diff --git a/home-manager/homeserver/containers/nextcloud.nix b/home-manager/homeserver/containers/nextcloud.nix
new file mode 100644
index 0000000..19f75ff
--- /dev/null
+++ b/home-manager/homeserver/containers/nextcloud.nix
@@ -0,0 +1,225 @@
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ unstablePkgs,
+ ...
+}: {
+ services.podman = {
+ networks = {
+ nextcloud-net = {};
+ };
+ containers = {
+ nextcloud-aio-nextcloud = {
+ image = "docker.io/nextcloud/aio-nextcloud:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ extraPodmanArgs = [
+ "/usr/bin/supervisord"
+ "-c"
+ "/supervisord.conf"
+ ];
+ env = {
+ ADDITIONAL_APKS = "imagemagick";
+ ADDITIONAL_PHP_EXTENSIONS = "imagick";
+ ADMIN_PASSWORD = config.sops.secrets.nextcloud_admin_password;
+ ADMIN_USER = "admin";
+ AIO_TOKEN = config.sops.secrets.nextcloud_aio_token;
+ AIO_URL = "192.168.0.254:8081";
+ APACHE_HOST = "nextcloud-aio-apache";
+ APACHE_PORT = "11000";
+ CLAMAV_ENABLED = "yes";
+ CLAMAV_HOST = "nextcloud-aio-clamav";
+ CLAMAV_MAX_SIZE = "17179869184";
+ COLLABORA_ENABLED = "yes";
+ COLLABORA_HOST = "nextcloud-aio-collabora";
+ FULLTEXTSEARCH_ENABLED = "yes";
+ FULLTEXTSEARCH_HOST = "nextcloud-aio-fulltextsearch";
+ FULLTEXTSEARCH_PASSWORD = config.sops.secrets.nextcloud_fulltextsearch_password;
+ IMAGINARY_ENABLED = "yes";
+ IMAGINARY_HOST = "nextcloud-aio-imaginary";
+ IMAGINARY_SECRET = config.sops.secrets.nextcloud_imaginary_secret;
+ NC_DOMAIN = "nextcloud.bulba.space";
+ NEXTCLOUD_DATA_DIR = "/mnt/ncdata";
+ NEXTCLOUD_EXEC_COMMANDS = "php /var/www/html/occ richdocuments:activate-config";
+ NEXTCLOUD_HOST = "nextcloud-aio-nextcloud";
+ ONLYOFFICE_HOST = "nextcloud-aio-onlyoffice";
+ ONLYOFFICE_SECRET = config.sops.secrets.nextcloud_onlyoffice_secret;
+ OVERWRITEHOST = "nextcloud.bulba.space";
+ OVERWRITEPROTOCOL = "https";
+ POSTGRES_DB = "nextcloud_database";
+ POSTGRES_HOST = "nextcloud-aio-database";
+ POSTGRES_PASSWORD = config.sops.secrets.nextcloud_postgres_password;
+ POSTGRES_PORT = "5432";
+ POSTGRES_USER = "nextcloud";
+ RECORDING_SECRET = config.sops.secrets.nextcloud_recording_secret;
+ REDIS_HOST = "nextcloud-aio-redis";
+ REDIS_HOST_PASSWORD = config.sops.secrets.nextcloud_redis_host_password;
+ REMOVE_DISABLED_APPS = "yes";
+ SIGNALING_SECRET = config.sops.secrets.nextcloud_signaling_secret;
+ STARTUP_APPS = "deck twofactor_totp tasks calendar contacts notes";
+ TALK_PORT = "3478";
+ TALK_RECORDING_HOST = "nextcloud-aio-talk-recording";
+ THIS_IS_AIO = "true";
+ TURN_SECRET = config.sops.secrets.nextcloud_turn_secret;
+ TZ = "Europe/Dublin";
+ WHITEBOARD_SECRET = config.sops.secrets.nextcloud_whiteboard_secret;
+ };
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_nextcloud:/var/www/html"
+ "/home/cianh/Nextcloud/data:/mnt/ncdata"
+ ];
+ };
+ nextcloud-aio-collabora = {
+ image = "docker.io/nextcloud/aio-collabora:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ environment = {
+ DONT_GEN_SSL_CERT = "1";
+ aliasgroup1 = "https://nextcloud.bulba.space:443";
+ dictionaries = "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru";
+ TZ = "Europe/Dublin";
+ server_name = "nextcloud.bulba.space";
+ };
+ extraPodmanArgs = [
+ "--o:ssl.enable=false"
+ "--o:ssl.termination=true"
+ "--o:mount_jail_tree=false"
+ "--o:logging.level=warning"
+ "--o:home_mode.enable=true"
+ "--o:security.seccomp=true"
+ "--o:remote_font_config.url=https://nextcloud.bulba.space/apps/richdocuments/settings/fonts.json"
+ "--o:net.post_allow.host[0]=.+"
+ ];
+ };
+ nextcloud-aio-database = {
+ image = "docker.io/nextcloud/aio-postgresql:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ env = {
+ TZ = "Europe/Dublin";
+ PGTZ = "Europe/Dublin";
+ POSTGRES_PASSWORD = config.sops.secrets.nextcloud_postgres_password;
+ POSTGRES_DB = "nextcloud_database";
+ POSTGRES_USER = "nextcloud";
+ };
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_database_dump:/mnt/data"
+ "/home/cianh/Nextcloud/config/nextcloud_aio_database:/var/lib/postgresql/data"
+ ];
+ };
+ nextcloud-aio-redis = {
+ image = "docker.io/nextcloud/aio-redis:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ env = {
+ TZ = "Europe/Dublin";
+ REDIS_HOST_PASSWORD = config.sops.secrets.nextcloud_redis_host_password;
+ };
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_redis:/data"
+ ];
+ };
+ nextcloud-aio-clamav = {
+ image = "docker.io/nextcloud/aio-clamav:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ env = {
+ TZ = "Europe/Dublin";
+ MAX_SIZE = "16G";
+ CLAMD_STARTUP_TIMEOUT = "90";
+ };
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_clamav:/var/lib/clamav"
+ ];
+ };
+ nextcloud-aio-fulltextsearch = {
+ image = "docker.io/nextcloud/aio-fulltextsearch:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ extraPodmanArgs = [
+ "eswrapper"
+ ];
+ env = {
+ xpack.license.self_generated.type = "basic";
+ discovery.type = "single-node";
+ bootstrap.memory_lock = "true";
+ xpack.security.enabled = "false";
+ logger.org.elasticsearch.discovery = "WARN";
+ http.port = "9200";
+ TZ = "Europe/Dublin";
+ FULLTEXTSEARCH_PASSWORD = config.sops.secrets.nextcloud_fulltextsearch_password;
+ cluster.name = "nextcloud-aio";
+ ES_JAVA_OPTS = "-Xms512M -Xmx512M";
+ };
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data"
+ ];
+ };
+ nextcloud-aio-imaginary = {
+ image = "docker.io/nextcloud/aio-imaginary:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ env = {
+ TZ = "Europe/Dublin";
+ IMAGINARY_SECRET = config.sops.secrets.nextcloud_imaginary_secret;
+ };
+ };
+ nextcloud-aio-notify-push = {
+ image = "docker.io/nextcloud/aio-notify-push:latest";
+ autoUpdate = "registry";
+ network = "nextcloud-net";
+ env = {
+ NC_DOMAIN = "nextcloud.bulba.space";
+ POSTGRES_DB = "nextcloud_database";
+ POSTGRES_PORT = "5432";
+ NEXTCLOUD_HOST = "nextcloud-aio-nextcloud";
+ REDIS_HOST_PASSWORD = config.sops.secrets.nextcloud_redis_host_password;
+ POSTGRES_USER = "nextcloud";
+ REDIS_HOST = "nextcloud-aio-redis";
+ POSTGRES_HOST = "nextcloud-aio-database";
+ POSTGRES_PASSWORD = config.sops.secrets.nextcloud_postgres_password;
+ };
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_nextcloud:/nextcloud:Z"
+ ];
+ };
+ nextcloud-aio-apache = {
+ image = "docker.io/nextcloud/aio-apache:latest";
+ autoUpdate = "registry";
+ network = [
+ "nextcloud-net"
+ "proxy-net"
+ ];
+ extraPodmanArgs = [
+ "/usr/bin/supervisord"
+ "-c"
+ "/supervisord.conf"
+ ];
+ env = {
+ APACHE_PORT = "11000";
+ ONLYOFFICE_HOST = "nextcloud-aio-onlyoffice";
+ APACHE_MAX_TIME = "3600";
+ APACHE_HOST = "nextcloud-aio-apache";
+ NOTIFY_PUSH_HOST = "nextcloud-aio-notify-push";
+ NEXTCLOUD_HOST = "nextcloud-aio-nextcloud";
+ TZ = "Europe/Dublin";
+ APACHE_MAX_SIZE = "17179869184";
+ TALK_HOST = "nextcloud-aio-talk";
+ WHITEBOARD_HOST = "nextcloud-aio-whiteboard";
+ COLLABORA_HOST = "nextcloud-aio-collabora";
+ NC_DOMAIN = "nextcloud.bulba.space";
+ };
+ ports = [
+ "11000:11000"
+ ];
+ volumes = [
+ "/home/cianh/Nextcloud/config/nextcloud_aio_apache:/mnt/data"
+ "/var/www/html:/var/www/html:Z"
+ ];
+ };
+ };
+ };
+}
diff --git a/home-manager/secrets.yaml b/home-manager/secrets.yaml
index 51ccc39..6294ab8 100644
--- a/home-manager/secrets.yaml
+++ b/home-manager/secrets.yaml
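Review bot: Every secret in the `env` blocks of nextcloud.nix (`ADMIN_PASSWORD`, `AIO_TOKEN`, `POSTGRES_PASSWORD`, `REDIS_HOST_PASSWORD` and the others) is set to `config.sops.secrets.<name>`, which in sops-nix is the secret's option set rather than its decrypted value, so this probably fails to evaluate; any value that did evaluate to a string would be written into the generated container unit in the world-readable Nix store. Keep the values out of the Nix expression and load them at container start from a decrypted file instead, for example `environmentFile = [ config.sops.secrets.<ENV_FILE_SECRET>.path ];` with the variables stored in dotenv form (this assumes the podman module's `environmentFile` option; `<ENV_FILE_SECRET>` is a placeholder). On `nextcloud-aio-apache`, `ports = [ "11000:11000" ]` publishes the plain-HTTP backend on every host interface even though the container already joins `proxy-net`; `"127.0.0.1:11000:11000"`, or no published port, would keep it reachable only through the reverse proxy. The same container mounts the host's `/var/www/html` rather than the `nextcloud_aio_nextcloud` directory the other containers share, which looks unintended. In the `nextcloud-aio-fulltextsearch` block the dotted keys such as `xpack.security.enabled` need quoting (`"xpack.security.enabled" = "false";`), because unquoted they define nested attribute sets instead of variable names.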
@@ -1,7 +1,18 @@ -vikunja_jwtsecret: ENC[AES256_GCM,data:ncqBJnKHH7XvLS8709KsquxKHvMN07GGFLA5X23uKIOE2nipPMG6wCxvXhvjE1wi+gk7UvTe4BXtwhvc0c86Ww==,iv:P6LI9hVQVJW0wMBWBhZSCNXmVTArX5IA9pTs0YzC7mk=,tag:RUlS/qYLa/fJQDdCJQpZ1w==,type:str] -vikunja_dbpassword: ENC[AES256_GCM,data:UBGT3U1ykinOio0u0mQQNei9wPeyrRCZT2YJloTMrWY=,iv:6r3r9INjD4epQPrQoI/1Y67Vi08+DhFci29i+R7UbbY=,tag:kLh9MxhEC9s2MoSJEM0MLg==,type:str] -vikunja-db_rootpassword: ENC[AES256_GCM,data:McnoyCnx8Xo1wYw7OzgRK2osPwJH252OMzKMB830tbbixlZ/dK3Ar32SOzY=,iv:kvAkKooXA3YbJ+5s/oIvK3xeX2sx9ugYnB6j8X7Aiec=,tag:fZElm58Gu5KnsV5+sDxGSw==,type:str] -ghost_dbpassword: ENC[AES256_GCM,data:QUwDnvLEF1a79xXnXUkBMbvGa9m729uZ0Figve+nFAjQB5NqNVzKVMW6WyXeCysPrIrN6IqndgvrIIfEuGtnOg==,iv:McEaobK1mu/OxGf7CmD1mkCnWKkjkLhZQRU8eHBpNIU=,tag:xxMeHguQpUBcnZ5pLXDNJw==,type:str] +vikunja_jwtsecret: ENC[AES256_GCM,data:V+S3+TBloDVsnBu6HghMMioH6/fWMNGaInMu9BOI2d56xqVZvDmq2nq76j5U0b4+D21N74z+NdtM6T0HHh55Zw==,iv:irocW3a0njz9vm48N+KvfJWAB1nZFz5yfe5/Kpj9zRY=,tag:VEXVYWodP8kKDMlMrfplMw==,type:str] +vikunja_dbpassword: ENC[AES256_GCM,data:c1nXnCq0zkPukvauQLROA+wk1KlDrXlud/vGpF0HhPM=,iv:uBUpuMG6IJl9mS4vLdFuncYTtxxMv7fnG8JGOentPu8=,tag:etbne1MGh2QPP4drLvvzdw==,type:str] +vikunja-db_rootpassword: ENC[AES256_GCM,data:vzOmBuhbvyB21rugDcTTVDiVIDGjxH7g3PdapDEjBfKIpgJ4AX5X0B/r0yc=,iv:klZk7C3oQnhrY9qoeoc+GCrmZ0d644hGcWiysyNC7Ds=,tag:n1YH2UN1wDHwk5d4Z/m+Fw==,type:str] +ghost_dbpassword: ENC[AES256_GCM,data:QfCwX/GUU3OnKnqQIeL4axLuywOANtSkaDRUW7eZvygCJqEzJDSrr4bQ5G6RSJqQmk88pxlJimB/F/8YbqHHwQ==,iv:oKs553znybvJbj8OuVXtqgYCxnaNmUWPRlE0CLvsFHM=,tag:5EEX0p/oieYHW3vufG41+w==,type:str] +nextcloud_admin_password: ENC[AES256_GCM,data:uK82fO4AeB6eLuvnKRlP83MRdA1Qs3Z/3TH7LrV08CLCnDsr5ihOScOdbSd6a1i9,iv:dxho9Q6is3+5WXbZJ2ZHRl8OfUSNb8HFBIS+unjP98U=,tag:yTsRhMPtwZzzOVjBd97rgQ==,type:str] +nextcloud_aio_token: 
ENC[AES256_GCM,data:uMxWxEPs6tJwUf5BKLypjorMSiyxXyKJE7A27KZB9TK/nAhggbYlDe4Sykd6VvVj,iv:vJD+C6sv0K55IdSIGU3/svInE9aOlpBbywpcx8iI9g0=,tag:F2k5Uie0ZqUzdEf7ghKwSg==,type:str] +nextcloud_fulltextsearch_password: ENC[AES256_GCM,data:HE4NHkZ/3Xl0IfedsmvtIz0ULQSfMzDZmtrsmLdgzck03/CUTNRqay3Y1+gEPt2Q,iv:3JZ5a5DCg+hmdgQVfryyMvriQFkESyFtQHVD16fHmIg=,tag:OwB1VZRvp9Px7QMHpsdLnA==,type:str] +nextcloud_imaginary_secret: ENC[AES256_GCM,data:zmpkm7tHNCtck6Q1zuZtBrQ8/OVvJWYqPyFa/LmOcwDnaNqgYWbLPn/mhenSHJmn,iv:WmQmi/UEpKOzVC2kC8iLxgfaKsUAKUdTL3qCYUmOLvI=,tag:Olc9LQq1Kx8YSIE+v11pGg==,type:str] +nextcloud_onlyoffice_secret: ENC[AES256_GCM,data:fCkCXk7KN3XRhB9/PNGrb86Pzqew0Ad0cr6GCULwDYG9CiQATv3l8g8xpD6GbvUD,iv:azDeRT4knCIfWbZhTgMMbYYCIT6CGb5rhi7kdvehUoo=,tag:upwYdXgem9bQko1sK8lIhA==,type:str] +nextcloud_postgres_password: ENC[AES256_GCM,data:wf9UwXo0pS9hN6gjjHIdZRNZQnZ5Dt7M5eVFNRySLU6U5Nc8g5eKojcgtKepISfh,iv:CrcT3UxpJUX3CUWeLDHK/gFcn3KR6TEk4Jaug4aeFOs=,tag:fO2jysj+EEtFY7HZQsobtQ==,type:str] +nextcloud_recording_secret: ENC[AES256_GCM,data:r6TJDmXxmaa2tp3HmzWGKWQvyrOffDKvbVaGswDLL0MPKfdKmpyrUCEh0LfVqGNy,iv:Drjodww0DiaOj4sOzSSaoN0yqzfAEYlfVWDZMM8/XtY=,tag:iKoQvi9uC4r0WB7SWNSspw==,type:str] +nextcloud_redis_host_password: ENC[AES256_GCM,data:1l3dGkzuhJTgcgOjVxi5Bm2L+t9SzvPLh+Jy9FV+/0raaXGwymF6LnK7Zfi0FnOa,iv:4bnII5Btw+/hsEoUciVKhjqXtL4L0/8ZY9rexpfB9J0=,tag:G1LTz1zRba/RsbqGwoH/cA==,type:str] +nextcloud_signaling_secret: ENC[AES256_GCM,data:+Cb+saRM2Bl9kf/m8/XD3Lkya3/Yymep9E5S4Dguj/NSbNB5Qm8bExJO6o9k3cta,iv:yTDQqW6Rk7lWggmF39KGdDgQyy6CQNcNlnyGYqefMZw=,tag:ZOwg+m32PwWtzsE9WnZruA==,type:str] +nextcloud_turn_secret: ENC[AES256_GCM,data:pm1LLhKxrnxrLBGmPIeNfQ8znlVFmCr2sbivh0f4P5XEzKLQ8CJ7gcSClgesZn9V,iv:msZoWkb+RrwdLEgzlABk80NqCk2Tw3NKbwEE/7EzpN8=,tag:nSLH9ZmbbWPIzrK5GW3Emg==,type:str] +nextcloud_whiteboard_secret: ENC[AES256_GCM,data:gGMvuugXwRyXeQDFH4Ox2zCT+SZFgV7VnrtkkHSB350haHVigl1e+jDbKE54E2AZ,iv:jYZJQlw6nfb+OcA4DD0wjhKZjdKTN/4+UjM3BvT9h5Y=,tag:6+XNf3GAPQpcEPxvdaYuIg==,type:str] sops: kms: 
[] gcp_kms: [] @@ -11,14 +22,14 @@ sops: - recipient: age15x4h66uk6ct3436e6r4l0tkpf86e7jzl3lqd2acndq2jjvq5za3stqg2fy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzL2tTYzRNd3VQYzJTbDAr - VlVXcEwxUXNSVzc4SEV4ZE1NZ0tVK2FoeGlJCkMwSXJVOEw5akpLYys5VndaVU1D - QW5nZ21NbFpIaitnRWhnWGJ3VnNkMlkKLS0tIHhvN1hjbm1ET3J4azNucG5CYmpn - Wm1SVHRnUGpEZnFNQ056aWtuVDNmNlkKzdi8fXl+2nUy3lGXakBky6Ll113hcAYC - y8luIXczuL7R91BfwgwAYGidgFJBzMFuE7By4J8f3RAVW8IrJoW5Xw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwV0thb3pLVStPczVCUS9K + UkJudndGUEZEeWQ5TWVSRDdqWlRkQVFrVDFnCmpvRDlPaGRtM2I4Vjc2UUh5aVdw + NmdXcmdFSWoxaG1ueGlxdFYzMWJyQXMKLS0tIHpiTTFhZW1jYXBZMGg3ekhYVENU + bWFMdmtEbzlVU1NTcGFXWE95ZzR6N0UKEtkLR+3l2lmUUUu3kVYPbMKoxnQdDH08 + nS2j5YdYVtbiYzCzw9hbOT/jY7+Uu2ZDjGsJyGkTJAI09Ai+HBw2Dg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-06T22:39:19Z" - mac: ENC[AES256_GCM,data:WDdHVKX5/DB6pT4vHMSDh7vM2ryUOBk8ZgthMmPpJ8kDivAKBo34l7s6bsOwzofvl35CiCy2psGYirfa4QjzqcnWPIBwUY57ird0FeFzRlzyeQShaUk50VpsXw8+lbFwUtq8Q5cHGVM/qRTuIurNbclIrpZJ3yJOsCWi0SF7bYk=,iv:6lrOFildBBRtAdC7/vNEGUE9oUub8dC8z3wi5Zi4Ynk=,tag:Jf8PfMP320FNdOS37UQ4ZA==,type:str] + lastmodified: "2025-02-10T00:02:59Z" + mac: ENC[AES256_GCM,data:D9/BZm9bhMlHup9IarAJJNTir1+qu1P6f6KgKVxW5qdxA22JcAH9on9v6qbI6GBtGbF9j5fMtuoJAjkpXQpXGLxE3dR86ofJXwYFyRWJd84T38oSVGptM45cDvGy061po2yqCcsDhrpbEhoO48ZyZGDhGXba9OlF1X5eJqvFDMg=,iv:LbX/MrCMQH9BobY60HEf3mmsAYhoLCj7DOZr4hY7suc=,tag:H4Dr18tH9E/NONrtuTXLgQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4