diff --git a/hosts/next/agenix.nix b/hosts/next/agenix.nix
new file mode 100644
index 0000000..e53bb04
--- /dev/null
+++ b/hosts/next/agenix.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }: {
+ imports = [
+
+ ];
+
+ environment.systemPackages = [ (pkgs.callPackage {}) ];
+ age.secrets.secret_restic = {
+ file = ./secrets/secret_restic.age;
+ path = "/run/restic_pass";
+ };
+ age.secrets.secret_nextcloud_admin = {
+ file = ./secrets/nextcloud-admin-pass.age;
+ path = "/run/nextcloud-admin";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ age.secrets.secret_nextcloud_db = {
+ file = ./secrets/nextcloud-db-pass.age;
+ path = "/run/nextcloud-db";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+}
diff --git a/hosts/next/backup.nix b/hosts/next/backup.nix
new file mode 100644
index 0000000..136b473
--- /dev/null
+++ b/hosts/next/backup.nix
@@ -0,0 +1,15 @@
+{config, pkgs, ...}:
+{
+services.restic.backups = {
+ localbackup = {
+ initialize = true;
+ passwordFile = "/run/restic_pass";
+ paths = [ "/var/lib/nextcloud/data/" ];
+ repository = "rest:https://back.atlanticaweb.fr/Nextcloud";
+ timerConfig = {
+ OnCalendar = "00:05";
+ RandomizedDelaySec = "5h";
+ };
+ };
+};
+}
diff --git a/hosts/next/configuration.nix b/hosts/next/configuration.nix
new file mode 100644
index 0000000..52803ea
--- /dev/null
+++ b/hosts/next/configuration.nix
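Review bot: `environment.systemPackages = [ (pkgs.callPackage {}) ];` cannot evaluate: `callPackage` expects a package function (or a path to one) plus an argument set, and a bare `{}` is neither, so the host fails to build before any secret is installed. Presumably this was meant to install the agenix CLI; reference that package from wherever the agenix input is exposed in this repository, or drop the line (the same statement is already commented out in configuration.nix). The empty `imports = [ ];` is also worth a look, since `age.secrets.*` only exists once the agenix NixOS module is imported somewhere; if that happens at the flake/host level, fine, otherwise this file is where the import belongs.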
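Review bot: `passwordFile = "/run/restic_pass";` hard-codes the path chosen in agenix.nix instead of reading it from the option system; `passwordFile = config.age.secrets.secret_restic.path;` keeps the two in sync, and `config` is already a parameter of this file but unused. The same applies to `dbpassFile` and `adminpassFile` in nextcloud.nix, which could use `config.age.secrets.secret_nextcloud_db.path` and `config.age.secrets.secret_nextcloud_admin.path`. Separately, `paths` covers only `/var/lib/nextcloud/data/`, so the PostgreSQL database is never backed up and a restore would have files without their metadata and shares; a `backupPrepareCommand` that dumps the database into a directory included in `paths` closes that gap. It is also worth confirming that the `rest:https://…` repository is not an unauthenticated rest-server: the URL carries no credentials, and if the server requires them they belong in a secret referenced via `environmentFile` rather than in the URL.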
@@ -0,0 +1,31 @@
+{ pkgs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./nextcloud.nix
+ ./backup.nix
+ ../modules/users.nix
+ ../modules/common.nix
+ ../modules/prometheus-node.nix
+ ./agenix.nix
+#
+ ];
+
+ system.stateVersion = "21.05";
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "next";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUA1RW6JwZasspAp8qmFRFnlV5WXjhLfStAAkM+KYLv lucazeau.alexandre@gmail.com"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 22 9002];
+ services.qemuGuest.enable = true;
+
+# environment.systemPackages = [ (pkgs.callPackage {}) ];
+# age.secrets.secret_restic = {
+# file = ./secrets/secret_restic.age;
+# path = "/run/restic_pass";
+# };
+
+}
diff --git a/hosts/next/hardware-configuration.nix b/hosts/next/hardware-configuration.nix
new file mode 100644
index 0000000..a08c213
--- /dev/null
+++ b/hosts/next/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/next/nextcloud.nix b/hosts/next/nextcloud.nix
new file mode 100644
index 0000000..d5a678d
--- /dev/null
+++ b/hosts/next/nextcloud.nix
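Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 22 9002];` opens the node exporter port to every source address, and the exporter definition in this commit (hosts/next/prometheus-node.nix) sets no `listenAddress`, so it binds on all interfaces; unless the scraper's source is restricted somewhere not in the diff (the imported `../modules/prometheus-node.nix` is not visible), limit 9002 to the Prometheus host with `networking.firewall.interfaces.<iface>.allowedTCPPorts` or `networking.firewall.extraCommands`. Port 22 in that list is redundant because `services.openssh` opens its port by itself (`openFirewall` defaults to true), and root access here relies on the module's default login policy; stating it explicitly, e.g. `services.openssh.passwordAuthentication = false;` (option name depends on the nixpkgs release), makes the intent reviewable. The stray `+#` line inside `imports` and the commented-out `environment.systemPackages`/`age.secrets.secret_restic` block at the end duplicate agenix.nix and should be deleted rather than kept as dead configuration.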
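Review bot: `fileSystems."/" = { device = "/dev/sda1"; ... }` and `boot.loader.grub.device = "/dev/sda";` address the disk by enumeration name, so a change in device order (for example attaching a second virtual disk) leaves the guest unbootable; `device = "/dev/disk/by-uuid/<root-fs-uuid>";` (placeholder) is the stable form for the root filesystem. `boot.initrd.kernelModules = [ "nvme" ];` has no effect for a `/dev/sda1` root and looks copied from a template; harmless, but a one-line comment on why it is kept, or its removal, would avoid the question next time.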
@@ -0,0 +1,86 @@
+{config, pkgs, ...}:
+{
+
+# Enable Nginx
+services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+# Setup Nextcloud virtual host to listen on ports
+ virtualHosts = {
+
+ "next.atlanticaweb.fr" = {
+ ## Force HTTP redirect to HTTPS
+ forceSSL = true;
+ ## LetsEncrypt
+ enableACME = true;
+ };
+ };
+};
+
+security.acme.defaults.email = "lucazeau.alexandre@gmail.com";
+security.acme.acceptTerms = true;
+
+# Actual Nextcloud Config
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud24;
+ hostName = "next.atlanticaweb.fr";
+ # Enable built-in virtual host management
+ # Takes care of somewhat complicated setup
+ # See here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/nextcloud.nix#L529
+
+
+ # Use HTTPS for links
+ https = true;
+
+ # Auto-update Nextcloud Apps
+ autoUpdateApps.enable = true;
+ # Set what time makes sense for you
+ autoUpdateApps.startAt = "05:00:00";
+
+ config = {
+ # Further forces Nextcloud to use HTTPS
+ overwriteProtocol = "https";
+
+ # Nextcloud PostegreSQL database configuration, recommended over using SQLite
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = "/run/nextcloud-db";
+ #dbpassFile = "/var/nextcloud-db-pass";
+
+ adminpassFile = "/run/nextcloud-admin";
+ #adminpassFile = "/var/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+};
+
+# Enable PostgreSQL
+ services.postgresql = {
+ enable = true;
+
+ # Ensure the database, user, and permissions always exist
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+};
+
+ # 
Ensure that postgres is running before running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+};
+}
diff --git a/hosts/next/prometheus-node.nix b/hosts/next/prometheus-node.nix
new file mode 100644
index 0000000..9814e32
--- /dev/null
+++ b/hosts/next/prometheus-node.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+ {
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ }
diff --git a/hosts/next/secrets/nextcloud-admin-pass.age b/hosts/next/secrets/nextcloud-admin-pass.age
new file mode 100644
index 0000000..a703b07
--- /dev/null
+++ b/hosts/next/secrets/nextcloud-admin-pass.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1 +-> ssh-ed25519 AsRWPA 5ZW4bbKR4eBq9udfQt0aSxKLGqeRfK12CKbK5uO8PXQ +jFF9AppAOlTo3K1djnZs6RiqgUvdnxD0qa/oiB/MAhs +-> ssh-ed25519 AsRWPA l6PCaq/TiVFb5u6ohyQKDGuRkg5dXWOnnkvXRfo9eng +YPxMklq50g8aOsWEbkfk8pprzfUOh2ks7g1HoEuGFRQ +-> 6p!-grease J= W~ +MiJKoixj2WhO2O/DBIfPe80yu7mZ8wIVxyfNhw +--- CBRiDc/5kln0elYaqSxwgp39zUWfIPv1/QgLCE39CYw +>A+T.Setݯ ;{zUF2%Cȏ \ No newline at end of file
diff --git a/hosts/next/secrets/nextcloud-db-pass.age b/hosts/next/secrets/nextcloud-db-pass.age
new file mode 100644
index 0000000..690d2c8
Binary files /dev/null and b/hosts/next/secrets/nextcloud-db-pass.age differ
diff --git a/hosts/next/secrets/secret_restic.age b/hosts/next/secrets/secret_restic.age
new file mode 100644
index 0000000..0b0db10
--- /dev/null
+++ b/hosts/next/secrets/secret_restic.age
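Review bot: The three comment lines under `hostName` (`# Enable built-in virtual host management` through `#L529`) describe an option that is not set anywhere in this file — only blank lines follow them — and a `master`/`#L529` link will not keep pointing at the same code; either restore the setting they describe or delete them, and pin any kept reference to a commit rather than a branch. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` replaces the nginx module's default cipher list, which is already forward-secret only, with a narrower AES-256-only set (dropping ChaCha20-Poly1305 and AES-128-GCM for no security gain), and as far as I know the `EDH` half is only honoured by nginx when DH parameters are configured, which this file does not do; unless a compliance requirement calls for it, removing `sslCiphers` and the "Only allow PFS-enabled ciphers" comment is the safer default. The commented-out `#dbpassFile`/`#adminpassFile` alternates are leftovers from the pre-agenix layout and can go.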
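Review bot: `hosts/next/prometheus-node.nix` is never imported by this commit — configuration.nix lists `../modules/prometheus-node.nix`, not `./prometheus-node.nix` — so this file is dead unless something outside the diff imports it; switch the import or drop the file so the exporter has one source of truth. Whichever copy is live, `node` sets no `listenAddress`, so the exporter binds all interfaces; `listenAddress` set to the interface the Prometheus server reaches, or the module's `openFirewall` in place of the hand-listed 9002 in configuration.nix, makes the exposure explicit and reviewable. The `config`, `pkgs` and `lib` parameters are all unused and could be reduced to `{ ... }:`.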
@@ -0,0 +1,11 @@
+age-encryption.org/v1 +-> ssh-ed25519 cRwSCQ R0+fx+GjiA4oGjdu1jaMAiXFvOD/TAmh+od55rShTGw +FBk21m1dWNmo4X3mnjBhvZrlXAlcUFNiNs96BU8NHCU +-> ssh-ed25519 cRwSCQ GAcBRtCTRUnPrXDXpU8It5OQnz+3J8IdqHiWW5k200s +rCGGuHZ4helvsIQPLBWDMCPV3ZvOMoJ7kPxmwB+RJGw +-> ssh-ed25519 AsRWPA PNboiDuuin5kY7HMLzZYruip0whF9xs1IAr9RNfQwXA +3mmQBxi3IGgnHBsWNeUuDvoa3ZMhGJdbRksRQtiRk5k +-> :Gel-grease +atx1cHPtIL3FMjXKj5+MGm4 +--- cfMzYeRC6IY4Xsg+tMfT3SpMzwPPi7ZhS68NPbrLwDI +:e{*n<1?9X`T:AAw|OW \ No newline at end of file
diff --git a/hosts/next/secrets/secrets.nix b/hosts/next/secrets/secrets.nix
new file mode 100644
index 0000000..ac41a9e
--- /dev/null
+++ b/hosts/next/secrets/secrets.nix
@@ -0,0 +1,12 @@
+let
+ nextcloud-db = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgO3EpoG14fn0VYC69sSS0iI5ZEB4qx9adFS+L5U5ZB";
+ nextcloud-admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgO3EpoG14fn0VYC69sSS0iI5ZEB4qx9adFS+L5U5ZB";
+ restic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgO3EpoG14fn0VYC69sSS0iI5ZEB4qx9adFS+L5U5ZB";
+ users_nextcloud = [ nextcloud-db nextcloud-admin ];
+ users_backup = [ restic ];
+in
+{
+ "nextcloud-db-pass.age".publicKeys = users_nextcloud;
+ "nextcloud-admin-pass.age".publicKeys = users_nextcloud;
+ "secret_restic.age".publicKeys = users_backup;
+}
diff --git a/modules/common.nix b/modules/common.nix
index 046c9bd..5d3df66 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -15,6 +15,7 @@ procs plocate exa + age ]; # Nix Garbage Collector nix.gc = {
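Review bot: `nextcloud-db`, `nextcloud-admin` and `restic` are three names for the same `ssh-ed25519 AAAAC3…U5ZB` key, so the `users_nextcloud`/`users_backup` split grants nothing: one private key (presumably the host's SSH host key) decrypts every secret, and the naming suggests a separation that does not exist; naming it for what it is (e.g. `next-host`) and adding an operator key would also let the files be rekeyed without access to the host. The committed `.age` files disagree with this rule set: `secret_restic.age` carries stanzas for two distinct recipient tags (`cRwSCQ` and `AsRWPA`) while this file declares a single key for it, and `nextcloud-admin-pass.age` lists the `AsRWPA` recipient twice, so the files were encrypted against a different recipient list than the one declared here and a rekey from this file would change who can decrypt them. Rekeying all three against the intended list and checking the stanza tags afterwards would make `secrets.nix` the actual source of truth.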