
Author SHA1 Message Date
numbus df3c3d1c08 Update Whiteboard 2026-06-08 12:45:17 +02:00
numbus e98263b100 Update Immich 2026-06-08 12:42:04 +02:00
numbus 0500445003 Update Traefik 2026-06-08 12:40:06 +02:00
numbus ce4fa00b77 Update NixOS 2026-06-08 12:38:50 +02:00
numbus ec9b8f7d55 Update Traefik 2026-05-14 11:48:55 +02:00
numbus 0cc60dcd29 Update Nextcloud, Whiteboard and OnlyOffice 2026-05-14 11:48:03 +02:00
numbus 3b432d8bd4 Update Nextcloud 2026-04-13 09:21:29 +02:00
numbus 19b2459f65 Up the amount of RAM usable by Nextcloud 2026-04-12 15:12:01 +02:00
numbus 76fbcd86db Added screen package 2026-03-25 09:13:09 +01:00
numbus d1e511bfc0 Typo : 1 data disk 2026-03-15 12:34:23 +01:00
numbus 090cb2a7e4 Remove the /mnt/content-0 if more than 2 data disks 2026-03-15 12:30:20 +01:00
numbus c994337e1f Change onlyoffice headers. 2026-03-09 00:35:21 +01:00
numbus f1e24678b9 Remove security option to make Nextcloud onlyoffice work. 2026-03-09 00:28:25 +01:00
Raphaël Numbus dcde9fad01 Changed trusted proxy address. 2026-03-05 22:09:01 +01:00
Raphaël Numbus 3c41c307ee Fixed Nextcloud headers. OnlyOffice now works with Nextcloud. 2026-03-05 22:05:32 +01:00
Raphaël Numbus 7e4ef7b679 Get nextcloud-onlyoffice to work. 2026-03-05 13:04:24 +01:00
Raphaël Numbus 3e927af8f9 Get nextcloud-onlyoffice to work. 2026-03-05 12:58:05 +01:00
Raphaël Numbus 6de5f0cd28 Get gitea to work. 2026-03-05 12:48:25 +01:00
Raphaël Numbus 5394287b3a Home-assistant bug. Get nextcloud-onlyoffice to work. 2026-03-05 12:42:26 +01:00
Raphaël Numbus a4c0c2b051 Fixed home-assistant 400: bad request. Fixed Nextcloud-Quirk failing. Fixed Nextcloud-Onlyoffice mkdir: permission denied. 2026-03-05 09:24:51 +01:00
Raphaël Numbus 7933a3aa57 Added slirp4netns 2026-03-04 21:54:46 +01:00
Raphaël Numbus b5bece34ed Moved coral tpu config to a single file. Added slirp4netns. 2026-03-04 21:22:33 +01:00
Raphaël Numbus 4ab54cae0a Added AdGuard (NEEDS TESTING). Fixed bad indentation for middlewares. Switched from every 2 month periodic scan to every 3 months. 2026-03-03 22:27:24 +01:00
Raphaël Numbus e6907ddd0a Try to fix newuidmap exec not found 2026-03-03 22:08:21 +01:00
Raphaël Numbus 5bf87a1f83 Try to fix newuidmap exec not found 2026-03-03 22:04:58 +01:00
Raphaël Numbus cca3e0d42b Try to fix newuidmap exec not found 2026-03-03 21:46:15 +01:00
Raphaël Numbus f190eb2040 Try to fix newuidmap exec not found 2026-03-03 21:14:06 +01:00
Raphaël Numbus 96d049d486 Try to fix newuidmap exec not found 2026-03-03 20:49:21 +01:00
Raphaël Numbus e09301c493 Try to fix newuidmap exec not found 2026-03-03 16:30:21 +01:00
Raphaël Numbus 3721e41e94 Try to fix newuidmap exec not found 2026-03-03 16:00:48 +01:00
Raphaël Numbus 5b604fac08 Try to fix newuidmap exec not found 2026-03-03 15:43:21 +01:00
Raphaël Numbus e1ddf88300 Try to fix newuidmap exec not found 2026-03-03 15:35:18 +01:00
Raphaël Numbus 07e7084b1b Try to fix Traefik not launching on startup 2026-03-03 15:07:39 +01:00
Raphaël Numbus e46ee8495c Fixed Home-assistant script. 2026-03-03 14:45:23 +01:00
Raphaël Numbus 5cd7f661c0 Fixed passbolt error. 2026-03-03 14:38:25 +01:00
Raphaël Numbus 4d1448189c Added coral TPU driver compile files. Try to fix passbolt YAML error. 2026-03-03 14:23:53 +01:00
Raphaël Numbus 501383bc8d Get periodic scan to work. 2026-03-02 14:45:59 +01:00
Raphaël Numbus 331b686bae Get periodic scan to work. 2026-03-01 19:11:39 +01:00
Raphaël Numbus ca8e8c967e Remove unnecessary input 2026-03-01 17:58:26 +01:00
Raphaël Numbus 487889e3c6 Forgot with lib 2026-03-01 17:58:04 +01:00
Raphaël Numbus de6c80d7b4 Fixed bad option in it-tools, pi-hole and traefik. Added virtualization file. 2026-03-01 17:57:01 +01:00
Raphaël Numbus d384fe1f7c Fix clamAV onacc service. 2026-03-01 17:39:30 +01:00
Raphaël Numbus 65e1ba4ed2 Enable clamAV mail alerts. 2026-03-01 15:06:36 +01:00
Raphaël Numbus 6705329887 Debugging 2026-03-01 15:02:58 +01:00
Raphaël Numbus ae00cb69de Fix nextcloud-quirk systemD service failures. Also get clamAV configuration to work. 2026-03-01 14:49:28 +01:00
Raphaël Numbus 19b2ac7426 Fix nextcloud-quirk systemD service failures. 2026-03-01 14:25:19 +01:00
Raphaël Numbus b12f081bc3 Malformed if statement. 2026-03-01 14:10:38 +01:00
Raphaël Numbus 0ff3ec0e1b Fix nextcloud-quirk systemD service failures. 2026-03-01 14:08:03 +01:00
Raphaël Numbus 45495b114f Fix nextcloud-quirk systemD service failures. 2026-03-01 13:46:18 +01:00
Raphaël Numbus 3bfaf5fa6f Added periodic clamAV scan. Added mail alert on virus detection. 2026-03-01 13:18:35 +01:00
Raphaël Numbus bbe269bfcd Fix systemD service failures. 2026-03-01 12:25:12 +01:00
Raphaël Numbus af4f384797 Fixed syntax error. 2026-03-01 12:10:03 +01:00
Raphaël Numbus 68949dc81b Forgot to add lib. 2026-03-01 12:06:57 +01:00
Raphaël Numbus fad1f51323 Updated clamAV configuration. Fixed nextcloud-quirk typo. 2026-03-01 12:05:30 +01:00
Raphaël Numbus ab886a8a0b Fixed error. 2026-03-01 11:29:26 +01:00
Raphaël Numbus 87b857071d Add records for onlyoffice and whiteboard. 2026-03-01 11:22:16 +01:00
Raphaël Numbus ea86da660d Improved Nextcloud systemD services to avoid failures. Added middleware for carddav/caldav 2026-02-28 22:41:11 +01:00
Raphaël Numbus 41f8298078 Set slirp4netns as default bridge backend. 2026-02-28 18:24:21 +01:00
Raphaël Numbus 60bf000973 Fix missing else. 2026-02-28 15:14:44 +01:00
22 changed files with 500 additions and 101 deletions
+1 -1
@@ -2,7 +2,7 @@
description = "Numbus Server Module"; description = "Numbus Server Module";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
}; };
outputs = { self, nixpkgs }: { outputs = { self, nixpkgs }: {
+1
@@ -5,5 +5,6 @@
./boot.nix ./boot.nix
./cpu.nix ./cpu.nix
./disks.nix ./disks.nix
./pcie-coral.nix
]; ];
} }
+1 -1
@@ -265,7 +265,7 @@ in
services.snapraid = { services.snapraid = {
enable = true; enable = true;
contentFiles = [ "/mnt/content-0/snapraid.content" ] ++ contentFiles = (optionals (length cfg.dataDisksList == 1) [ "/mnt/content-0/snapraid.content" ]) ++
(map (i: "/mnt/content-${toString i}/snapraid.content") (range 1 (length cfg.dataDisksList))); (map (i: "/mnt/content-${toString i}/snapraid.content") (range 1 (length cfg.dataDisksList)));
parityFiles = map (i: "/mnt/parity-${toString i}/snapraid.parity") (range 1 (length cfg.parityDisksList)); parityFiles = map (i: "/mnt/parity-${toString i}/snapraid.parity") (range 1 (length cfg.parityDisksList));
dataDisks = listToAttrs (imap1 (i: _: nameValuePair "d${toString i}" "/mnt/content-${toString i}") cfg.dataDisksList); dataDisks = listToAttrs (imap1 (i: _: nameValuePair "d${toString i}" "/mnt/content-${toString i}") cfg.dataDisksList);
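Review bot: The single-disk special case on the contentFiles line carries no explanation, and the resulting layout is not obvious from the expression: with one data disk the content file is kept on /mnt/content-0 and /mnt/content-1, with more disks only on the data mounts themselves. A comment above the line such as `# One data disk: keep a second content copy on /mnt/content-0; with more disks each data mount already holds one` would record the intent — presumably a second copy on a separate device is wanted, which is worth confirming against where /mnt/content-0 is actually mounted. The enclosing services.snapraid block continues outside the hunk.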
+111
@@ -0,0 +1,111 @@
{ config, lib, pkgs, ... }:
let
cfg = config.numbus.hardware.pcie-coral;
gasket-driver = { stdenv, lib, fetchFromGitHub, kernel }: stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "97aeba584efd18983850c36dcf7384b0185284b3";
sha256 = "pJwrrI7jVKFts4+bl2xmPIAD01VKFta2SRuElerQnTo=";
};
makeFlags = [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "source/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ maintainers.kylehendricks ];
platforms = platforms.linux;
};
};
libedgetpu-pkg = { stdenv, lib, fetchFromGitHub, libusb1, abseil-cpp, flatbuffers, xxd }:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or []) ++ ["-DFLATBUFFERS_BUILD_SHAREDLIB=ON"];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or []) ++ ["--enable-shared"];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
makeFlags = ["-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
'';
};
gasket = config.boot.kernelPackages.callPackage gasket-driver {};
libedgetpu = pkgs.callPackage libedgetpu-pkg {};
in
{
options.numbus.hardware.pcie-coral = lib.mkEnableOption "PCIe Coral TPU support";
config = lib.mkIf cfg {
services.udev.packages = [ libedgetpu ];
users.groups.plugdev = {};
boot.extraModulePackages = [ gasket ];
};
}
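Review bot: The two derivations carry no comments for the choices a maintainer will need to revisit: why `gasket-driver` pins rev 97aeba58… with `hardeningDisable = [ "pic" "format" ]`, why `libedgetpu-pkg` rebuilds flatbuffers at 1.12.0 with `-Wno-error=…` and `-DFLATBUFFERS_BUILD_SHAREDLIB=ON`, and why `enableParallelBuilding = false`. A one-line comment on each (for example `# out-of-tree kernel module: pic/format hardening flags break the kernel build` — confirm that is the actual reason) plus a note that the tensorflow v2.7.4 checkout is only consumed through TFROOT would save the next reader reconstructing the rationale from the commit trail. `meta.maintainers = [ maintainers.kylehendricks ]` looks carried over from an upstream nixpkgs expression and does not describe who maintains this copy; drop it or note the origin. The pinned revisions and sha256 hashes are what keep the module build reproducible, so a comment reminding that both must be bumped together is worthwhile.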
+89
@@ -0,0 +1,89 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.numbus.services.clamav;
clamav_notifier = pkgs.writeScript "clamav-notify.sh" ''
#!${pkgs.bash}/bin/bash
# Check if triggered by Real-time event (file exists)
if [ -f /var/lib/clamav/virus_event.env ]; then
source /var/lib/clamav/virus_event.env
rm /var/lib/clamav/virus_event.env
fi
ADMIN_EMAIL="${config.numbus.mail.adminAddress}"
USER_EMAIL="${config.numbus.mail.userAddress}"
OWNER_NAME="${config.numbus.owner}"
if [ -n "$CLAM_VIRUSEVENT_VIRUSNAME" ]; then
# --- Real-time / VirusEvent Mode ---
SUBJECT="Numbus Server Alert: Virus Detected (Real-time)"
# Retrieve logs from clamav-daemon
LOGS=$(journalctl -u clamav-daemon.service -n 50 --no-pager | grep "FOUND")
TECH_BODY="
ClamAV Real-time Alert:
Server owner: $OWNER_NAME
Virus detected: $CLAM_VIRUSEVENT_VIRUSNAME
File: $CLAM_VIRUSEVENT_FILENAME
Logs:
$LOGS
Action taken: Access blocked (OnAccessPrevention).
Please investigate manually.
"
FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
L'antivirus de votre serveur a détecté et bloqué une menace en temps réel.
Fichier : $CLAM_VIRUSEVENT_FILENAME
Votre administrateur a été notifié.
"
else
# --- Scheduled Scan Summary Mode ---
SUBJECT="Numbus Server Alert: Virus Detected during Scheduled Scan"
# Retrieve logs (clamdscan prints FOUND when a virus is detected)
LOGS=$(journalctl -u clamav-periodic-scan.service -n 100 --no-pager | grep "FOUND")
TECH_BODY="
ClamAV Scan Alert:
Server owner: $OWNER_NAME
Viruses detected:
$LOGS
Action taken: Detection only.
Please investigate manually.
"
FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
L'antivirus de votre serveur a détecté une menace potentielle lors de l'analyse périodique.
Votre administrateur a été notifié avec les détails techniques.
Nous vous conseillons d'être prudent avec vos fichiers récents.
"
fi
printf "Subject: [ADMIN] %s\n\n%s" "$SUBJECT" "$TECH_BODY" | /run/wrappers/bin/sendmail -t "$ADMIN_EMAIL"
printf "Subject: [Alerte] Menace détectée sur votre serveur Numbus\n\n%s\n\nMerci de votre confiance,\nL'équipe de support,\nNumbus-Server." "$FRIENDLY_BODY" | /run/wrappers/bin/sendmail -t "$USER_EMAIL"
'';
in
{
config = mkIf cfg.enable {
systemd.services.clamav-virus-notify = {
description = "Email notification for ClamAV virus detection";
serviceConfig = {
Type = "oneshot";
ExecStart = "${clamav_notifier}";
};
};
};
}
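Review bot: `source /var/lib/clamav/virus_event.env` runs, in a unit that sets no `User=` and therefore executes as root, a file that the VirusEvent hook writes with plain `echo "...=\"$CLAM_VIRUSEVENT_FILENAME\""` — presumably as the unprivileged clamav user, which is what the sudo rule in clamav.nix is for — and the detected file's name is data chosen by whoever can write into the scanned directories, so a name containing a double quote or `$(` is interpreted as shell code by `source`. Have the writer emit shell-safe assignments, `printf 'CLAM_VIRUSEVENT_VIRUSNAME=%q\nCLAM_VIRUSEVENT_FILENAME=%q\n' "$CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME" > /var/lib/clamav/virus_event.env`, and preferably read the two values back with a line parser instead of sourcing; giving clamav-virus-notify its own `User=`/`DynamicUser=` would also keep the mail step out of root entirely. Separately, both `sendmail -t` calls pass a recipient on the command line while the piped message has no `To:` header; whether `-t` then honours command-line recipients depends on the MTA behind /run/wrappers/bin/sendmail, so add an explicit `To: $ADMIN_EMAIL` (and `To: $USER_EMAIL`) header, or drop `-t`, to make delivery unambiguous.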
+1
@@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./clamav.nix
./smart.nix ./smart.nix
./systemd.nix ./systemd.nix
./smtp.nix ./smtp.nix
+1
@@ -5,6 +5,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
screen
ncdu ncdu
fastfetch fastfetch
tpm2-tss tpm2-tss
+4 -1
@@ -4,8 +4,11 @@
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
virtualisation.podman.defaultNetwork.settings.dns_enabled = true; virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
virtualisation.containers.containersConf.settings = {
network.default_rootless_network_cmd = "slirp4netns";
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
podman
podman-compose podman-compose
podman-tui podman-tui
slirp4netns slirp4netns
+51
@@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
with lib;
let
# Version tagging
adguardVersion = "latest";
# Helper
helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.adguard;
# Container config
name = "adguard";
in
helper.mkPodmanService {
inherit name;
description = "AdGuard, feature-rich DNS service";
pod = "false";
defaultPort = "3000";
scheme = "http";
dependencies = [ "network.target" ];
dataDirEnabled = false;
startDelay = 10;
middlewares = [ "secureHeaders" ];
dirPermissions = [
"100999:100 ${cfg.configDir}"
];
# Compose file good
composeText = ''
services:
adguardhome:
image: adguard/adguardhome:${adguardVersion}
container_name: adguard
hostname: adguard
network_mode: pasta
user: '1000:1000'
ports:
- "3000:3000/tcp"
- "53:53/tcp"
- "53:53/udp"
volumes:
- ${cfg.configDir}/work:/opt/adguardhome/work
- ${cfg.configDir}/config:/opt/adguardhome/conf
cap_add:
- SYS_NICE
security_opt:
- no-new-privileges:true
restart: unless-stopped
'';
}
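Review bot: The compose file publishes `53:53/tcp` and `53:53/udp` from a rootless container (`user: '1000:1000'`, `network_mode: pasta`, started through the rootless podman service), and binding a host port below 1024 without privileges fails unless `net.ipv4.ip_unprivileged_port_start` is lowered, e.g. `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;` — consistent with the commit's own "NEEDS TESTING" and the import still commented out in the services list. The admin UI on `3000:3000/tcp` is bound on every host interface even though Traefik already fronts it with `secureHeaders`; if Traefik reaches the container through the host, binding to the LAN or loopback address explicitly keeps the setup/admin UI off the other interfaces. `cap_add: SYS_NICE` and the fixed `100999:100` ownership deserve a short comment saying why they are needed, since the `latest` image tag means the container's UID expectations can change underneath them.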
+70 -13
@@ -1,11 +1,47 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ with lib;
environment.systemPackages = [ pkgs.clamav pkgs.curl ];
services.clamav = { let
cfg = config.numbus.services.clamav;
onAccessPaths = lib.mapAttrsToList (n: v: v.dataDir) (lib.filterAttrs (n: v:
v ? enable && v.enable && v ? dataDir && v.dataDir != null && v.dataDir != false
) config.numbus.services);
clamonacc_virus_notifier = pkgs.writeScript "clamonacc_virus_notifier.sh" ''
#!${pkgs.bash}/bin/bash
echo "CLAM_VIRUSEVENT_VIRUSNAME=\"$CLAM_VIRUSEVENT_VIRUSNAME\"" > /var/lib/clamav/virus_event.env
echo "CLAM_VIRUSEVENT_FILENAME=\"$CLAM_VIRUSEVENT_FILENAME\"" >> /var/lib/clamav/virus_event.env
/run/wrappers/bin/sudo /run/current-system/sw/bin/systemctl start clamav-virus-notify.service
'';
in
{
options.numbus.services.clamav = {
enable = mkEnableOption "ClamAV open-source anti-virus software";
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.clamav pkgs.curl ];
system.activationScripts.clamav-quarantine = ''
mkdir -p /quarantine
chown clamav:clamav /quarantine
chmod 440 /quarantine
'';
security.sudo.extraRules = [{
users = [ "clamav" ];
commands = [{
command = "/run/current-system/sw/bin/systemctl start clamav-virus-notify.service";
options = [ "NOPASSWD" ];
}];
}];
services.clamav = {
updater.enable = true; updater.enable = true;
daemon.enable = true; clamonacc.enable = true;
scanner = { scanner = {
enable = true; enable = true;
@@ -19,16 +55,37 @@ services.clamav = {
]; ];
}; };
daemon = {
clamonacc.enable = true; enable = true;
settings = {
daemon.settings = {
OnAccessPrevention = true; OnAccessPrevention = true;
OnAccessIncludePath = "/mnt/data"; OnAccessIncludePath = onAccessPaths;
VirusEvent = "${clamonacc_virus_notifier}";
};
};
}; };
};
services.clamav.daemon.enable = true; systemd.services.clamav-periodic-scan = mkIf (onAccessPaths != []) {
services.clamav.updater.enable = true; description = "Periodic ClamAV virus scan";
services.clamav.clamonacc.enable = true; after = [ "clamav-daemon.service" "clamav-freshclam.service" ];
requires = [ "clamav-daemon.service" ];
wants = [ "clamav-freshclam.service" ];
onFailure = [ "clamav-virus-notify.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.clamav}/bin/clamdscan --multiscan --fdpass --infected --allmatch --move=/quarantine ${lib.escapeShellArgs onAccessPaths}";
Slice = "system-clamav.slice";
};
};
systemd.timers.clamav-periodic-scan = mkIf (onAccessPaths != []) {
description = "Timer for ClamAV periodic scan";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-1/3-01 04:00:00";
Persistent = true;
Unit = "clamav-periodic-scan.service";
};
};
};
} }
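Review bot: `chmod 440 /quarantine` in the activation script sets a directory mode without the execute bit, so the clamav owner it is chowned to cannot enter or create files in it; the periodic scan only works because the unit has no `User=` and clamdscan runs as root, which bypasses the mode. If the directory is meant for clamav, use `chmod 700 /quarantine` (or 0750), and since root is probably required anyway for `--fdpass` to open files in the scanned paths, a comment on the unit saying so would stop someone "fixing" it later. `onFailure = [ "clamav-virus-notify.service" ]` fires on any non-zero exit, and clamdscan also exits non-zero when it cannot reach clamd or a path is unreadable, so an infrastructure error produces a "Virus Detected during Scheduled Scan" mail with an empty FOUND list; wrapping clamdscan so only exit status 1 (infected) starts the notify unit and other failures go to service-failure-notify would keep the alerts truthful. The `clamonacc_virus_notifier` writer at the top of the hunk should quote its two values with `printf '%q'` instead of literal double quotes, because the file it writes is later sourced by a root unit (raised in the clamav-virus-notify section).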
+2
@@ -3,6 +3,7 @@
{ {
imports = [ imports = [
# ./adguard.nix # ./adguard.nix
./clamav.nix
./frigate.nix ./frigate.nix
./gitea.nix ./gitea.nix
./home-assistant.nix ./home-assistant.nix
@@ -12,5 +13,6 @@
./passbolt.nix ./passbolt.nix
./pi-hole.nix ./pi-hole.nix
./traefik.nix ./traefik.nix
./virtualization.nix
]; ];
} }
+2 -2
@@ -18,13 +18,13 @@ helper.mkPodmanService {
pod = "home-assistant"; pod = "home-assistant";
defaultPort = "8971"; defaultPort = "8971";
scheme = "https"; scheme = "https";
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
envFile = "/var/lib/numbus-server/home-assistant/.env"; envFile = "/var/lib/numbus-server/home-assistant/.env";
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"1000:100 ${cfg.configDir}" "1000:100 ${cfg.configDir}"
"1000:100 ${cfg.dataDir}" "1000:100 ${cfg.dataDir}"
]; ];
middlewares = [ "secureHeaders" ];
extraOptions = { extraOptions = {
devices = mkOption { devices = mkOption {
+2 -2
@@ -23,13 +23,13 @@ helper.mkPodmanService {
DB_USERNAME = "xkcdpass -n 2 -d -"; DB_USERNAME = "xkcdpass -n 2 -d -";
DB_PASSWORD = "xkcdpass -n 8 -d -"; DB_PASSWORD = "xkcdpass -n 8 -d -";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"100999:100 ${cfg.configDir}" "100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/data" "100999:100 ${cfg.configDir}/data"
"100999:100 ${cfg.configDir}/config" "100999:100 ${cfg.configDir}/config"
"100999:100 ${cfg.configDir}/database" "100999:100 ${cfg.configDir}/database"
]; ];
middlewares = [ "secureHeaders" ];
composeText = '' composeText = ''
services: services:
@@ -53,7 +53,7 @@ helper.mkPodmanService {
- GITEA__database__USER=$DB_USERNAME - GITEA__database__USER=$DB_USERNAME
- GITEA__database__PASSWD=$DB_PASSWORD - GITEA__database__PASSWD=$DB_PASSWORD
- GITEA__server__SSH_PORT=2424 - GITEA__server__SSH_PORT=2424
- GITEA__server__ROOT_URL=${cfg.subdomain}.${config.numbus.services.domain} - GITEA__server__ROOT_URL=https://${cfg.subdomain}.${config.numbus.services.domain}
depends_on: depends_on:
- gitea-database - gitea-database
security_opt: security_opt:
+12 -12
@@ -22,12 +22,12 @@ helper.mkPodmanService {
HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -"; HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -";
HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -"; HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"1000:100 ${cfg.configDir}" "1000:100 ${cfg.configDir}"
"1000:100 ${cfg.configDir}/config" "1000:100 ${cfg.configDir}/config"
"100999:100 ${cfg.configDir}/mqtt" "100999:100 ${cfg.configDir}/mqtt"
]; ];
middlewares = [ "secureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -83,8 +83,8 @@ helper.mkPodmanService {
}; };
extraConfig = { extraConfig = {
systemd.services."${name}-quirk-1" = { systemd.services."${name}-quirk" = {
description = "Podman container quirk 1 : ${name}"; description = "Podman container quirk : ${name}";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "${name}.service" ]; after = [ "${name}.service" ];
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
@@ -100,9 +100,9 @@ helper.mkPodmanService {
if [[ -e ${cfg.configDir}/config/configuration.yaml ]]; then if [[ -e ${cfg.configDir}/config/configuration.yaml ]]; then
if grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then if grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
exit 0 exit 0
elif grep -qF "use_x_forwarded_for" ${cfg.configDir}/config/configuration.yaml && ! grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml elif grep -qF "use_x_forwarded_for" ${cfg.configDir}/config/configuration.yaml && ! grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
tmp=$(mktemp) tmp=$(mktemp)
head -n -4 ${cfg.configDir}/config/configuration.yaml > "$tmp" head -n -6 ${cfg.configDir}/config/configuration.yaml > "$tmp"
mv "$tmp" ${cfg.configDir}/config/configuration.yaml mv "$tmp" ${cfg.configDir}/config/configuration.yaml
fi fi
fi fi
@@ -114,7 +114,7 @@ helper.mkPodmanService {
http: http:
use_x_forwarded_for: true use_x_forwarded_for: true
trusted_proxies: ${config.numbus.networking.ipAddress}/24 trusted_proxies: 10.89.0.0/16
zha: zha:
EOF EOF
@@ -123,11 +123,11 @@ EOF
}; };
}; };
systemd.services."${name}-quirk-2" = { systemd.services."mqtt-quirk" = {
description = "Podman container quirk 2 : ${name}"; description = "Podman container quirk : Home-assistant MQTT";
wantedBy = [ "multi-user.target" "${name}.service" ]; wantedBy = [ "multi-user.target" "mqtt.service" ];
after = [ "${name}-secrets.service" ]; after = [ "mqtt-secrets.service" ];
before = [ "${name}.service" "${name}-permissions.service" ]; before = [ "mqtt.service" "mqtt-permissions.service" ];
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
startLimitBurst = 5; startLimitBurst = 5;
startLimitIntervalSec = 600; startLimitIntervalSec = 600;
@@ -157,7 +157,7 @@ listener 1883
allow_anonymous false allow_anonymous false
password_file /mosquitto/password.txt password_file /mosquitto/password.txt
EOF EOF
source /var/lib/numbus-server/${name}/.env source /var/lib/numbus-server/mqtt/.env
mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD" mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
chmod 600 ${cfg.configDir}/mqtt/password.txt chmod 600 ${cfg.configDir}/mqtt/password.txt
''; '';
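Review bot: `head -n -6 ${cfg.configDir}/config/configuration.yaml` in the quirk script's `elif` branch assumes the block previously appended by the heredoc is exactly the last six lines of the file, so any line the user added after it — or a change in the heredoc's length, as this commit's own 4→6 adjustment shows — silently deletes user configuration. Bracketing the generated block with marker comments written by the heredoc and removing it with `sed -i '/^# numbus-begin$/,/^# numbus-end$/d' "$file"` would make the edit independent of what follows; the script and the heredoc it pairs with start and end outside this hunk. `trusted_proxies: 10.89.0.0/16` trusts the whole container network, presumably the default podman bridge, so every container on it can set X-Forwarded-For for Home Assistant; if Traefik has a stable address or a dedicated network, narrow it to that. In the mqtt-quirk hunk, `source /var/lib/numbus-server/mqtt/.env` now reads a different file from the one the HOME_ASSISTANT_MQTT_* secrets declared in this file appear to be written to; unless a separate mqtt service declares the same names, mosquitto_passwd runs with empty credentials — worth confirming.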
+3 -3
@@ -4,7 +4,7 @@ with lib;
let let
# Version tagging # Version tagging
immichVersion = "v2.5.6"; immichVersion = "v2.7.5";
redisVersion = "9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63"; redisVersion = "9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63";
databaseVersion = "14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23"; databaseVersion = "14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23";
# Helper # Helper
@@ -29,8 +29,9 @@ helper.mkPodmanService {
UPLOAD_LOCATION = "${cfg.dataDir}"; UPLOAD_LOCATION = "${cfg.dataDir}";
DB_DATA_LOCATION = "${cfg.configDir}/database"; DB_DATA_LOCATION = "${cfg.configDir}/database";
TZ = "${config.time.timeZone}"; TZ = "${config.time.timeZone}";
IMMICH_VERSION = "v2.5.6"; IMMICH_VERSION = "v2.7.5";
}; };
middlewares = [ "immichSecureHeaders" ];
dirPermissions = [ dirPermissions = [
"100999:100 ${cfg.configDir}" "100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/redis" "100999:100 ${cfg.configDir}/redis"
@@ -40,7 +41,6 @@ helper.mkPodmanService {
"100999:100 ${cfg.configDir}/database" "100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.dataDir}" "100999:100 ${cfg.dataDir}"
]; ];
middlewares = [ "immichSecureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
+2 -2
@@ -17,8 +17,8 @@ helper.mkPodmanService {
description = "IT-tools, useful tools when doing IT"; description = "IT-tools, useful tools when doing IT";
pod = "false"; pod = "false";
defaultPort = "8880"; defaultPort = "8880";
configDir = false; configDirEnabled = false;
dataDir = false; dataDirEnabled = false;
middlewares = [ "secureHeaders" ]; middlewares = [ "secureHeaders" ];
# Compose file good # Compose file good
+4 -6
@@ -106,18 +106,16 @@ with lib;
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
startLimitBurst = 5; startLimitBurst = 5;
startLimitIntervalSec = 600; startLimitIntervalSec = 600;
path = [ pkgs.podman pkgs.podman-compose pkgs.su pkgs.coreutils ]; path = [ pkgs.podman pkgs.podman-compose pkgs.slirp4netns pkgs.su pkgs.sudo pkgs.coreutils ];
serviceConfig = { serviceConfig = {
Type = "exec"; Type = "exec";
User = "numbus-admin";
Group = "users";
TimeoutStartSec = "1000"; TimeoutStartSec = "1000";
ExecStartPre = [ ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'" "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'"
"${pkgs.podman-compose}/bin/podman-compose -f /etc/podman/${name}/compose.yaml pull" "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull'"
]; ];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans"; ExecStart = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans'";
ExecStop = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down"; ExecStop = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down'";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "3m"; RestartSec = "3m";
}; };
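Review bot: Dropping `User = "numbus-admin"` and `Group = "users"` in favour of root-run bash wrappers that `sudo -u numbus-admin` means every generated container unit now starts as root, and the wrappers exist only to put `/run/wrappers/bin` (the setuid newuidmap) on PATH. The same effect should be available without the privilege change by keeping `User=` and adding the wrapper directory to the unit's search path, `path = [ "/run/wrappers" pkgs.podman pkgs.podman-compose pkgs.slirp4netns pkgs.su pkgs.coreutils ];` (NixOS appends `/bin` to each entry), which is worth trying since the nine "Try to fix newuidmap exec not found" commits do not record what was attempted. If sudo is kept, `sudo -u` without `-H` and without an explicit `XDG_RUNTIME_DIR` may leave rootless podman looking at root's home and runtime directory rather than numbus-admin's, depending on the sudoers defaults, so set them explicitly and document in a comment why the unit runs as root. The enclosing mkPodmanService block starts and ends outside the hunk.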
+100 -38
@@ -4,11 +4,11 @@ with lib;
let let
# Version tagging # Version tagging
nextcloudVersion = "32.0.6"; nextcloudVersion = "33.0.5-apache";
redisVersion = "8.6-alpine"; redisVersion = "8.6-alpine";
databaseVersion = "11.8"; databaseVersion = "11.8";
onlyofficeVersion = "9.2"; onlyofficeVersion = "9.4.0";
whiteboardVersion = "v1.5.6"; whiteboardVersion = "v1.5.9";
# Helper # Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.nextcloud; cfg = config.numbus.services.nextcloud;
@@ -29,18 +29,19 @@ helper.mkPodmanService {
WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -"; WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"; SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
}; };
middlewares = [ "nextcloudSecureHeaders" ];
dirPermissions = [ dirPermissions = [
"100032:100 ${cfg.dataDir}"
"100032:100 ${cfg.configDir}" "100032:100 ${cfg.configDir}"
"100032:100 ${cfg.configDir}/web" "100032:100 ${cfg.configDir}/web"
"100999:100 ${cfg.configDir}/redis" "100999:100 ${cfg.configDir}/redis"
"100999:100 ${cfg.configDir}/database" "100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.configDir}/onlyoffice" "1000:100 ${cfg.configDir}/onlyoffice"
"100999:100 ${cfg.configDir}/onlyoffice/log" "1000:100 ${cfg.configDir}/onlyoffice/log"
"100999:100 ${cfg.configDir}/onlyoffice/cache" "1000:100 ${cfg.configDir}/onlyoffice/cache"
"100999:100 ${cfg.configDir}/onlyoffice/database" "1000:100 ${cfg.configDir}/onlyoffice/data"
"100032:100 ${cfg.dataDir}" "1000:100 ${cfg.configDir}/onlyoffice/database"
]; ];
middlewares = [ "secureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -73,13 +74,15 @@ helper.mkPodmanService {
MAIL_FROM_ADDRESS: nextcloud-noreply MAIL_FROM_ADDRESS: nextcloud-noreply
MAIL_DOMAIN: ${config.numbus.services.domain} MAIL_DOMAIN: ${config.numbus.services.domain}
APACHE_DISABLE_REWRITE_IP: 1 APACHE_DISABLE_REWRITE_IP: 1
TRUSTED_PROXIES: ${config.numbus.networking.ipAddress}
OVERWRITEPROTOCOL: https OVERWRITEPROTOCOL: https
TRUSTED_PROXIES: 10.89.0.0/16
NC_default_phone_region: "${config.numbus.language}" NC_default_phone_region: "${config.numbus.language}"
NC_default_language: "${config.numbus.language}" NC_default_language: "${config.numbus.language}"
NC_default_locale: "${config.numbus.locale}" NC_default_locale: "${config.numbus.locale}"
NC_default_timezone: "${config.time.timeZone}" NC_default_timezone: "${config.time.timeZone}"
NC_maintenance_window_start: "1" NC_maintenance_window_start: "1"
PHP_MEMORY_LIMIT: 1024M
PHP_OPCACHE_MEMORY_CONSUMPTION: 256
depends_on: depends_on:
- nextcloud-database - nextcloud-database
security_opt: security_opt:
@@ -130,14 +133,19 @@ helper.mkPodmanService {
image: docker.io/onlyoffice/documentserver:${onlyofficeVersion} image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
environment: environment:
- JWT_SECRET=$ONLYOFFICE_PASSWORD - JWT_SECRET=$ONLYOFFICE_PASSWORD
- REDIS_SERVER_HOST=nextcloud-redis
- REDIS_SERVER_PORT=6379
- REDIS_SERVER_PASS=$REDIS_PASSWORD
- ADMINPANEL_ENABLED=false
- EXAMPLE_ENABLED=false
- METRICS_ENABLED=false
ports: ports:
- "9980:80/tcp" - "9980:80/tcp"
volumes: volumes:
- ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice - ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
- ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice - ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
- ${cfg.configDir}/onlyoffice/data:/var/www/onlyoffice/Data
- ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql - ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
security_opt:
- no-new-privileges:true
cap_drop: cap_drop:
- NET_RAW - NET_RAW
restart: unless-stopped restart: unless-stopped
@@ -172,7 +180,7 @@ helper.mkPodmanService {
- "websecure" - "websecure"
service: nextcloud-onlyoffice service: nextcloud-onlyoffice
middlewares: middlewares:
- "secureHeaders" - "nextcloudSecureHeaders"
tls: tls:
certresolver: "cloudflare" certresolver: "cloudflare"
options: "secureTLS" options: "secureTLS"
@@ -203,6 +211,39 @@ helper.mkPodmanService {
- url: "http://host.containers.internal:3002" - url: "http://host.containers.internal:3002"
''; '';
environment.etc."traefik/rules/nextcloudSecureHeaders.yaml".text = ''
http:
middlewares:
nextcloudSecureHeaders:
headers:
FrameDeny: false
CustomFrameOptionsValue: "SAMEORIGIN"
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSSeconds: 315360000
STSIncludeSubdomains: true
STSPreload: true
AccessControlAllowMethods: "GET,OPTIONS,PUT"
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
ReferrerPolicy: same-origin
PermissionsPolicy: "vibrate=()"
ContentSecurityPolicy: >-
default-src https://onlyoffice.${config.numbus.services.domain} 'self';
script-src https://onlyoffice.${config.numbus.services.domain} 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
connect-src 'self';
img-src 'self' data:;
font-src 'self' data:;
frame-src https://onlyoffice.${config.numbus.services.domain} 'self';
frame-ancestors https://onlyoffice.${config.numbus.services.domain} 'self';
object-src 'none';
base-uri 'self';
'';
systemd.services."${name}-quirk" = { systemd.services."${name}-quirk" = {
description = "Podman container quirk : ${name}"; description = "Podman container quirk : ${name}";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@@ -210,42 +251,62 @@ helper.mkPodmanService {
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
startLimitBurst = 5; startLimitBurst = 5;
startLimitIntervalSec = 600; startLimitIntervalSec = 600;
path = [ pkgs.coreutils pkgs.sudo pkgs.podman ]; path = [ pkgs.coreutils pkgs.sudo pkgs.podman pkgs.systemd pkgs.gnugrep ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
script = '' script = ''
mkdir -p /var/lib/numbus-server/${name} OCC="sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ"
[[ -e /var/lib/numbus-server/${name}/quirk.true ]] && exit 0
[[ ! -e /var/lib/numbus-server/${name}/.env ]] && systemctl start ${name}-secrets.service [[ ! -e /var/lib/numbus-server/${name}/.env ]] && systemctl start ${name}-secrets.service
until [[ -e /var/lib/numbus-server/${name}/.env ]]; do until [[ -e /var/lib/numbus-server/${name}/.env ]]; do
echo "Waiting for secrets generation..." echo "Waiting for secrets generation..."
sleep 15 sleep 5
done done
source /var/lib/numbus-server/${name}/.env source /var/lib/numbus-server/${name}/.env
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ background:cron
until $OCC status | grep -iq "installed: true" >/dev/null 2>&1; do
echo "Waiting for Nextcloud to be up and running..."
sleep 60
done
$OCC db:add-missing-indices
$OCC maintenance:repair --include-expensive
INSTALL_APPS_LIST=( "calendar" "contacts" "mail" "notes" "onlyoffice" "cookbook" "whiteboard" )
DISABLE_APPS_LIST=( "activity" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" )
for app in ''${INSTALL_APPS_LIST[@]}; do
if ! $OCC --no-warnings app:list | grep -iq "$app:"; then
$OCC --no-warnings app:install "$app"
fi
if $OCC --no-warnings app:list --disabled | grep -iq "$app:"; then
$OCC --no-warnings app:enable "$app"
fi
done
for app in ''${DISABLE_APPS_LIST[@]}; do
if $OCC --no-warnings app:list --enabled | grep -iq "$app:"; then
$OCC --no-warnings app:disable "$app"
fi
done
$OCC --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
$OCC --no-warnings config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
$OCC --no-warnings config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD"
$OCC --no-warnings config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}"
$OCC --no-warnings config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD"
if [[ ! -f /var/lib/numbus-server/${name}/croned.true ]]; then
$OCC background:cron
sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ db:add-missing-indices touch /var/lib/numbus-server/${name}/croned.true
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ maintenance:repair --include-expensive fi
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:scan --all
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:repair-tree if [[ ! -f /var/lib/numbus-server/${name}/scanned.true ]]; then
for app in calendar contacts mail note onlyoffice cookbook whiteboard; do $OCC files:scan --all
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:install $app $OCC files:repair-tree
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:enable $app touch /var/lib/numbus-server/${name}/scanned.true
done fi
for app in activity app_api federatedfilesharing federation webhook_listeners photos recommendations sharebymail teams support richdocumentscode; do
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:disable $app
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:remove $app
done
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}"
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD"
touch /var/lib/numbus-server/${name}/quirk.true
''; '';
}; };
@@ -256,6 +317,7 @@ helper.mkPodmanService {
path = [ pkgs.sudo pkgs.podman ]; path = [ pkgs.sudo pkgs.podman ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecCondition = ''${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ status'';
ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php"; ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php";
}; };
}; };
+2 -1
@@ -25,6 +25,7 @@ helper.mkPodmanService {
DB_PASSWORD = "xkcdpass -n 10 -d -"; DB_PASSWORD = "xkcdpass -n 10 -d -";
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"; SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"100032:100 ${cfg.configDir}" "100032:100 ${cfg.configDir}"
"100032:100 ${cfg.configDir}/gpg" "100032:100 ${cfg.configDir}/gpg"
@@ -69,7 +70,7 @@ helper.mkPodmanService {
"0", "0",
"passbolt-database:3306", "passbolt-database:3306",
"--", "--",
"/docker-entrypoint.sh", "/docker-entrypoint.sh"
] ]
depends_on: depends_on:
- passbolt-database - passbolt-database
+8 -3
@@ -19,15 +19,15 @@ helper.mkPodmanService {
defaultPort = "4443"; defaultPort = "4443";
scheme = "https"; scheme = "https";
dependencies = [ "network.target" ]; dependencies = [ "network.target" ];
dataDir = false; dataDirEnabled = false;
startDelay = 10; startDelay = 10;
generatedSecrets = { generatedSecrets = {
PIHOLE_PASSWORD = "xkcdpass -n 10 -d -"; PIHOLE_PASSWORD = "xkcdpass -n 10 -d -";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"100999:100 ${cfg.configDir}" "100999:100 ${cfg.configDir}"
]; ];
middlewares = [ "secureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -53,7 +53,12 @@ helper.mkPodmanService {
FTLCONF_dns_hosts: | FTLCONF_dns_hosts: |
${lib.concatStringsSep "" (lib.mapAttrsToList (name: service: ${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
" ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n" " ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n" +
(if name == "nextcloud" then
" ${config.numbus.networking.ipAddress} onlyoffice.${config.numbus.services.domain}\n" +
" ${config.numbus.networking.ipAddress} whiteboard.${config.numbus.services.domain}\n"
else "")
else ""
) config.numbus.services)} ) config.numbus.services)}
FTLCONF_dns_listeningMode: "BIND" FTLCONF_dns_listeningMode: "BIND"
FTLCONF_dns_domain_name: "${config.numbus.services.domain}" FTLCONF_dns_domain_name: "${config.numbus.services.domain}"
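Review bot: The `onlyoffice` and `whiteboard` hostnames added inside the FTLCONF_dns_hosts generator are selected by the literal check `name == "nextcloud"` and spelled out here by hand, duplicating subdomain names that the Nextcloud module already uses in its own config (`onlyoffice.${config.numbus.services.domain}`, `whiteboard.${config.numbus.services.domain}`); if either name changes in one place the split-horizon A record silently drifts and clients resolve the public address instead. Consider having the Nextcloud module publish its extra hostnames (e.g. an `extraSubdomains` list next to `subdomain`) and iterating over that list here, so Pi-hole cannot fall out of step. The nested `if`/`else` inside the string concatenation is also hard to read at a glance; a comment above the conditional such as `# Nextcloud fronts OnlyOffice and Whiteboard on their own subdomains, so publish those records too` would help the next reader. The HEAD log mentions an AdGuard module was added but it is not visible in this chunk; if it serves the same resolver role it presumably needs the same entries.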
+2 -2
@@ -4,7 +4,7 @@ with lib;
let let
# Version tagging # Version tagging
traefikVersion = "v3.6.8"; traefikVersion = "v3.7.4";
# Helper # Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.traefik; cfg = config.numbus.services.traefik;
@@ -16,7 +16,7 @@ helper.mkPodmanService {
inherit name; inherit name;
description = "Traefik reverse proxy, one to rule them all"; description = "Traefik reverse proxy, one to rule them all";
pod = "false"; pod = "false";
dataDir = false; dataDirEnabled = false;
dependencies = [ "network.target" ]; dependencies = [ "network.target" ];
startDelay = 10; startDelay = 10;
generatedSecrets = { generatedSecrets = {
+17
@@ -0,0 +1,17 @@
{ config, lib, ... }:
with lib;
let
cfg = config.numbus.services.virtualization;
in
{
options.numbus.services.virtualization = {
enable = mkEnableOption "QEMU/KVM virtualization software";
};
config = mkIf cfg.enable {
virtualisation.libvirtd.enable = true;
};
}
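Review bot: `virtualisation.libvirtd.enable = true;` is the only setting in the new module, so libvirtd runs entirely on NixOS module defaults; to my recollection that includes `virtualisation.libvirtd.qemu.runAsRoot` defaulting to true, which starts guest QEMU processes as root instead of the unprivileged qemu-libvirtd user — worth confirming and, if so, adding `virtualisation.libvirtd.qemu.runAsRoot = false;` beside the enable line. No user is added to the `libvirtd` group here, so only root can reach the management socket; if an administrator account is meant to manage VMs, either add the group membership explicitly or say in a comment that it is intentionally left to the host config. The option description reads "QEMU/KVM virtualization software" but the module only enables libvirtd, so a one-line comment such as `# Only libvirtd itself is enabled; guest networking, firewall rules and user access are left to the caller` would make the scope clear.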