From 99fe50f4fedc289d05f29d11623649d6975c4a91 Mon Sep 17 00:00:00 2001 From: Chris Toph Date: Wed, 4 Sep 2024 00:05:23 -0400 Subject: [PATCH] initial working setup for nextcloud needs more setup --- nixos/configuration.nix | 44 ++++++++++++++++------ {nextcloud => nixos/imports}/nextcloud.nix | 9 +++-- nixos/imports/nginx.nix | 23 +++++++++++ 3 files changed, 62 insertions(+), 14 deletions(-) rename {nextcloud => nixos/imports}/nextcloud.nix (92%) create mode 100644 nixos/imports/nginx.nix diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 63855c1..788c4b4 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -1,7 +1,7 @@ { modulesPath, config, pkgs, ... }: let hostname = "cloud"; - user = "toph"; + admin = "toph"; password = "[REDACTED]"; timeZone = "America/New_York"; defaultLocale = "en_US.UTF-8"; @@ -19,6 +19,9 @@ in { # NETWORKING networking = { + firewall = { + allowedTCPPorts = [ 80 443 ]; + }; dhcpcd.enable = false; hostName = hostname; networkmanager.enable = true; @@ -38,6 +41,11 @@ in { }; }; + security.acme = { + acceptTerms = true; + defaults.email = "chris@toph.cc"; + }; + # LOCALE time.timeZone = timeZone; i18n.defaultLocale = defaultLocale; 
@@ -45,20 +53,28 @@ in { # USERS users = { mutableUsers = false; - users."${user}" = { - isNormalUser = true; - password = password; - extraGroups = [ "wheel" ]; - shell = pkgs.fish; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClZstYoT64zHnGfE7LMYNiQPN5/gmCt382lC+Ji8lrH PVE" - ]; + users ={ + "${admin}" = { + isNormalUser = true; + createHome = true; + homeMode = "750"; + home = "/home/${admin}"; + password = password; + extraGroups = [ "wheel" ]; + shell = pkgs.fish; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClZstYoT64zHnGfE7LMYNiQPN5/gmCt382lC+Ji8lrH PVE" + ]; + }; + + nextcloud.extraGroups = [ "users" "root" "wheel" ]; + nextcloud.homeMode = "750"; }; }; # Enable passwordless sudo. security.sudo.extraRules= [ - { users = [ user ]; + { users = [ admin ]; commands = [ { command = "ALL" ; options= [ "NOPASSWD" ]; @@ -79,7 +95,13 @@ in { # PROGRAMS & SERVICES programs.ssh.startAgent = true; - services.nextcloud = import ../nextcloud/nextcloud.nix { inherit pkgs config; }; + + # Nextcloud + environment.etc."nextcloud-admin-pass".text = "snYBkSxkFZ6a7Y"; + services.nextcloud = import ./imports/nextcloud.nix { inherit pkgs config; }; + + # Nginx + services.nginx = import ./imports/nginx.nix; # Shells environment.shells = with pkgs; [ bash fish ]; diff --git a/nextcloud/nextcloud.nix b/nixos/imports/nextcloud.nix similarity index 92% rename from nextcloud/nextcloud.nix rename to nixos/imports/nextcloud.nix index cc30bcb..8206010 100644 --- a/nextcloud/nextcloud.nix +++ b/nixos/imports/nextcloud.nix @@ -32,11 +32,14 @@ # }; }; - config = { - overwriteprotocol = "https"; + settings = { + overwriteProtocol = "https"; default_phone_region = "US"; + }; + + config = { dbtype = "pgsql"; adminuser = "admin"; - adminpassFile = "./adminpass"; + adminpassFile = "/etc/nextcloud-admin-pass"; }; } \ No newline at end of file 
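Review bot: `nextcloud.extraGroups = [ "users" "root" "wheel" ];` puts the account that runs the web-facing Nextcloud PHP code into the `root` and `wheel` groups, so a compromised Nextcloud app or an RCE in the PHP stack inherits read access to every root-group-readable file plus membership in the group NixOS treats as administrative by default (sudo's wheel rule, polkit admin identities). Nothing in the hunk shows a path that requires those groups; if Nextcloud must read some specific file, granting that file's own group or fixing its ownership is the least-privilege route. Reduce the line to `nextcloud.extraGroups = [ "users" ];` or drop it and let the module's own user definition stand. The `security.sudo.extraRules` list this hunk starts closes outside the hunk.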
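Review bot: `environment.etc."nextcloud-admin-pass".text = "snYBkSxkFZ6a7Y";` commits the Nextcloud admin password to the repository and, because `environment.etc.*.text` is evaluated into a Nix store path, lands it in the world-readable /nix/store with /etc/nextcloud-admin-pass pointing at that copy, so any local account can read it; setting `mode` on the etc entry would not help because the store copy stays readable. The value should be treated as leaked as of this commit and rotated in Nextcloud. Replace the inline text with a file provisioned outside the store (a secrets tool such as agenix or sops-nix, or a manually created 0400 file owned by whichever account the module's setup service reads it as) and keep only the path in `services.nextcloud.config.adminpassFile`. As far as I recall the NixOS module consults `adminpassFile` only during the initial install, so editing the file later does not rotate an already-set admin password.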
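Review bot: `overwriteProtocol = "https";` under `settings` probably does not do what the removed `overwriteprotocol` line did: `settings` is written into config.php as-is, and Nextcloud's own key is lowercase `overwriteprotocol`, so the camel-case key is accepted without error and then ignored. With nginx terminating TLS and forceSSL on the vhost, an ignored overwrite means Nextcloud may still build http:// absolute URLs and redirects for logins, share links and app callbacks. Change it to `overwriteprotocol = "https";` and confirm after deploy with `occ config:system:get overwriteprotocol`. The attribute set this file returns begins before the hunk, so whether `hostName` there matches the nginx vhost `cloud.ryot.foo` cannot be checked from here.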
diff --git a/nixos/imports/nginx.nix b/nixos/imports/nginx.nix
new file mode 100644
index 0000000..1c5e54a
--- /dev/null
+++ b/nixos/imports/nginx.nix
@@ -0,0 +1,23 @@
+{
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ # Setup Nextcloud virtual host to listen on ports
+ virtualHosts = {
+
+ "cloud.ryot.foo" = {
+ ## Force HTTP redirect to HTTPS
+ forceSSL = true;
+ ## LetsEncrypt
+ enableACME = true;
+ };
+ };
+}
\ No newline at end of file
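Review bot: The `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` override is weaker than the comment above it suggests and likely worse than the list `recommendedTlsSettings = true` already installs. OpenSSL's `AES256+EECDH` group also matches the CBC-mode suites (e.g. ECDHE-RSA-AES256-SHA), `AES256+EDH` admits finite-field DHE whose strength depends on nginx's DH parameters, and the string excludes the AEAD ChaCha20-Poly1305 and AES-128-GCM suites modern clients prefer; it also has no effect on TLS 1.3 suites, which nginx negotiates separately. Either delete the `sslCiphers` line and let the recommended settings stand, or name AEAD suites explicitly: `sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";`. If the override is kept, the comment should state what the list actually admits rather than "Only allow PFS-enabled ciphers with AES256".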