feat: Deploy nextcloud

2024-11-20 17:14:34 +02:00
parent b56d9b148a
commit dc124ceceb
4 changed files with 50 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+# This example uses YAML anchors which allows reuse of multiple keys 
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &servius age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *servius
--- a/nixos/mirai/configuration.nix
+++ b/nixos/mirai/configuration.nix
@@ -11,6 +11,13 @@
  ];
  security.sudo.wheelNeedsPassword = false;

+  sops.defaultSopsFile = ../../secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/home/fs0c131y/.config/sops/age/keys.txt";
+  sops.secrets."nextcloud/adminpass" = {
+    owner = config.users.users.nextcloud.name;
+  };
+
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/nixos/mirai/services.nix
+++ b/nixos/mirai/services.nix
@@ -17,7 +17,17 @@
    enable = true;
    package = pkgs.nextcloud30;
    hostName = "cloud.darksailor.dev";
+    config.adminuser = "servius";
+    config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+    configureRedis = true;
  };
+  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
+    {
+      addr = "127.0.0.1";
+      port = 8080; # NOT an exposed port
+    }
+  ];
+
  services.caddy = {
    enable = true;
    virtualHosts."music.darksailor.dev".extraConfig = ''
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,22 @@
+nextcloud:
+    adminpass: ENC[AES256_GCM,data:v9WXJ3Ig5NcWd+02P8VnaNkMy2yfEQ==,iv:LfS0avmRZfjdqjNE69h7L90ePzzdmtP57X+0U1vAMvs=,tag:Dq90tfGAUyqzTW3oM96IRg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQi9GRXpvUmVtdXJ3aitF
+            M2tLc1ZwS21yRlZnMlN4cjNuRWZWK2dWWFNBCmRVdGk3US91VUlQL0t0TEFPNU03
+            RVYwYUd3bkw3WmcxMHFUSWxqME0vMmMKLS0tIGFINWlBZDV3cWhEN2JOTXZweWZI
+            VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
+            ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-20T14:43:08Z"
+    mac: ENC[AES256_GCM,data:j7sIw6/cKbNSRXSjAxZsDvIe5ZPnZ5YioGno33E0WWNYPohj9YtEwzi8ik59aynzSIQf3Usj76c2QMqwgjAFuaVIK5E3ASPGF2Tq4CAczNPPu3q1Kl1ZfEOGNd2nb0t3Zi0EKNE68BRCTAHJw5+UzDEDhPct1QrVlq8MfZSO494=,iv:bLNaaxnZlx8Ffvf9ohcMPDhe1jqGofL91DX1dwUHi2c=,tag:gb0aDWJFC3LX9HkaLoUgZg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1