nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nextcloud

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2026-05-03 00:00:07 +02:00
parent b2a322b269
commit 6ab13007de
8 changed files with 159 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
system-modules/nx2site/maddy.nix
View File

@@ -1,8 +1,12 @@
{ config, pkgs, ... }@all: with all; {
sops.secrets = {
"nx2site/maddy/nxcaldav_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/nextcloud_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/lennart_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/daniel_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/diane_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/georg_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
"nx2site/maddy/tessa_password" = { owner = "maddy"; group = "maddy"; mode = "600"; };
};
users.users."maddy" = {
extraGroups = [ "acme" "nginx" ];
@@ -15,13 +19,21 @@
hostname = "mail.${hyper.domain}";
ensureAccounts = [
"nxcaldav@${hyper.domain}"
"nextcloud@${hyper.domain}"
"lennart@${hyper.domain}"
"daniel@${hyper.domain}"
"diane@${hyper.domain}"
"georg@${hyper.domain}"
"tessa@${hyper.domain}"
];
ensureCredentials = {
"nxcaldav@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nxcaldav_password".path;
"nextcloud@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
"lennart@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/lennart_password".path;
"daniel@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/daniel_password".path;
"diane@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/diane_password".path;
"georg@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/georg_password".path;
"tessa@${hyper.domain}".passwordFile = config.sops.secrets."nx2site/maddy/tessa_password".path;
};
openFirewall = true;
@@ -34,12 +46,28 @@
};
# Enable TLS listeners. Configuring this via the module is not yet
# implemented, see https://github.com/NixOS/nixpkgs/pull/153372
config = builtins.replaceStrings [
config = (builtins.replaceStrings [
"imap tcp://0.0.0.0:143"
"submission tcp://0.0.0.0:587"
] [
"imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
"submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
] options.services.maddy.config.default;
] options.services.maddy.config.default) + ''
smtp tcp://127.0.0.1:2525 {
tls off
# 1. Allow local delivery (e.g., app sending to admin@nx2.site)
destination postmaster $(local_domains) {
deliver_to &local_routing
}
# 2. Allow remote delivery (e.g., app sending to gmail.com)
default_destination {
modify {
# Ensure outgoing mail is signed even if sent via 2525
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
'';
};
}

117
system-modules/nx2site/nextcloud.nix
View File

@@ -1,27 +1,98 @@
{ pkgs, ...}@all: with all;
{
sops.secrets = {
"nx2site/nextcloud/admin-pass" = { owner = "nextcloud"; };
"nx2site/nextcloud/db-pass" = { owner = "nextcloud"; };
# "nx2site/nextcloud/users-pass/nx2" = { owner = "nextcloud"; };
{ config, pkgs, ... }@all: with all; let
user = "nextcloud";
in {
sops.secrets = let ss = { owner = user; group = user; mode = "777"; }; in {
"nx2site/nextcloud/admin_pass" = ss;
"nx2site/nextcloud/db_pass" = ss;
"nx2site/nextcloud/lennart_pass" = ss;
"nx2site/nextcloud/daniel_pass" = ss;
"nx2site/nextcloud/diane_pass" = ss;
"nx2site/nextcloud/georg_pass" = ss;
"nx2site/nextcloud/tessa_pass" = ss;
};
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud;
hostName = "nc.${hyper.domain}";
https = true;
configureRedis = true;
config = {
adminpassFile = config.sops.secrets."nx2site/nextcloud/admin-pass".path;
adminuser = "nx2";
dbtype = "pgsql";
# dbhost = config.services.postgresql.settings.port; # using usix socket
dbname = "nextcloud";
dbpassFile = config.sops.secrets."nx2site/nextcloud/db-pass".path;
};
users.users."${user}" = {
isSystemUser = true;
isNormalUser = false;
group = user;
};
# users.groups."${user}" = {};
users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
services.nextcloud = {
enable = true;
hostName = "n.${hyper.domain}";
# Need to manually increment with every major upgrade.
package = pkgs.nextcloud33;
# Let NixOS install and configure the database automatically.
# database.createLocally = false;
# Let NixOS install and configure Redis caching automatically.
configureRedis = true;
# Increase the maximum file upload size.
maxUploadSize = "16G";
https = true;
# autoUpdateApps.enable = true;
appstoreEnable = false;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit calendar contacts notes tasks;
};
settings = {
overwriteProtocol = "https";
default_phone_region = "DE";
"mail_smtpmode" = "smtp";
"mail_smtphost" = "127.0.0.1";
"mail_smtpport" = 2525;
"mail_from_address" = "nextcloud";
"mail_domain" = hyper.domain;
"mail_smtpsecure" = ""; # = STARTTLS
# "mail_smtpauth" = true;
# "mail_smtpauthtype" = "LOGIN";
# "mail_smtpname" = "nextcloud@${hyper.domain}";
};
secrets."mail_smtppassword" = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
# secrets.settings."mail_smtppassword" = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
config = {
adminpassFile = config.sops.secrets."nx2site/nextcloud/admin_pass".path;
dbtype = "pgsql";
adminuser = "nextcloud";
# dbhost = "localhost:5432";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbuser = "nextcloud";
dbpassFile = config.sops.secrets."nx2site/nextcloud/db_pass".path;
};
phpOptions = {
"memory_limit" = pkgs.lib.mkForce "2G";
"opcache.interned_strings_buffer" = "16";
};
};
systemd.services.nextcloud-ensure-users = let
users = pkgs.lib.mergeAttrsList (pkgs.lib.map (name: {
"${name}" = {
email = "${name}@nx2.site";
passwordFile = config.sops.secrets."nx2site/nextcloud/${name}_pass".path;
};
}) [ "lennart" "daniel" "diane" "georg" "tessa" ]);
in {
enable = true;
script = let occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; in /* bash */ ''
${pkgs.lib.optionalString (users != {}) ''
${pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList (name: cfg: ''
if ${occ} user:info "${name}" | grep "user not found"; then
export OC_PASS="$(cat ${pkgs.lib.escapeShellArg cfg.passwordFile})"
${occ} user:add --password-from-env "${name}"
fi
${pkgs.lib.optionalString (cfg.email != null) ''
${occ} user:setting "${name}" settings email "${cfg.email}"
''}
'') users)}
''}
'';
wantedBy = [ "multi-user.target" ];
after = [ "nextcloud-setup.service" ];
};
services.phpfpm.pools.nextcloud.settings = pkgs.lib.mkIf config.services.nextcloud.enable {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
};
}

4
system-modules/nx2site/nxcaldav.nix
View File

@@ -112,6 +112,10 @@
User = user;
Group = user;
ExecStart = ''${nxc}/bin/nxcaldav -c ${cfg}'';
Restart = "on-failure";
RestartSec = 5;
StartLimitBurst = 5;
StartLimitIntervalSec = 60;
};
};
}

10
system-modules/nx2site/proxy.nix
View File

@@ -173,6 +173,14 @@
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:14243"; }; };
});
"n.${hyper.domain}" = {
listen = dl;
forceSSL = true;
enableACME = true;
# rest is done by the nextcloud module
};
# "nc.${hyper.domain}" = vh // {
# # directly to nc
# };
@@ -240,7 +248,7 @@
};
};
};
"~^(.*).${hyper.domain}$" = {
"~^(?!n\.)(.*)\.${hyper.domain}$" = {
listen = dl;
root = "/var/nginx/webroot";
locations."~.*".return = "502";