mirror of
https://gitlab.com/upRootNutrition/dotfiles.git
synced 2025-12-06 21:17:14 -06:00
163 lines
3.8 KiB
Nix
Executable file
163 lines
3.8 KiB
Nix
Executable file
{
|
|
flake,
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
inherit (flake.config.people) user0;
|
|
inherit (flake.config.people.users.${user0}) name;
|
|
inherit (flake.config.services.instances)
|
|
nextcloud
|
|
nginx
|
|
caddy
|
|
smtp
|
|
web
|
|
;
|
|
service = nextcloud;
|
|
localhost = web.localhost.address0;
|
|
host = service.domains.url0;
|
|
|
|
in
|
|
{
|
|
services = {
|
|
nextcloud = {
|
|
appstoreEnable = true;
|
|
autoUpdateApps.enable = true;
|
|
configureRedis = true;
|
|
enable = true;
|
|
hostName = host;
|
|
https = true;
|
|
package = pkgs.nextcloud31;
|
|
phpOptions."opcache.interned_strings_buffer" = "24";
|
|
extraAppsEnable = true;
|
|
extraApps = {
|
|
inherit (pkgs.nextcloud31Packages.apps)
|
|
contacts
|
|
calendar
|
|
deck
|
|
;
|
|
};
|
|
config = {
|
|
adminpassFile = config.sops.secrets."${service.name}-pass".path;
|
|
adminuser = name;
|
|
dbtype = "pgsql";
|
|
};
|
|
database = {
|
|
createLocally = true;
|
|
};
|
|
settings = {
|
|
default_phone_region = "CA";
|
|
log_type = "file";
|
|
mail_domain = host;
|
|
mail_from_address = "noreply";
|
|
mail_sendmailmode = smtp.name;
|
|
mail_smtpmode = smtp.name;
|
|
mail_smtphost = smtp.hostname;
|
|
mail_smtpport = smtp.ports.port1;
|
|
mail_smtpsecure = "";
|
|
mail_smtptimeout = 30;
|
|
mail_smtpauth = 1;
|
|
mail_smtpname = smtp.email.address0;
|
|
mail_smtppassword = config.sops.secrets."${service.name}-smtp".path;
|
|
maintenance_window_start = 4;
|
|
overwriteprotocol = "https";
|
|
trusted_proxies = [
|
|
localhost
|
|
web.localhost.address1
|
|
];
|
|
security.headers = {
|
|
Strict-Transport-Security = "max-age=15552000; includeSubDomains";
|
|
X-XSS-Protection = "1; mode=block";
|
|
X-Content-Type-Options = "nosniff";
|
|
X-Frame-Options = "SAMEORIGIN";
|
|
Referrer-Policy = "strict-origin-when-cross-origin";
|
|
};
|
|
};
|
|
|
|
};
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts.${host} = {
|
|
listen = [
|
|
{
|
|
addr = localhost;
|
|
port = nginx.ports.port0;
|
|
}
|
|
];
|
|
forceSSL = false;
|
|
onlySSL = false;
|
|
addSSL = false;
|
|
};
|
|
};
|
|
caddy = {
|
|
virtualHosts = {
|
|
":${toString caddy.ports.port3}" = {
|
|
extraConfig = ''
|
|
header {
|
|
# Enable XSS protection and block instead of sanitizing
|
|
X-XSS-Protection "1; mode=block"
|
|
# Enable HSTS with 6 month duration
|
|
Strict-Transport-Security "max-age=15552000; includeSubDomains"
|
|
# Additional security headers
|
|
X-Content-Type-Options "nosniff"
|
|
X-Frame-Options "SAMEORIGIN"
|
|
Referrer-Policy "strict-origin-when-cross-origin"
|
|
# Remove server identification
|
|
-Server
|
|
}
|
|
reverse_proxy http://${localhost}:${toString nginx.ports.port0}
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
sops =
|
|
let
|
|
sopsPath = secret: {
|
|
path = "${service.sops.path0}/${service.name}-${secret}";
|
|
owner = service.name;
|
|
mode = "600";
|
|
};
|
|
in
|
|
{
|
|
secrets = builtins.listToAttrs (
|
|
map
|
|
(secret: {
|
|
name = "${service.name}-${secret}";
|
|
value = sopsPath secret;
|
|
})
|
|
[
|
|
"pass"
|
|
"smtp"
|
|
]
|
|
);
|
|
};
|
|
|
|
systemd = {
|
|
tmpfiles.rules = [
|
|
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
|
];
|
|
};
|
|
|
|
users.users.${service.name} = {
|
|
packages = with pkgs; [
|
|
php
|
|
];
|
|
extraGroups = [
|
|
"caddy"
|
|
"nginx"
|
|
"postgres"
|
|
];
|
|
};
|
|
|
|
networking = {
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
nginx.ports.port0
|
|
service.ports.port0
|
|
caddy.ports.port3
|
|
];
|
|
};
|
|
};
|
|
}
|