg/qBx3Cw95uh9PI=,tag:YQGjFew/Tuk2X7H6N3O9nQ==,type:str] keys: github_personal: ENC[AES256_GCM,data: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,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str] wireguard: @@ -24,8 +22,8 @@ sops: ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI 3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-17T06:33:39Z" - mac: ENC[AES256_GCM,data:11tWhL00CVZsmJpzrnxC1Fkc29NeHoT8TZhapOcl6pe4Nzr1T01N3gZhhywcBK1KPZWl8g7j59pepFdI6oyngdU7MDDHyD89SJ2MQbXmU6H5DYgHuL8CqzTrGiK6KgDOD9DffJ/O3NManvr8H/H4HisBaIDOZzZt6ellVFlk7Jc=,iv:4Wbwo8ErV6gA2UDSBFAP4oTwEGj1bMbji0Dt2yvv/Uc=,tag:Q4a4Nn9DyH4Wq2u5hH0EPw==,type:str] + lastmodified: "2024-05-22T04:53:58Z" + mac: ENC[AES256_GCM,data:kFwTfaMijQWWfNMSkDjeVlPXhfrhxfgCgLZDTS4h2ENuNLhQkkUYfHyRaRFAzl+A74XydmAuHTdvl57yuehSkoXSE1NgmkbNVBbBxKB8p/HtFBV3hK0tuTE6E6ZzryI/9C7yPdKmuRIqIftUmdSaGPIU7CduBM+t1v1rhi8aWNg=,iv:HaQ+YUSRgqQSsyzvHGpDuC/Rw2jHJb4KtpvESzTBc8g=,tag:HVr6X67mIRPq038k/MnNkw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From 15848ec7ff548ea1fba797c7ad314c63188f7f34 Mon Sep 17 00:00:00 2001 
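Review bot: Removing `secrets."radicale/users"` here (and radicale.nix in this commit's configuration.nix hunks) leaves provision/additional-setup.md, as edited in PATCH 1/3, still telling the operator to copy `/run/secrets/radicale/users` to `~/.config/radicale/users`, a path that no longer exists after this commit. Drop that bullet in the same commit so the setup notes describe only secrets that are actually deployed. The `in { ... }` attrset enclosing this hunk starts and ends outside it.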
From: Tyler Starr Date: Tue, 21 May 2024 23:31:11 -0700 Subject: [PATCH 3/3] remove dufs --- provision/hosts/torus/configuration.nix | 8 -------- provision/hosts/torus/share.nix | 22 ---------------------- provision/modules/desktop/browser.nix | 2 +- 3 files changed, 1 insertion(+), 31 deletions(-) delete mode 100644 provision/hosts/torus/share.nix diff --git a/provision/hosts/torus/configuration.nix b/provision/hosts/torus/configuration.nix index e02755f1..36391edd 100644 --- a/provision/hosts/torus/configuration.nix +++ b/provision/hosts/torus/configuration.nix @@ -5,7 +5,6 @@ ./wireguard-server.nix ./samba-server.nix ./syncthing.nix - ./share.nix ./rss.nix ./home-assistant ./gitea.nix @@ -127,13 +126,6 @@ "plot.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:8988/"; }); - "share.tstarr.us" = (SSL // { - locations."/".proxyPass = "http://localhost:5001/"; - extraConfig = '' - auth_pam "Password Required"; - auth_pam_service_name "nginx"; - ''; - }); }; }; diff --git a/provision/hosts/torus/share.nix b/provision/hosts/torus/share.nix deleted file mode 100644 index 006638e0..00000000 --- a/provision/hosts/torus/share.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, lib, pkgs, user, ... }: -{ - networking.firewall.allowedTCPPorts = [ 5001 ]; - networking.firewall.allowedUDPPorts = [ 5001 ]; - - environment.systemPackages = with pkgs; [ - dufs # Distinctive utility file server - ]; - - systemd.services.share = { - description = "Start dufs for quick sharing of files"; - wantedBy = [ "default.target" ]; - - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - ExecStart = "${pkgs.dufs}/bin/dufs -p 5001 -A /engi/apps/dufs/share"; - }; - }; -} diff --git a/provision/modules/desktop/browser.nix b/provision/modules/desktop/browser.nix index d1773492..7e7cf4a0 100644 --- a/provision/modules/desktop/browser.nix +++ b/provision/modules/desktop/browser.nix 
@@ -52,10 +52,10 @@ in {
 { "toplevel_name" = "Bookmarks"; }
 { "name" = "Daily"; "children" = [
 { "url" = "https://rss.tstarr.us"; name = "Miniflux"; }
+ { "url" = "https://cloud.tstarr.us"; name = "Nextcloud"; }
 { "url" = "https://git.tstarr.us"; name = "Gitea"; }
 { "url" = "https://media.tstarr.us/web/index.html#!/home.html"; name = "Jellyfin"; }
 { "url" = "https://home.tstarr.us"; name = "Home Assistant"; }
- { "url" = "https://share.tstarr.us"; name = "Share (dufs)"; }
 { "url" = "https://www.youtube.com/feed/subscriptions"; name = "Youtube"; }
 { "url" = "https://gmail.com/"; name = "Mail"; }
 { "url" = "https://github.com/"; name = "GitHub"; }