Compare commits
2 commits
6fe61dd9b6
...
6cc85011ea
Author | SHA1 | Date | |
---|---|---|---|
Tristan Daniël Maat | 6cc85011ea | ||
Tristan Daniël Maat | a84529d9a3 |
|
@ -5,10 +5,10 @@
|
|||
...
|
||||
}: {
|
||||
imports = [
|
||||
./services/gitea.nix
|
||||
./services/nextcloud.nix
|
||||
./services/webserver.nix
|
||||
./services/starbound.nix
|
||||
./services/postgres.nix
|
||||
./ids.nix
|
||||
./sops.nix
|
||||
];
|
||||
|
@ -80,8 +80,6 @@
|
|||
domain = config.services.nginx.domain;
|
||||
in {
|
||||
"${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
|
||||
"gitea.${domain}" = proxyPassToPort 3000 {};
|
||||
"nextcloud.${domain}" = proxyPassToPort 3001 {};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1,48 +1,30 @@
|
|||
{config, ...}: {
|
||||
users = {
|
||||
extraUsers.gitea = {
|
||||
uid = config.ids.uids.git;
|
||||
isSystemUser = true;
|
||||
description = "Gitea Service";
|
||||
group = config.users.extraGroups.gitea.name;
|
||||
};
|
||||
extraGroups.gitea = {gid = config.ids.gids.git;};
|
||||
{config, ...}: let
|
||||
domain = "gitea.${config.services.nginx.domain}";
|
||||
in {
|
||||
services.gitea = {
|
||||
inherit domain;
|
||||
enable = true;
|
||||
|
||||
httpAddress = "127.0.0.1";
|
||||
database.type = "postgres";
|
||||
|
||||
ssh.clonePort = 2222;
|
||||
rootUrl = "https://gitea.tlater.net/";
|
||||
cookieSecure = true;
|
||||
|
||||
appName = "Gitea: Git with a cup of tea";
|
||||
};
|
||||
|
||||
virtualisation.pods.gitea = {
|
||||
hostname = "gitea.tlater.net";
|
||||
publish = ["3000:3000" "2221:2221"];
|
||||
network = "slirp4netns";
|
||||
# Set up SSL
|
||||
services.nginx.virtualHosts."${domain}" = let
|
||||
inherit (config.services.gitea) httpAddress httpPort;
|
||||
in {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
'';
|
||||
|
||||
containers = {
|
||||
gitea = {
|
||||
image = "gitea/gitea:latest";
|
||||
volumes = ["gitea:/data:Z" "/etc/localtime:/etc/localtime:ro"];
|
||||
dependsOn = ["postgres"];
|
||||
|
||||
environment = {
|
||||
DB_TYPE = "postgres";
|
||||
DB_HOST = "localhost:5432";
|
||||
DB_NAME = "gitea";
|
||||
DB_USER = "gitea";
|
||||
|
||||
USER_UID = toString config.users.extraUsers.gitea.uid;
|
||||
USER_GID = toString config.users.extraGroups.gitea.gid;
|
||||
|
||||
RUN_MODE = "prod";
|
||||
DOMAIN = "gitea.tlater.net";
|
||||
SSH_PORT = "2221";
|
||||
};
|
||||
};
|
||||
|
||||
postgres = {
|
||||
image = "postgres:alpine";
|
||||
environment = {
|
||||
POSTGRES_DB = "gitea";
|
||||
POSTGRES_USER = "gitea";
|
||||
};
|
||||
volumes = ["gitea-postgres-14:/var/lib/postgresql/data"];
|
||||
};
|
||||
};
|
||||
locations."/".proxyPass = "http://${httpAddress}:httpPort";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,53 +1,43 @@
|
|||
{config, ...}: {
|
||||
virtualisation.pods.nextcloud = {
|
||||
hostname = "nextcloud.tlater.net";
|
||||
publish = ["3001:80"];
|
||||
network = "slirp4netns";
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (pkgs) fetchNextcloudApp;
|
||||
nextcloud = pkgs.nextcloud23;
|
||||
hostName = "nextcloud.${config.services.nginx.domain}"
|
||||
in {
|
||||
services.nextcloud = {
|
||||
inherit hostName;
|
||||
|
||||
containers = {
|
||||
nextcloud = {
|
||||
image = "nextcloud:fpm-alpine";
|
||||
dependsOn = ["postgres"];
|
||||
volumes = [
|
||||
"nextcloud-root:/var/www/html"
|
||||
"nextcloud-apps:/var/www/html/custom_apps"
|
||||
"nextcloud-config:/var/www/html/config"
|
||||
"nextcloud-data:/var/www/html/data"
|
||||
];
|
||||
environment = {
|
||||
POSTGRES_DB = "nextcloud";
|
||||
POSTGRES_USER = "nextcloud";
|
||||
POSTGRES_HOST = "localhost";
|
||||
OVERWRITEPROTOCOL = "https";
|
||||
TRUSTED_PROXIES = "127.0.0.1";
|
||||
};
|
||||
};
|
||||
package = nextcloud;
|
||||
enable = true;
|
||||
maxUploadSize = "2G";
|
||||
https = true;
|
||||
|
||||
cron = {
|
||||
image = "nextcloud:fpm-alpine";
|
||||
entrypoint = "/cron.sh";
|
||||
dependsOn = ["postgres" "nextcloud"];
|
||||
extraOptions = ["--volumes-from=nextcloud-nextcloud"];
|
||||
};
|
||||
config = {
|
||||
overwriteProtocol = "https";
|
||||
|
||||
nginx = {
|
||||
image = "nginx:alpine";
|
||||
dependsOn = ["nextcloud"];
|
||||
volumes = [
|
||||
"nextcloud-root:/var/www/html:ro"
|
||||
"${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro"
|
||||
];
|
||||
extraOptions = ["--volumes-from=nextcloud-nextcloud"];
|
||||
};
|
||||
dbtype = "pgsql";
|
||||
dbhost = "/run/postgresql";
|
||||
|
||||
postgres = {
|
||||
image = "postgres:alpine";
|
||||
environment = {
|
||||
POSTGRES_DB = "nextcloud";
|
||||
POSTGRES_USER = "nextcloud";
|
||||
};
|
||||
volumes = ["nextcloud-postgres-14:/var/lib/postgresql/data"];
|
||||
};
|
||||
adminuser = "tlater";
|
||||
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
|
||||
|
||||
defaultPhoneRegion = "AT";
|
||||
};
|
||||
|
||||
# TODO(tlater): Add redis config. This will be much easier
|
||||
# starting with 22.11, since this will add an `extraOptions` where
|
||||
# the necessary redis config can go.
|
||||
};
|
||||
|
||||
# Ensure that this service doesn't start before postgres is ready
|
||||
systemd.services.nextcloud-setup.after = ["postgresql.service"];
|
||||
|
||||
# Set up SSL
|
||||
services.nginx.virtualHosts."${hostName}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
}
|
||||
|
|
30
configuration/services/postgres.nix
Normal file
30
configuration/services/postgres.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
||||
# Only enable connections via the unix socket, and check with the
|
||||
# OS to make sure the user matches the database name.
|
||||
#
|
||||
# See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
|
||||
authentication = ''
|
||||
local sameuser all peer
|
||||
'';
|
||||
|
||||
# Note: The following options with ensure.* are set-only; i.e.,
|
||||
# when permissions/users/databases are removed from these lists,
|
||||
# that operation needs to be performed manually on the system as
|
||||
# well.
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "nextcloud";
|
||||
ensurePermissions = {
|
||||
"DATABASE nextcloud" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
ensureDatabases = [
|
||||
"nextcloud"
|
||||
];
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue