parent 40f0f233c2
commit 58bc179192
11 changed files with 650 additions and 0 deletions
demo/nextcloud/README.md (219 additions, Normal file)
@ -0,0 +1,219 @@
# Nextcloud Demo {#demo-nextcloud}

**This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.**

The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [15
lines](./flake.nix#L29-L45) of related code.

This guide will show how to deploy this setup to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 6 commands.

## Deploy to the VM {#deploy-to-the-vm}

Build the VM and start it:

```bash
rm nixos.qcow2; \
nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ; \
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
```

This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
need to run the rest of the commands in another terminal.

The nested command, the one in between the parenthesis `$(...)` is used to print the VM's public age key, whic.

With the VM started, make the secrets in `secrets.yaml` decryptable in the VM. This change will
appear in `git status` but you don't need to commit this.

```bash
SOPS_AGE_KEY_FILE=keys.txt \
nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \
--add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') \
secrets.yaml
```

If you forget this step, the deploy will seem to go fine but the secrets won't be populated and
Nextcloud will not start.

Make the ssh key private:

```bash
chmod 600 sshkey
```

This is only needed because git mangles with the permissions. You will not even see this change in
`git status`.

You can ssh into the VM with, but this is not required for the demo:

```bash
ssh -F ssh_config example
```

Finally, deploy with:

```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply
```

The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.

## Access Nextcloud Through Your Browser {#access-nextcloud-through-your-browser}

Add the following entry to your `/etc/hosts` file:

```nix
networking.hosts = {
"127.0.0.1" = [ "n.example.com" ];
};
```

Which produces:

```bash
$ cat /etc/hosts
127.0.0.1 n.example.com
```

Go to [http://n.example.com:8080](http://n.example.com:8080) and login with:

- username: `root`
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`.

Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you
might see errors loading scripts.

## In More Details {#in-more-details}

### Files {#files}

- [`flake.nix`](./flake.nix): nix entry point, defines one target host for
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for
setting up the Nextcloud service.
- [`configuration.nix`](./configuration.nix): defines all configuration required for colmena
to deploy to the VM. The file has comments if you're interested.
- [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout.
This was generated with nixos-generate-config on the VM.
- Secrets related files:
- [`keys.txt`](./keys.txt): your private key for sops-nix, allows you to edit the `secrets.yaml`
file. This file should never be published but here I did it for convenience, to be able to
deploy to the VM in less steps.
- [`secrets.yaml`](./secrets.yaml): encrypted file containing required secrets for Nextcloud. This file can be publicly accessible.
- [`sops.yaml`](./sops.yaml): describes how to create the `secrets.yaml` file. Can be publicly
accessible.
- SSH related files:
- [`sshkey(.pub)`](./sshkey): your private and public ssh keys. Again, the private key should usually not
be published as it is here but this makes it possible to deploy to the VM in less steps.
- [`ssh_config`](./ssh_config): the ssh config allowing you to ssh into the VM by just using the
hostname `example`. Usually you would store this info in your `~/.ssh/config` file but it's
provided here to avoid making you do that.

### Virtual Machine {#virtual-machine}

_More info about the VM._

We use `build-vm-with-bootloader` instead of just `build-vm` as that's the only way to deploy to the VM.

The VM's User and password are both `nixos`, as setup in the [`configuration.nix`](./configuration.nix) file under
`user.users.nixos.initialPassword`.

You can login with `ssh -F ssh_config example`. You just need to accept the fingerprint.

The VM's hard drive is a file name `nixos.qcow2` in this directory. It is created when you first create the VM and re-used since. You can just remove it when you're done.

That being said, the VM uses `tmpfs` to create the writable nix store so if you stumble in a disk
space issue, you must increase the
`virtualisation.vmVariantWithBootLoader.virtualisation.memorySize` setting.

### Secrets {#secrets}

_More info about the secrets._

The private key in the `keys.txt` file is created with:

```bash
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
```

We use the printed public key in the `admin` field of the `sops.yaml` file.

The `secrets.yaml` file must follow the format:

```yaml
nextcloud:
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
onlyoffice:
jwt_secret: XYZ...
```

To open the `secrets.yaml` file and optionnally edit it, run:

```bash
SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \
--config sops.yaml \
secrets.yaml
```

You can generate random secrets with:

```bash
$ nix run nixpkgs#openssl -- rand -hex 64
```

If you choose a password too small, ldap could refuse to start.

#### Why do we need the VM's public key {#public-key-necessity}

The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add
secrets to that file and when deploying, it will be decrypted and the secrets will be copied
in the `/run/secrets` folder on the VM. We thus need one private key for you to edit the
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.

Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
creating the VM in the step above, a new private key and its accompanying public key were
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
public key and add it to the `secrets.yaml` which we did in the Deploy section.

### SSH {#ssh}

The private and public ssh keys were created with:

```bash
ssh-keygen -t ed25519 -f sshkey
```

You don't need to copy over the ssh public key over to the VM as we set the `keyFiles` option which copies the public key when the VM gets created.
This allows us also to disable ssh password authentication.

For reference, if instead you didn't copy the key over on VM creating and enabled ssh
authentication, here is what you would need to do to copy over the key:

```bash
$ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
```

### Deploy {#deploy}

If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input
selfhostblocks`.

```
error: NAR hash mismatch in input ...
```

### Update Demo {#update-demo}

If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy.

If you update the `configuration.nix` file, you will need to rebuild the VM from scratch.

If you update a module in the Self Host Blocks repository, you will need to update the lock file with:

```bash
nix flake lock --override-input selfhostblocks ../.. --update-input selfhostblocks
```
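Review bot: the sentence "The nested command, the one in between the parenthesis `$(...)` is used to print the VM's public age key, whic." is cut off and sits one paragraph above the sops command whose `$(...)` it explains; complete it (the subshell runs `ssh-keyscan -p 2222 -t ed25519 -4 localhost` and pipes the host key through `ssh-to-age`, which yields the age recipient matching the VM's `/etc/ssh/ssh_host_ed25519_key`) and move it directly under that code block. In "Why do we need the VM's public key", "Your private key is already pre-generated in this repo, it's the `sshkey` file" should point at `keys.txt`: `sshkey` is the SSH identity, `keys.txt` is the age key that decrypts `secrets.yaml`. Smaller fixes: "I advice" should be "I advise", "optionnally" should be "optionally", "like showed" should be "as shown", and the `/etc/hosts` step shows a `networking.hosts` NixOS snippet, so say that this is the NixOS way of getting that line into `/etc/hosts` on the host machine.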
demo/nextcloud/configuration.nix (65 additions, Normal file)
@ -0,0 +1,65 @@
{ config, pkgs, ... }:

let
targetUser = "nixos";
targetPort = 2222;
in
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];

boot.loader.grub.enable = true;
boot.kernelModules = [ "kvm-intel" ];
system.stateVersion = "22.11";

# Options above are generate by running nixos-generate-config on the VM.

# Needed otherwise deploy will say system won't be able to boot.
boot.loader.grub.device = "/dev/vdb";
# Needed to avoid getting into not available disk space in /boot.
boot.loader.grub.configurationLimit = 1;
# The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
# the available disk space to install home-assistant.
virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;

# Options above are needed to deploy in a VM.

nix.settings.experimental-features = [ "nix-command" "flakes" ];

# We need to create the user we will deploy with.
users.users.${targetUser} = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
initialPassword = "nixos";
# With this option, you don't need to use ssh-copy-id to copy the public ssh key to the VM.
openssh.authorizedKeys.keyFiles = [
./sshkey.pub
];
};

# The user we're deploying with must be able to run sudo without password.
security.sudo.extraRules = [
{ users = [ targetUser ];
commands = [
{ command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];

# Needed to allow the user we're deploying with to write to the nix store.
nix.settings.trusted-users = [
targetUser
];

# We need to enable the ssh daemon to be able to deploy.
services.openssh = {
enable = true;
ports = [ targetPort ];
permitRootLogin = "no";
passwordAuthentication = false;
};
}
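Review bot: `permitRootLogin = "no";` and `passwordAuthentication = false;` in the `services.openssh` block are the pre-23.05 option names; with `nixpkgs` pinned to `nixos-unstable` they still evaluate through the renamed-option aliases but print a deprecation warning on every deploy. Use `settings.PermitRootLogin = "no";` and `settings.PasswordAuthentication = false;` inside the same block. Two leftovers as well: the comment above `memorySize = 8192` says "to install home-assistant" but this demo installs Nextcloud, and `boot.kernelModules = [ "kvm-intel" ];` repeats the same line from `hardware-configuration.nix` (lists merge, so it is harmless, but the file says those options come from `nixos-generate-config`, which already put it there).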
demo/nextcloud/flake.lock (170 additions, Normal file)
@ -0,0 +1,170 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nix-flake-tests": {
"locked": {
"lastModified": 1677844186,
"narHash": "sha256-ErJZ/Gs1rxh561CJeWP5bohA2IcTq1rDneu1WT6CVII=",
"owner": "antifuchs",
"repo": "nix-flake-tests",
"rev": "bbd9216bd0f6495bb961a8eb8392b7ef55c67afb",
"type": "github"
},
"original": {
"owner": "antifuchs",
"repo": "nix-flake-tests",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1687681650,
"narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1687031877,
"narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1686628398,
"narHash": "sha256-jXEuS/dex59Oon4tll+Jb8aVl6B8HX/aREigHjt2S6E=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "202850e1a11a939364cef0f326cb1352b3f2d8cd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"nmdsrc": {
"flake": false,
"locked": {
"lastModified": 1701431551,
"narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=",
"ref": "refs/heads/master",
"rev": "f18defadcc25e69e95b04493ee02682005472255",
"revCount": 65,
"type": "git",
"url": "https://git.sr.ht/~rycee/nmd"
},
"original": {
"type": "git",
"url": "https://git.sr.ht/~rycee/nmd"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs",
"selfhostblocks": "selfhostblocks",
"sops-nix": "sops-nix"
}
},
"selfhostblocks": {
"inputs": {
"flake-utils": "flake-utils",
"nix-flake-tests": "nix-flake-tests",
"nixpkgs": [
"nixpkgs"
],
"nmdsrc": "nmdsrc",
"sops-nix": [
"sops-nix"
]
},
"locked": {
"lastModified": 1703412385,
"narHash": "sha256-nPOnGY7V54rZezB0RelV2Kvqtv7yd84247y8AJg66rY=",
"owner": "ibizaman",
"repo": "selfhostblocks",
"rev": "40f0f233c247b26f98b8912ffab0feb8283744d1",
"type": "github"
},
"original": {
"owner": "ibizaman",
"repo": "selfhostblocks",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1687398569,
"narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2ff6973350682f8d16371f8c071a304b8067f192",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
demo/nextcloud/flake.nix (64 additions, Normal file)
@ -0,0 +1,64 @@
{
description = "Home Assistant example for Self Host Blocks";

inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";

selfhostblocks.url = "github:ibizaman/selfhostblocks";
selfhostblocks.inputs.nixpkgs.follows = "nixpkgs";
selfhostblocks.inputs.sops-nix.follows = "sops-nix";
};

outputs = inputs@{ self, nixpkgs, sops-nix, selfhostblocks, ... }: {
colmena = {
meta = {
nixpkgs = import nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};

myserver = { config, ... }: {
imports = [
./configuration.nix
sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];

# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};

shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
dataDir = "/var/lib/nextcloud";
tracing = null;

# This option is only needed because we do not access Nextcloud at the default port in the VM.
externalFqdn = "n.example.com:8080";

adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
};

# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};

# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
};
};
};
}
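Review bot: `description = "Home Assistant example for Self Host Blocks";` is a copy-paste leftover in a flake that deploys Nextcloud; rename it. The comment "Set to true for more debug info with `journalctl -f -u nginx`" sits above `shb.nginx.accessLog = true;` but describes `shb.nginx.debugLog = false;`, the one that is actually off, so move it down one line. The `sops.secrets."nextcloud/adminpass"` wiring (`mode = "0440"`, `owner = "nextcloud"`, path passed as `adminPassFile`) is the right shape: the password is only materialised on the VM at deploy time and never enters the nix store.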
demo/nextcloud/hardware-configuration.nix (64 additions, Normal file)
@ -0,0 +1,64 @@
# This file was generated by running nixos-generate-config on the VM.
#
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];

boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];

fileSystems."/" =
{ device = "/dev/vda";
fsType = "ext4";
};

fileSystems."/nix/.ro-store" =
{ device = "nix-store";
fsType = "9p";
};

fileSystems."/nix/.rw-store" =
{ device = "tmpfs";
fsType = "tmpfs";
};

fileSystems."/tmp/shared" =
{ device = "shared";
fsType = "9p";
};

fileSystems."/tmp/xchg" =
{ device = "xchg";
fsType = "9p";
};

fileSystems."/nix/store" =
{ device = "overlay";
fsType = "overlay";
};

fileSystems."/boot" =
{ device = "/dev/vdb2";
fsType = "vfat";
};

swapDevices = [ ];

# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;

nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
demo/nextcloud/keys.txt (3 additions, Normal file)
@ -0,0 +1,3 @@
# created: 2023-11-17T00:05:25-08:00
# public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
AGE-SECRET-KEY-1EPLAHXWDEM5ZZAU7NFGHT5TWU08ZUCWTHYTLD8XC89350MZ0T79SA2MQAL
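Review bot: this is the age private key behind the `admin` recipient in `sops.yaml`, so everything in `secrets.yaml` (`nextcloud/adminpass`, `onlyoffice/jwt_secret`) is effectively plaintext for anyone with the repo, which the README acknowledges and even spells out by printing the admin password. Anyone copying this demo for real use must run `age-keygen -o keys.txt` afresh, put the new public key in `sops.yaml`, and re-create `secrets.yaml` with new values rather than re-encrypt the demo ones; a sentence saying exactly that in the README's `keys.txt` bullet would keep the key from being reused by accident.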
demo/nextcloud/secrets.yaml (42 additions, Normal file)
@ -0,0 +1,42 @@
nextcloud:
adminpass: ENC[AES256_GCM,data:3FXgVNzKAKrQxoDmRIq188YYrfiEEyYqU3lgwydXHp4=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:nBt+8ciDRBiUzg3JEmiYnw==,type:str]
onlyoffice:
jwt_secret: ENC[AES256_GCM,data:+6qLNuOaFYRT092i1mkboi4DswEbcv/5+fQ0TpTCMkToWtNoxce5FyLoYpJoJIG3Kg5rrpNkfUYDugG9/5KWFu+31h8i8JdsxyiG0GGjtMbaUCzgiUyL+apMxl4S2b6jS2tGoExZhbgDFErE3p/wM5JTic1DE5HsFQr/49JI78w=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:/Z6oSecHHhZVx/jpbx4Wgw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRFc0aGZxa1RaWmZ4SlRk
c2MweTlQdGNQZE1VTDhrTHUzZ2pocUJFWEhNCndjcHB2elp0Zk1MbEFKTzN6a3pI
amdmSERWRFU4dzY1ck5MUE14SXV2c1UKLS0tIFk2MktiV1ljb3E3aXBFdTVlNUk0
QWZUZWc4amJFVkkxb0tPc1FmeklTNFEK1Pqwg8AI2yw3y9dU9p6Mx2bhKb3lUPt7
WhyWZbRT4zKjkcUp2NazqMKM35ru5i0037praFJgz05zkStn6twMqA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckF2U0NLaXhsaGVtcms2
bWZWN1RLQXh3VXRHTzQyM20wTFd0NVA5WTFBCjZvcXlDQS81NXhFRmlHZVV4WHRT
VUhteXIyc1dtRE1OZmk1MmVaM3VzSkEKLS0tIGgrYzFaRkdwMnNEc1F1MGNwQjVx
U3RwYXR6elZ4YTFTNGk4dDVuaUhDUjQKfkIG0oDVqDfSZCxHOZThFlY2V0KpXwBY
D7eodJ26fjJBAaqbvZkWF/BMCKTpAs4cQEHIW70yu6c+kMdV10D9fA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cm5oRXpPTER3a0djWVov
b2E3UjVNQnNKdFVxZnpkN0l6MjdkdDdXbkZrCk1nQ3Z3Y1psZmdRelJsZkRmV2Zk
WWVXMVplL0gxRDFlemhGQVp3eDhuajgKLS0tIGMxQVJjc0xkOVIrSzFYNXk0MHNM
aHg3S3MycVJTcVZvR0hYZ1RXelhqcWMKsb4tbh/q/XDdDmwkxLvaa5olDjYIGIVH
oZSqSF4ws7bRPTX8WAFFyoRw2kcZyc41WfBY1/8DcBKE/SHe5TKPEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-22T07:04:41Z"
mac: ENC[AES256_GCM,data:J9EsLR+Rr23io0zx7NnHahds3Y4PNGgKoooLb4hXXeu/sORz+IWALhnF35SHsZaAAvwdCtjy5G7jrryRMKWGXy1uMs7WcsDGtI36Q9DVBuUav8gLWes0NEMv62nKrruS1zMcgYQdEPo7AL3sadbQxusEQNbhVfGxbiPXE9U3sfE=,iv:EpwwUnIhQeIHB13GBHFYELMeo36Qm45G382wQTcE8FM=,tag:Jb9C28oQjzsGVE1oFJzIBg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
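Review bot: three age recipients are listed under `sops.age` while `sops.yaml` only declares `admin` (`age1algdv...`); the other two (`age1ej98...`, `age1j6sca...`) are presumably host keys from earlier VM builds added with `--add-age`, and because `-r` re-encrypts the data key to every listed recipient, each stale one can still decrypt the current file. Prune them with `sops --config sops.yaml -r -i --rm-age <recipient> secrets.yaml` before committing, or commit the file with only the `admin` recipient and let the README step add the live VM key locally (the README already says that change need not be committed).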
demo/nextcloud/sops.yaml (7 additions, Normal file)
@ -0,0 +1,7 @@
keys:
- &admin age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *admin
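Review bot: the VM's age recipient is added ad hoc with `--add-age` and never appears in these `creation_rules`, so a `sops updatekeys` run would strip it and silently reproduce the "secrets won't be populated" failure the README warns about; add a comment here saying the VM key is intentionally absent and must be re-added after `updatekeys`. Naming the file `.sops.yaml` would also let every command in the README drop `--config sops.yaml`.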
demo/nextcloud/ssh_config (8 additions, Normal file)
@ -0,0 +1,8 @@
Host example
Port 2222
User nixos
HostName 127.0.0.1
IdentityFile sshkey
IdentitiesOnly yes
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
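Review bot: `StrictHostKeyChecking no` together with `UserKnownHostsFile=/dev/null` disables host-key verification entirely for `Host example`, and this same file is what colmena uses through `SSH_CONFIG_FILE=ssh_config`. That is tolerable only because `HostName 127.0.0.1` points at a local QEMU port forward whose host key changes on every `rm nixos.qcow2`; add a comment saying so, so the stanza is not copied for a remote host. The README's "You just need to accept the fingerprint" contradicts these two lines: with them ssh never prompts.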
demo/nextcloud/sshkey (7 additions, Normal file)
@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIwAAAJiBL8xSgS/M
UgAAAAtzc2gtZWQyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIw
AAAECzMZfgJIQJUVgyKZ3IYnEVvwnYXJ8nstc4/g1H41dC/vueAR1wO7hRVt7ZnMGEqfYe
E9bQ+USaASlv+SQyJ4UjAAAAEWV4YW1wbGVAbG9jYWxob3N0AQIDBA==
-----END OPENSSH PRIVATE KEY-----
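Review bot: the key is stored without a passphrase (the first base64 line decodes to an `openssh-key-v1` header with cipher `none` and kdf `none`), which is what lets colmena deploy non-interactively but also makes this single file a complete credential for the `nixos` user, who has `NOPASSWD` sudo on the VM per `configuration.nix`. The README's warning covers it for the demo; since git preserves only the executable bit, the file always checks out world-readable and OpenSSH refuses it until `chmod 600 sshkey`, which is the reason for that README step and worth stating in the `sshkey(.pub)` bullet.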
demo/nextcloud/sshkey.pub (1 addition, Normal file)
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueAR1wO7hRVt7ZnMGEqfYeE9bQ+USaASlv+SQyJ4Uj example@localhost