From 35e93ce43b12e3be922e37b27f74d5d4b86929f4 Mon Sep 17 00:00:00 2001 From: "root@dishwasher" Date: Sun, 26 Jun 2022 21:17:20 +0200 Subject: [PATCH] nextcloud: init --- flake.nix | 16 +++ hosts/dishwasher/configuration.nix | 1 + hosts/dishwasher/default.nix | 1 + hosts/dishwasher/hardware-configuration.nix | 6 + hosts/dishwasher/mcvm-network.nix | 51 ++++++++ microvms/nextcloud/default.nix | 122 ++++++++++++++++++++ microvms/nextcloud/oxaproxy.nix | 58 ++++++++++ microvms/nextcloud/secrets.nix | 11 ++ 8 files changed, 266 insertions(+) create mode 100644 hosts/dishwasher/mcvm-network.nix create mode 100644 microvms/nextcloud/default.nix create mode 100644 microvms/nextcloud/oxaproxy.nix create mode 100644 microvms/nextcloud/secrets.nix
diff --git a/flake.nix b/flake.nix
index cc9a3fe..2d4f13d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,6 +50,22 @@
 microvm.nixosModules.host
 ./hosts/dishwasher
 ./modules/basic-tools.nix
+ ./modules/binary-caches.nix
+
+ {
+ microvm.vms.nextcloud = {
+ flake = self;
+ updateFlake = "git+file:///etc/nixos";
+ };
+ }
+ ];
+ };
+ nextcloud = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ sops-nix.nixosModules.sops
+ microvm.nixosModules.microvm
+ ./microvms/nextcloud
 ];
 };
 };
diff --git a/hosts/dishwasher/configuration.nix b/hosts/dishwasher/configuration.nix
index 258c3a5..ea1b070 100644
--- a/hosts/dishwasher/configuration.nix
+++ b/hosts/dishwasher/configuration.nix
@@ -61,6 +61,7 @@
 # List services that you want to enable:
 # Enable the OpenSSH daemon.
+ programs.mosh.enable = true;
 services.openssh = {
 enable = true;
 permitRootLogin = "prohibit-password";
diff --git a/hosts/dishwasher/default.nix b/hosts/dishwasher/default.nix
index c50e6cf..b6c6651 100644
--- a/hosts/dishwasher/default.nix
+++ b/hosts/dishwasher/default.nix
@@ -4,5 +4,6 @@
 ./hardware-configuration.nix
 ./secrets.nix
 ./oxalab.nix
+ ./mcvm-network.nix
 ];
 }
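Review bot: `programs.mosh.enable = true;` is inserted directly under the `# Enable the OpenSSH daemon.` comment, so that comment now describes the wrong line; move the new option above the comment or give it its own. Enabling mosh also, as far as I recall for this nixpkgs generation, adds the mosh-server UDP range (60000–61000) to the host firewall unconditionally, which is an exposure change the commit message does not mention — confirm against the `programs.mosh` module and record it, e.g. `programs.mosh.enable = true; # NOTE: also opens UDP 60000-61000 in networking.firewall`. The enclosing attribute set starts and ends outside the hunk.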
diff --git a/hosts/dishwasher/hardware-configuration.nix b/hosts/dishwasher/hardware-configuration.nix
index 68182c8..ebbd0ff 100644
--- a/hosts/dishwasher/hardware-configuration.nix
+++ b/hosts/dishwasher/hardware-configuration.nix
@@ -31,6 +31,12 @@
 options = [ "subvol=var-log" "compress=zstd" "noatime" ];
 };
+ fileSystems."/var/microvms" =
+ { device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
+ fsType = "btrfs";
+ options = [ "subvol=microvms" "compress=zstd" "noatime" ];
+ };
+
 fileSystems."/nix" =
 { device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
 fsType = "btrfs";
diff --git a/hosts/dishwasher/mcvm-network.nix b/hosts/dishwasher/mcvm-network.nix
new file mode 100644
index 0000000..518cab8
--- /dev/null
+++ b/hosts/dishwasher/mcvm-network.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }: {
+ systemd.network = {
+ netdevs."microvm-bridge".netdevConfig = {
+ Kind = "bridge";
+ Name = "microvm-bridge";
+ };
+
+ networks."0-microvm-bridge" = {
+ matchConfig.Name = "microvm-bridge";
+ networkConfig = {
+ DHCPServer = false;
+ IPv6SendRA = true;
+ };
+ addresses = [ {
+ addressConfig.Address = "10.99.99.1/24";
+ } {
+ addressConfig.Address = "fd12:3456:789a::1/64";
+ } ];
+ ipv6Prefixes = [ {
+ ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64";
+ } ];
+ # networkConfig = {
+ # Address = "10.99.99.1/24";
+ # IPForward = "ipv4";
+ # };
+ # routes = [{
+ # routeConfig = {
+ # GatewayOnLink = true;
+ # };}];
+ # IPForward = "ipv4";
+ # DHCPServer = true;
+ # IPv6SendRA = true;
+ # addresses = [{
+ # addressConfig.Address = "10.99.99.1/24";
+ # }];
+ };
+
+ networks."1-microvm-bridge" = {
+ matchConfig.Name = "vm-*";
+ networkConfig.Bridge = "microvm-bridge";
+ };
+ };
+
+ networking.nat = {
+ enable = true;
+ enableIPv6 = true;
+ externalInterface = "enp1s0";
+ internalInterfaces = [ "microvm-bridge" ];
+ };
+
+}
diff --git a/microvms/nextcloud/default.nix b/microvms/nextcloud/default.nix
new file mode 100644
index 0000000..c6c07bd
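Review bot: The new btrfs subvolume is mounted at `/var/microvms`, but the guest's persistent state in this same patch is shared from `/var/lib/microvms/${config.networking.hostName}/{etc,var,home}` (microvms/nextcloud/default.nix), and microvm.nix's host module keeps VM state under `/var/lib/microvms` by default, so unless `/var/microvms` is referenced somewhere not shown, the Nextcloud data, the Postgres cluster and the guest's `/etc/ssh` host keys will land on the root filesystem instead of on this subvolume. Either mount it where the shares look, `fileSystems."/var/lib/microvms" =`, or point the share sources at `/var/microvms/...`. The surrounding `fileSystems` declarations continue outside the hunk.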
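Review bot: Roughly half of `networks."0-microvm-bridge"` is commented-out earlier attempts (`# networkConfig = {` through `# }];`), and some of them contradict the live settings (`# DHCPServer = true;` versus `DHCPServer = false;`), so the effective bridge configuration is hard to read; delete the dead block. Separately, the bridge advertises only an address prefix (`IPv6SendRA = true` with no DNS emission) and the guest side in oxaproxy.nix sets no `DNS=` on its uplink either, so name resolution inside the VM presumably comes from configuration not in this patch — confirm, since `autoUpdateApps` needs it. `networking.nat` on `enp1s0` also gives every VM on the bridge unrestricted egress; if the Nextcloud guest should only ever talk to the WireGuard endpoint, a forward-chain rule on the bridge is the place to tighten that, and a one-line comment stating the intended egress policy would help either way.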
--- /dev/null
+++ b/microvms/nextcloud/default.nix
@@ -0,0 +1,122 @@
+{ config, pkgs, ... }: {
+
+ imports = [
+ ./oxaproxy.nix
+ ./secrets.nix
+ ];
+
+ # nextcloud goes here
+ networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 8080 ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [{
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }];
+ };
+
+ services.redis.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ virtualHosts."nc.oxapentane.com" = {
+ extraConfig = ''
+ # HTTP response headers borrowed from Nextcloud .htaccess
+ add_header Referrer-Policy "no-referrer" always;
+ #add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ #add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+ '';
+ listen = [{
+ # We are listening on wireguard interface only
+ addr = "10.34.45.100";
+ port = 8080;
+ ssl = false;
+ }];
+ };
+ };
+
+ services.nextcloud = {
+ enable = true;
+ hostName = "nc.oxapentane.com";
+ home = "/var/lib/nextcloud-oxa";
+ package = pkgs.nextcloud24;
+ maxUploadSize = "5000M";
+ caching.redis = true;
+ autoUpdateApps = {
+ enable = true;
+ startAt = "07:00:00";
+ };
+ config = {
+ overwriteProtocol = "https";
+ trustedProxies = [ "10.34.45.1" ];
+
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ adminuser = "admin";
+ adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+ };
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+
+
+
+ microvm = {
+ hypervisor = "qemu";
+ mem = 4 *
1024;
+
+ shares = [{
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }] ++ map (dir: {
+ source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
+ mountPoint = "/${dir}";
+ tag = dir;
+ proto = "virtiofs";
+ socket = "${dir}.socket";
+ }) [ "etc" "var" "home" ];
+
+ interfaces = [{
+ type = "tap";
+ id = "vm-nextcloud";
+ mac = "EA:40:E8:60:C5:36";
+ }];
+ };
+
+ networking = {
+ hostName = "nextcloud";
+ };
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 cardno:16 811 348"
+ ];
+
+ system.stateVersion = "22.05";
+ }
diff --git a/microvms/nextcloud/oxaproxy.nix b/microvms/nextcloud/oxaproxy.nix
new file mode 100644
index 0000000..42290ac
--- /dev/null
+++ b/microvms/nextcloud/oxaproxy.nix
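Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` opens SSH on every guest interface, including the `oxaproxy` WireGuard link, so the reverse-proxy network (10.34.45.0/24, which the peer's AllowedIPs admits) can reach root SSH on this VM, while the comment on the nginx `listen` block shows the intent is to expose only 8080 there. Scope SSH to the host-side uplink and stop the openssh module from opening the port globally, which it does by default: `services.openssh = { enable = true; openFirewall = false; permitRootLogin = "prohibit-password"; };` plus `networking.firewall.interfaces.enp0s8.allowedTCPPorts = [ 22 ];` (interface name as matched in oxaproxy.nix). Two of the "borrowed" headers (`X-Content-Type-Options`, `X-Frame-Options`) are commented out with no explanation; if that is because the NixOS nextcloud module already emits these headers via `services.nextcloud.nginx.recommendedHttpHeaders` (on by default, as far as I can tell), the whole `extraConfig` header block is duplicated and should be dropped — verify with `curl -sI` through the proxy. `autoUpdateApps.enable = true` also installs app-store releases unattended, a supply-chain choice worth a one-line comment next to it.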
@@ -0,0 +1,58 @@
+{ config, ... }: {
+ networking.wireguard.enable = true;
+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+ netdevs."10-oxaproxy" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "oxaproxy";
+ Description = "oxa's enterprise reverse-proxy network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
+ #own pubkey: KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=
+ };
+ wireguardPeers = [
+ {
+ # cirrus
+ wireguardPeerConfig = {
+ PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
+ AllowedIPs = [ "10.34.45.0/24" ];
+ Endpoint = [ "95.216.166.21:51821" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."10-oxaproxy" = {
+ matchConfig.Name = "oxaproxy";
+ networkConfig = {
+ Address = "10.34.45.100/24";
+ };
+ };
+
+ networks."111-host" = {
+ matchConfig.Name = "enp0s8";
+ networkConfig = {
+ Address = "10.99.99.100/24";
+ };
+ routes = [
+ {
+ routeConfig = {
+ Gateway="10.99.99.1";
+ Destination="0.0.0.0/0";
+ Metric=1024;
+ };
+ }
+ {
+ routeConfig = {
+ Gateway="10.99.99.1";
+ Destination="10.99.99.0/24";
+ Metric=1024;
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/microvms/nextcloud/secrets.nix b/microvms/nextcloud/secrets.nix
new file mode 100644
index 0000000..50ae8e0
--- /dev/null
+++ b/microvms/nextcloud/secrets.nix
@@ -0,0 +1,11 @@
+{ config, ... }: {
+ sops.defaultSopsFile = ../../secrets/nextcloud/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets."wg/oxaproxy-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ sops.secrets."nextcloud/adminpass" = {
+ owner = config.users.users.nextcloud.name;
+ };
+}
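Review bot: `matchConfig.Name = "enp0s8"` in `networks."111-host"` ties the guest's only uplink to whatever name the kernel gives the tap device under QEMU, so a change in the VM's device layout leaves the guest with no default route and therefore no WireGuard handshake, with nothing in this file to flag it; the interface MAC is already pinned in default.nix (`mac = "EA:40:E8:60:C5:36"`), so match on that instead: `matchConfig.MACAddress = "EA:40:E8:60:C5:36";`. The second route (`Destination="10.99.99.0/24"` via `10.99.99.1`) duplicates the on-link route that the `/24` in `Address` already creates and can be dropped. Limiting the peer's `AllowedIPs` to `10.34.45.0/24` is the right call — it keeps the tunnel from becoming a default route and confines what cirrus can source-spoof into the guest — and deserves a comment saying so, e.g. `# only the proxy subnet: the tunnel must never carry default-route traffic`.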
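Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the guest's SSH host key the decryption identity for every secret in this file, and in this patch the guest's `/etc` is a virtiofs share backed by a host directory (`/var/lib/microvms/nextcloud/etc` per default.nix), so the WireGuard private key and the Nextcloud admin password are decryptable by anything on the host that can read that directory — fine if the hypervisor is inside the trust boundary, but it should be stated: `# age identity = guest SSH host key; it lives on the host's virtiofs share, so host root can decrypt these`. It also means the identity only exists after sshd generates it on first boot; confirm that sops-nix's activation tolerates a missing key on that first start, or pre-provision the host key into the share before launching the VM.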