| Author | SHA1 | Date | |
|---|---|---|---|
| df3c3d1c08 | |||
| e98263b100 | |||
| 0500445003 | |||
| ce4fa00b77 | |||
| ec9b8f7d55 | |||
| 0cc60dcd29 | |||
| 3b432d8bd4 | |||
| 19b2459f65 | |||
| 76fbcd86db | |||
| d1e511bfc0 | |||
| 090cb2a7e4 | |||
| c994337e1f | |||
| f1e24678b9 | |||
| dcde9fad01 | |||
| 3c41c307ee | |||
| 7e4ef7b679 | |||
| 3e927af8f9 | |||
| 6de5f0cd28 | |||
| 5394287b3a | |||
| a4c0c2b051 | |||
| 7933a3aa57 | |||
| b5bece34ed | |||
| 4ab54cae0a | |||
| e6907ddd0a | |||
| 5bf87a1f83 | |||
| cca3e0d42b | |||
| f190eb2040 | |||
| 96d049d486 | |||
| e09301c493 | |||
| 3721e41e94 | |||
| 5b604fac08 | |||
| e1ddf88300 | |||
| 07e7084b1b | |||
| e46ee8495c | |||
| 5cd7f661c0 | |||
| 4d1448189c | |||
| 501383bc8d | |||
| 331b686bae | |||
| ca8e8c967e | |||
| 487889e3c6 | |||
| de6c80d7b4 | |||
| d384fe1f7c | |||
| 65e1ba4ed2 | |||
| 6705329887 | |||
| ae00cb69de | |||
| 19b2ac7426 | |||
| b12f081bc3 | |||
| 0ff3ec0e1b | |||
| 45495b114f | |||
| 3bfaf5fa6f | |||
| bbe269bfcd | |||
| af4f384797 | |||
| 68949dc81b | |||
| fad1f51323 | |||
| ab886a8a0b | |||
| 87b857071d | |||
| ea86da660d |
@@ -2,7 +2,7 @@
|
|||||||
description = "Numbus Server Module";
|
description = "Numbus Server Module";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs }: {
|
outputs = { self, nixpkgs }: {
|
||||||
|
|||||||
@@ -5,5 +5,6 @@
|
|||||||
./boot.nix
|
./boot.nix
|
||||||
./cpu.nix
|
./cpu.nix
|
||||||
./disks.nix
|
./disks.nix
|
||||||
|
./pcie-coral.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@@ -265,7 +265,7 @@ in
|
|||||||
|
|
||||||
services.snapraid = {
|
services.snapraid = {
|
||||||
enable = true;
|
enable = true;
|
||||||
contentFiles = [ "/mnt/content-0/snapraid.content" ] ++
|
contentFiles = (optionals (length cfg.dataDisksList == 1) [ "/mnt/content-0/snapraid.content" ]) ++
|
||||||
(map (i: "/mnt/content-${toString i}/snapraid.content") (range 1 (length cfg.dataDisksList)));
|
(map (i: "/mnt/content-${toString i}/snapraid.content") (range 1 (length cfg.dataDisksList)));
|
||||||
parityFiles = map (i: "/mnt/parity-${toString i}/snapraid.parity") (range 1 (length cfg.parityDisksList));
|
parityFiles = map (i: "/mnt/parity-${toString i}/snapraid.parity") (range 1 (length cfg.parityDisksList));
|
||||||
dataDisks = listToAttrs (imap1 (i: _: nameValuePair "d${toString i}" "/mnt/content-${toString i}") cfg.dataDisksList);
|
dataDisks = listToAttrs (imap1 (i: _: nameValuePair "d${toString i}" "/mnt/content-${toString i}") cfg.dataDisksList);
|
||||||
|
|||||||
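Review bot: The new `optionals (length cfg.dataDisksList == 1) [ "/mnt/content-0/snapraid.content" ]` makes content-0 appear only in the single-data-disk case, which is a non-obvious rule: with one disk the list is content-0 plus content-1, with two or more it is content-1..N only, and with none it is empty (`range 1 0` yields []). A reader will assume `== 1` is a typo for `>= 1`. If the intent is to guarantee at least two content copies, record it next to the expression, e.g. `# snapraid wants at least two content files; with a single data disk reuse content-0 as the second copy` (adjusted to whichever disk actually hosts /mnt/content-0), and consider whether an empty `dataDisksList` should be an assertion rather than an empty `contentFiles`.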
@@ -0,0 +1,111 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.numbus.hardware.pcie-coral;
|
||||||
|
|
||||||
|
gasket-driver = { stdenv, lib, fetchFromGitHub, kernel }: stdenv.mkDerivation rec {
|
||||||
|
pname = "gasket";
|
||||||
|
version = "1.0-18";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "google";
|
||||||
|
repo = "gasket-driver";
|
||||||
|
rev = "97aeba584efd18983850c36dcf7384b0185284b3";
|
||||||
|
sha256 = "pJwrrI7jVKFts4+bl2xmPIAD01VKFta2SRuElerQnTo=";
|
||||||
|
};
|
||||||
|
|
||||||
|
makeFlags = [
|
||||||
|
"-C"
|
||||||
|
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
|
||||||
|
"M=$(PWD)"
|
||||||
|
];
|
||||||
|
buildFlags = [ "modules" ];
|
||||||
|
|
||||||
|
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
|
||||||
|
installTargets = [ "modules_install" ];
|
||||||
|
|
||||||
|
sourceRoot = "source/src";
|
||||||
|
hardeningDisable = [ "pic" "format" ];
|
||||||
|
nativeBuildInputs = kernel.moduleBuildDependencies;
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
|
||||||
|
homepage = "https://github.com/google/gasket-driver";
|
||||||
|
license = licenses.gpl2;
|
||||||
|
maintainers = [ maintainers.kylehendricks ];
|
||||||
|
platforms = platforms.linux;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
libedgetpu-pkg = { stdenv, lib, fetchFromGitHub, libusb1, abseil-cpp, flatbuffers, xxd }:
|
||||||
|
let
|
||||||
|
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
|
||||||
|
version = "1.12.0";
|
||||||
|
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
|
||||||
|
cmakeFlags = (oldAttrs.cmakeFlags or []) ++ ["-DFLATBUFFERS_BUILD_SHAREDLIB=ON"];
|
||||||
|
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
|
||||||
|
configureFlags = (oldAttrs.configureFlags or []) ++ ["--enable-shared"];
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "google";
|
||||||
|
repo = "flatbuffers";
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
in stdenv.mkDerivation rec {
|
||||||
|
pname = "libedgetpu";
|
||||||
|
version = "grouper";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "google-coral";
|
||||||
|
repo = pname;
|
||||||
|
rev = "release-${version}";
|
||||||
|
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
|
||||||
|
};
|
||||||
|
|
||||||
|
makeFlags = ["-f" "makefile_build/Makefile" "libedgetpu" ];
|
||||||
|
|
||||||
|
buildInputs = [
|
||||||
|
libusb1
|
||||||
|
abseil-cpp
|
||||||
|
flatbuffers_1_12
|
||||||
|
];
|
||||||
|
|
||||||
|
nativeBuildInputs = [
|
||||||
|
xxd
|
||||||
|
];
|
||||||
|
|
||||||
|
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
|
||||||
|
|
||||||
|
TFROOT = "${fetchFromGitHub {
|
||||||
|
owner = "tensorflow";
|
||||||
|
repo = "tensorflow";
|
||||||
|
rev = "v2.7.4";
|
||||||
|
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
|
||||||
|
}}";
|
||||||
|
|
||||||
|
enableParallelBuilding = false;
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/lib
|
||||||
|
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
|
||||||
|
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
|
||||||
|
mkdir -p $out/lib/udev/rules.d
|
||||||
|
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
gasket = config.boot.kernelPackages.callPackage gasket-driver {};
|
||||||
|
libedgetpu = pkgs.callPackage libedgetpu-pkg {};
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
options.numbus.hardware.pcie-coral = lib.mkEnableOption "PCIe Coral TPU support";
|
||||||
|
|
||||||
|
config = lib.mkIf cfg {
|
||||||
|
services.udev.packages = [ libedgetpu ];
|
||||||
|
users.groups.plugdev = {};
|
||||||
|
boot.extraModulePackages = [ gasket ];
|
||||||
|
};
|
||||||
|
}
|
||||||
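Review bot: `users.groups.plugdev = {};` creates the group but nothing adds a member to it, so if the udev rules installed from `debian/edgetpu-accelerator.rules` grant the device node to plugdev (as the upstream USB rules do), the TPU stays inaccessible to whatever unprivileged service is meant to use it, and the module does not say which one. Document the intended consumer next to the group, `# the Coral udev rules give the device to plugdev; add the consuming service user via users.users.<service-user>.extraGroups`, or have this module add that user itself. `hardeningDisable = [ "pic" "format" ]` and the `flatbuffers` 1.12.0 override with `-Wno-error=...` also deserve one-line why-comments (kernel-module build requirements and a pinned upstream dependency, presumably), since without them they read as deliberately weakened hardening.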
@@ -0,0 +1,89 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.numbus.services.clamav;
|
||||||
|
clamav_notifier = pkgs.writeScript "clamav-notify.sh" ''
|
||||||
|
#!${pkgs.bash}/bin/bash
|
||||||
|
|
||||||
|
# Check if triggered by Real-time event (file exists)
|
||||||
|
if [ -f /var/lib/clamav/virus_event.env ]; then
|
||||||
|
source /var/lib/clamav/virus_event.env
|
||||||
|
rm /var/lib/clamav/virus_event.env
|
||||||
|
fi
|
||||||
|
|
||||||
|
ADMIN_EMAIL="${config.numbus.mail.adminAddress}"
|
||||||
|
USER_EMAIL="${config.numbus.mail.userAddress}"
|
||||||
|
OWNER_NAME="${config.numbus.owner}"
|
||||||
|
|
||||||
|
if [ -n "$CLAM_VIRUSEVENT_VIRUSNAME" ]; then
|
||||||
|
# --- Real-time / VirusEvent Mode ---
|
||||||
|
SUBJECT="Numbus Server Alert: Virus Detected (Real-time)"
|
||||||
|
|
||||||
|
# Retrieve logs from clamav-daemon
|
||||||
|
LOGS=$(journalctl -u clamav-daemon.service -n 50 --no-pager | grep "FOUND")
|
||||||
|
|
||||||
|
TECH_BODY="
|
||||||
|
ClamAV Real-time Alert:
|
||||||
|
Server owner: $OWNER_NAME
|
||||||
|
|
||||||
|
Virus detected: $CLAM_VIRUSEVENT_VIRUSNAME
|
||||||
|
File: $CLAM_VIRUSEVENT_FILENAME
|
||||||
|
|
||||||
|
Logs:
|
||||||
|
$LOGS
|
||||||
|
|
||||||
|
Action taken: Access blocked (OnAccessPrevention).
|
||||||
|
Please investigate manually.
|
||||||
|
"
|
||||||
|
|
||||||
|
FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
|
||||||
|
|
||||||
|
L'antivirus de votre serveur a détecté et bloqué une menace en temps réel.
|
||||||
|
Fichier : $CLAM_VIRUSEVENT_FILENAME
|
||||||
|
|
||||||
|
Votre administrateur a été notifié.
|
||||||
|
"
|
||||||
|
else
|
||||||
|
# --- Scheduled Scan Summary Mode ---
|
||||||
|
SUBJECT="Numbus Server Alert: Virus Detected during Scheduled Scan"
|
||||||
|
|
||||||
|
# Retrieve logs (clamdscan prints FOUND when a virus is detected)
|
||||||
|
LOGS=$(journalctl -u clamav-periodic-scan.service -n 100 --no-pager | grep "FOUND")
|
||||||
|
|
||||||
|
TECH_BODY="
|
||||||
|
ClamAV Scan Alert:
|
||||||
|
Server owner: $OWNER_NAME
|
||||||
|
|
||||||
|
Viruses detected:
|
||||||
|
$LOGS
|
||||||
|
|
||||||
|
Action taken: Detection only.
|
||||||
|
Please investigate manually.
|
||||||
|
"
|
||||||
|
|
||||||
|
FRIENDLY_BODY="Cher/Chère $OWNER_NAME,
|
||||||
|
|
||||||
|
L'antivirus de votre serveur a détecté une menace potentielle lors de l'analyse périodique.
|
||||||
|
Votre administrateur a été notifié avec les détails techniques.
|
||||||
|
Nous vous conseillons d'être prudent avec vos fichiers récents.
|
||||||
|
"
|
||||||
|
fi
|
||||||
|
|
||||||
|
printf "Subject: [ADMIN] %s\n\n%s" "$SUBJECT" "$TECH_BODY" | /run/wrappers/bin/sendmail -t "$ADMIN_EMAIL"
|
||||||
|
printf "Subject: [Alerte] Menace détectée sur votre serveur Numbus\n\n%s\n\nMerci de votre confiance,\nL'équipe de support,\nNumbus-Server." "$FRIENDLY_BODY" | /run/wrappers/bin/sendmail -t "$USER_EMAIL"
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
systemd.services.clamav-virus-notify = {
|
||||||
|
description = "Email notification for ClamAV virus detection";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = "${clamav_notifier}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
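Review bot: The notifier runs as root (the clamav-virus-notify unit sets no `User=`) and `source`s /var/lib/clamav/virus_event.env, whose content is produced in the later clamav.nix hunk by `echo "CLAM_VIRUSEVENT_FILENAME=\"$CLAM_VIRUSEVENT_FILENAME\""`; a detected file whose name contains a double quote followed by shell syntax is therefore executed by the root notifier, and more generally the clamav user fully controls what root evaluates. Treat the file as data instead of code: read it with `{ IFS= read -r CLAM_VIRUSEVENT_VIRUSNAME; IFS= read -r CLAM_VIRUSEVENT_FILENAME; } < /var/lib/clamav/virus_event.env` here, and write it in the VirusEvent hook with `printf '%s\n%s\n' "$CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME" > /var/lib/clamav/virus_event.env`. A file name containing a newline would still shift the second field, so the notifier should tolerate an empty or odd `$CLAM_VIRUSEVENT_FILENAME` rather than trust it. The same values are then interpolated into the mail body via `printf "%s"`, which is fine since they are passed as arguments, not as the format string.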
@@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
./clamav.nix
|
||||||
./smart.nix
|
./smart.nix
|
||||||
./systemd.nix
|
./systemd.nix
|
||||||
./smtp.nix
|
./smtp.nix
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git
|
git
|
||||||
|
screen
|
||||||
ncdu
|
ncdu
|
||||||
fastfetch
|
fastfetch
|
||||||
tpm2-tss
|
tpm2-tss
|
||||||
|
|||||||
@@ -9,10 +9,8 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
podman
|
|
||||||
podman-compose
|
podman-compose
|
||||||
podman-tui
|
podman-tui
|
||||||
passt
|
|
||||||
slirp4netns
|
slirp4netns
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@@ -0,0 +1,51 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
# Version tagging
|
||||||
|
adguardVersion = "latest";
|
||||||
|
# Helper
|
||||||
|
helper = import ./lib.nix { inherit config pkgs lib; };
|
||||||
|
cfg = config.numbus.services.adguard;
|
||||||
|
# Container config
|
||||||
|
name = "adguard";
|
||||||
|
in
|
||||||
|
|
||||||
|
helper.mkPodmanService {
|
||||||
|
inherit name;
|
||||||
|
description = "AdGuard, feature-rich DNS service";
|
||||||
|
pod = "false";
|
||||||
|
defaultPort = "3000";
|
||||||
|
scheme = "http";
|
||||||
|
dependencies = [ "network.target" ];
|
||||||
|
dataDirEnabled = false;
|
||||||
|
startDelay = 10;
|
||||||
|
middlewares = [ "secureHeaders" ];
|
||||||
|
dirPermissions = [
|
||||||
|
"100999:100 ${cfg.configDir}"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Compose file good
|
||||||
|
composeText = ''
|
||||||
|
services:
|
||||||
|
adguardhome:
|
||||||
|
image: adguard/adguardhome:${adguardVersion}
|
||||||
|
container_name: adguard
|
||||||
|
hostname: adguard
|
||||||
|
network_mode: pasta
|
||||||
|
user: '1000:1000'
|
||||||
|
ports:
|
||||||
|
- "3000:3000/tcp"
|
||||||
|
- "53:53/tcp"
|
||||||
|
- "53:53/udp"
|
||||||
|
volumes:
|
||||||
|
- ${cfg.configDir}/work:/opt/adguardhome/work
|
||||||
|
- ${cfg.configDir}/config:/opt/adguardhome/conf
|
||||||
|
cap_add:
|
||||||
|
- SYS_NICE
|
||||||
|
security_opt:
|
||||||
|
- no-new-privileges:true
|
||||||
|
restart: unless-stopped
|
||||||
|
'';
|
||||||
|
}
|
||||||
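Review bot: The compose maps `53:53/tcp` and `53:53/udp`, but the lib.nix hunk in this compare runs podman-compose as the unprivileged numbus-admin user, and a rootless pasta network cannot bind a host port below 1024 unless `net.ipv4.ip_unprivileged_port_start` is lowered (e.g. `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;`), so as written the service is likely to fail at start and the module does not mention the prerequisite. The container runs as `user: '1000:1000'` while `dirPermissions` hands `${cfg.configDir}` to `100999:100`; that looks like the same rootless uid mapping the other services rely on, but a one-line comment tying the two numbers together would help. Finally, `./adguard.nix` stays commented out in the services imports hunk, so this file is currently dead code; either import it or say in the file header why it is parked.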
+82
-25
@@ -1,34 +1,91 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.numbus.services.clamav;
|
||||||
|
onAccessPaths = lib.mapAttrsToList (n: v: v.dataDir) (lib.filterAttrs (n: v:
|
||||||
|
v ? enable && v.enable && v ? dataDir && v.dataDir != null && v.dataDir != false
|
||||||
|
) config.numbus.services);
|
||||||
|
clamonacc_virus_notifier = pkgs.writeScript "clamonacc_virus_notifier.sh" ''
|
||||||
|
#!${pkgs.bash}/bin/bash
|
||||||
|
|
||||||
|
echo "CLAM_VIRUSEVENT_VIRUSNAME=\"$CLAM_VIRUSEVENT_VIRUSNAME\"" > /var/lib/clamav/virus_event.env
|
||||||
|
echo "CLAM_VIRUSEVENT_FILENAME=\"$CLAM_VIRUSEVENT_FILENAME\"" >> /var/lib/clamav/virus_event.env
|
||||||
|
|
||||||
|
/run/wrappers/bin/sudo /run/current-system/sw/bin/systemctl start clamav-virus-notify.service
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
environment.systemPackages = [ pkgs.clamav pkgs.curl ];
|
options.numbus.services.clamav = {
|
||||||
|
enable = mkEnableOption "ClamAV open-source anti-virus software";
|
||||||
services.clamav = {
|
|
||||||
updater.enable = true;
|
|
||||||
daemon.enable = true;
|
|
||||||
|
|
||||||
scanner = {
|
|
||||||
enable = true;
|
|
||||||
interval = "*-*-* 04:00:00"; # Everyday at 4am
|
|
||||||
scanDirectories = [
|
|
||||||
"/etc"
|
|
||||||
"/home"
|
|
||||||
"/var/lib"
|
|
||||||
"/var/tmp"
|
|
||||||
"/tmp"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
environment.systemPackages = [ pkgs.clamav pkgs.curl ];
|
||||||
|
|
||||||
clamonacc.enable = true;
|
system.activationScripts.clamav-quarantine = ''
|
||||||
|
mkdir -p /quarantine
|
||||||
|
chown clamav:clamav /quarantine
|
||||||
|
chmod 440 /quarantine
|
||||||
|
'';
|
||||||
|
|
||||||
daemon.settings = {
|
security.sudo.extraRules = [{
|
||||||
OnAccessPrevention = true;
|
users = [ "clamav" ];
|
||||||
OnAccessIncludePath = "/mnt/data";
|
commands = [{
|
||||||
|
command = "/run/current-system/sw/bin/systemctl start clamav-virus-notify.service";
|
||||||
|
options = [ "NOPASSWD" ];
|
||||||
|
}];
|
||||||
|
}];
|
||||||
|
|
||||||
|
services.clamav = {
|
||||||
|
updater.enable = true;
|
||||||
|
clamonacc.enable = true;
|
||||||
|
|
||||||
|
scanner = {
|
||||||
|
enable = true;
|
||||||
|
interval = "*-*-* 04:00:00"; # Everyday at 4am
|
||||||
|
scanDirectories = [
|
||||||
|
"/etc"
|
||||||
|
"/home"
|
||||||
|
"/var/lib"
|
||||||
|
"/var/tmp"
|
||||||
|
"/tmp"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
daemon = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
OnAccessPrevention = true;
|
||||||
|
OnAccessIncludePath = onAccessPaths;
|
||||||
|
VirusEvent = "${clamonacc_virus_notifier}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.clamav-periodic-scan = mkIf (onAccessPaths != []) {
|
||||||
|
description = "Periodic ClamAV virus scan";
|
||||||
|
after = [ "clamav-daemon.service" "clamav-freshclam.service" ];
|
||||||
|
requires = [ "clamav-daemon.service" ];
|
||||||
|
wants = [ "clamav-freshclam.service" ];
|
||||||
|
onFailure = [ "clamav-virus-notify.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = "${pkgs.clamav}/bin/clamdscan --multiscan --fdpass --infected --allmatch --move=/quarantine ${lib.escapeShellArgs onAccessPaths}";
|
||||||
|
Slice = "system-clamav.slice";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers.clamav-periodic-scan = mkIf (onAccessPaths != []) {
|
||||||
|
description = "Timer for ClamAV periodic scan";
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = "*-1/3-01 04:00:00";
|
||||||
|
Persistent = true;
|
||||||
|
Unit = "clamav-periodic-scan.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
services.clamav.daemon.enable = true;
|
|
||||||
services.clamav.updater.enable = true;
|
|
||||||
services.clamav.clamonacc.enable = true;
|
|
||||||
}
|
}
|
||||||
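Review bot: `onFailure = [ "clamav-virus-notify.service" ]` on clamav-periodic-scan fires for any non-zero exit of clamdscan, and clamdscan exits 2 on errors (daemon unreachable, unreadable path) as well as 1 on detections, so a scan error produces a "Virus Detected during Scheduled Scan" email whose `grep "FOUND"` is empty while the real failure goes unreported. Dispatch on the exit status instead, e.g. replace onFailure with `ExecStopPost = "${pkgs.bash}/bin/bash -c '[ \"$EXIT_STATUS\" = 1 ] && systemctl start clamav-virus-notify.service || true'";` and leave the error case to the generic failure handler. The `onAccessPaths` filter keys on `v ? dataDir && v.dataDir != null && v.dataDir != false`, but the it-tools hunk in this compare switches that service to `dataDirEnabled = false`; if `dataDir` still carries a default path there, a disabled data directory is put under on-access scanning, so the filter should consult `dataDirEnabled` too. `chmod 440 /quarantine` on a directory also needs a comment saying that only root is expected to enter it, since the root-run clamdscan performs the `--move` but the directory is owned by clamav.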
@@ -3,6 +3,7 @@
|
|||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
# ./adguard.nix
|
# ./adguard.nix
|
||||||
|
./clamav.nix
|
||||||
./frigate.nix
|
./frigate.nix
|
||||||
./gitea.nix
|
./gitea.nix
|
||||||
./home-assistant.nix
|
./home-assistant.nix
|
||||||
@@ -12,5 +13,6 @@
|
|||||||
./passbolt.nix
|
./passbolt.nix
|
||||||
./pi-hole.nix
|
./pi-hole.nix
|
||||||
./traefik.nix
|
./traefik.nix
|
||||||
|
./virtualization.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@@ -18,13 +18,13 @@ helper.mkPodmanService {
|
|||||||
pod = "home-assistant";
|
pod = "home-assistant";
|
||||||
defaultPort = "8971";
|
defaultPort = "8971";
|
||||||
scheme = "https";
|
scheme = "https";
|
||||||
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
|
|
||||||
envFile = "/var/lib/numbus-server/home-assistant/.env";
|
envFile = "/var/lib/numbus-server/home-assistant/.env";
|
||||||
|
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
|
||||||
|
middlewares = [ "secureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
"1000:100 ${cfg.configDir}"
|
"1000:100 ${cfg.configDir}"
|
||||||
"1000:100 ${cfg.dataDir}"
|
"1000:100 ${cfg.dataDir}"
|
||||||
];
|
];
|
||||||
middlewares = [ "secureHeaders" ];
|
|
||||||
|
|
||||||
extraOptions = {
|
extraOptions = {
|
||||||
devices = mkOption {
|
devices = mkOption {
|
||||||
|
|||||||
@@ -23,13 +23,13 @@ helper.mkPodmanService {
|
|||||||
DB_USERNAME = "xkcdpass -n 2 -d -";
|
DB_USERNAME = "xkcdpass -n 2 -d -";
|
||||||
DB_PASSWORD = "xkcdpass -n 8 -d -";
|
DB_PASSWORD = "xkcdpass -n 8 -d -";
|
||||||
};
|
};
|
||||||
|
middlewares = [ "secureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
"100999:100 ${cfg.configDir}"
|
"100999:100 ${cfg.configDir}"
|
||||||
"100999:100 ${cfg.configDir}/data"
|
"100999:100 ${cfg.configDir}/data"
|
||||||
"100999:100 ${cfg.configDir}/config"
|
"100999:100 ${cfg.configDir}/config"
|
||||||
"100999:100 ${cfg.configDir}/database"
|
"100999:100 ${cfg.configDir}/database"
|
||||||
];
|
];
|
||||||
middlewares = [ "secureHeaders" ];
|
|
||||||
|
|
||||||
composeText = ''
|
composeText = ''
|
||||||
services:
|
services:
|
||||||
@@ -53,7 +53,7 @@ helper.mkPodmanService {
|
|||||||
- GITEA__database__USER=$DB_USERNAME
|
- GITEA__database__USER=$DB_USERNAME
|
||||||
- GITEA__database__PASSWD=$DB_PASSWORD
|
- GITEA__database__PASSWD=$DB_PASSWORD
|
||||||
- GITEA__server__SSH_PORT=2424
|
- GITEA__server__SSH_PORT=2424
|
||||||
- GITEA__server__ROOT_URL=${cfg.subdomain}.${config.numbus.services.domain}
|
- GITEA__server__ROOT_URL=https://${cfg.subdomain}.${config.numbus.services.domain}
|
||||||
depends_on:
|
depends_on:
|
||||||
- gitea-database
|
- gitea-database
|
||||||
security_opt:
|
security_opt:
|
||||||
|
|||||||
@@ -22,12 +22,12 @@ helper.mkPodmanService {
|
|||||||
HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -";
|
HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -";
|
||||||
HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
|
HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
|
||||||
};
|
};
|
||||||
|
middlewares = [ "secureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
"1000:100 ${cfg.configDir}"
|
"1000:100 ${cfg.configDir}"
|
||||||
"1000:100 ${cfg.configDir}/config"
|
"1000:100 ${cfg.configDir}/config"
|
||||||
"100999:100 ${cfg.configDir}/mqtt"
|
"100999:100 ${cfg.configDir}/mqtt"
|
||||||
];
|
];
|
||||||
middlewares = [ "secureHeaders" ];
|
|
||||||
|
|
||||||
# Compose file good
|
# Compose file good
|
||||||
composeText = ''
|
composeText = ''
|
||||||
@@ -83,8 +83,8 @@ helper.mkPodmanService {
|
|||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
systemd.services."${name}-quirk-1" = {
|
systemd.services."${name}-quirk" = {
|
||||||
description = "Podman container quirk 1 : ${name}";
|
description = "Podman container quirk : ${name}";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "${name}.service" ];
|
after = [ "${name}.service" ];
|
||||||
onFailure = [ "service-failure-notify@%n.service" ];
|
onFailure = [ "service-failure-notify@%n.service" ];
|
||||||
@@ -100,9 +100,9 @@ helper.mkPodmanService {
|
|||||||
if [[ -e ${cfg.configDir}/config/configuration.yaml ]]; then
|
if [[ -e ${cfg.configDir}/config/configuration.yaml ]]; then
|
||||||
if grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
|
if grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
|
||||||
exit 0
|
exit 0
|
||||||
elif grep -qF "use_x_forwarded_for" ${cfg.configDir}/config/configuration.yaml && ! grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml
|
elif grep -qF "use_x_forwarded_for" ${cfg.configDir}/config/configuration.yaml && ! grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
|
||||||
tmp=$(mktemp)
|
tmp=$(mktemp)
|
||||||
head -n -4 ${cfg.configDir}/config/configuration.yaml > "$tmp"
|
head -n -6 ${cfg.configDir}/config/configuration.yaml > "$tmp"
|
||||||
mv "$tmp" ${cfg.configDir}/config/configuration.yaml
|
mv "$tmp" ${cfg.configDir}/config/configuration.yaml
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
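Review bot: The idempotency check still greps for `${config.numbus.networking.ipAddress}/24`, but the block appended a few lines later (next hunk) now writes `trusted_proxies: 10.89.0.0/16`, so the `exit 0` branch can never match a file this script itself produced; every start takes the `elif` branch, strips the trailing lines and re-appends. That only converges while the heredoc is exactly as long as `head -n -6` assumes, which nothing enforces. Grep for the value actually written, `if grep -qF "trusted_proxies: 10.89.0.0/16" ${cfg.configDir}/config/configuration.yaml; then` (and the same in the `elif`), and hoist the CIDR into a `let` binding shared with the heredoc so the two cannot drift again. The enclosing quirk script starts before this hunk.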
@@ -114,7 +114,7 @@ helper.mkPodmanService {
|
|||||||
|
|
||||||
http:
|
http:
|
||||||
use_x_forwarded_for: true
|
use_x_forwarded_for: true
|
||||||
trusted_proxies: ${config.numbus.networking.ipAddress}/24
|
trusted_proxies: 10.89.0.0/16
|
||||||
|
|
||||||
zha:
|
zha:
|
||||||
EOF
|
EOF
|
||||||
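Review bot: `trusted_proxies: 10.89.0.0/16` trusts X-Forwarded-For from every address in the whole podman range rather than from the traefik container, so any other container on a host podman network could present an arbitrary client IP to Home Assistant, whose IP ban and login-attempt logic keys on that header. The nextcloud hunk makes the same widening (`TRUSTED_PROXIES: 10.89.0.0/16`). If traefik's network gets a fixed subnet, trust that /24 or traefik's static address instead; if it cannot, a comment recording the trade-off, `# podman assigns the proxy subnet dynamically; trusting all podman networks is accepted because only our containers live there`, would at least make the decision visible to the next reader.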
@@ -123,11 +123,11 @@ EOF
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services."${name}-quirk-2" = {
|
systemd.services."mqtt-quirk" = {
|
||||||
description = "Podman container quirk 2 : ${name}";
|
description = "Podman container quirk : Home-assistant MQTT";
|
||||||
wantedBy = [ "multi-user.target" "${name}.service" ];
|
wantedBy = [ "multi-user.target" "mqtt.service" ];
|
||||||
after = [ "${name}-secrets.service" ];
|
after = [ "mqtt-secrets.service" ];
|
||||||
before = [ "${name}.service" "${name}-permissions.service" ];
|
before = [ "mqtt.service" "mqtt-permissions.service" ];
|
||||||
onFailure = [ "service-failure-notify@%n.service" ];
|
onFailure = [ "service-failure-notify@%n.service" ];
|
||||||
startLimitBurst = 5;
|
startLimitBurst = 5;
|
||||||
startLimitIntervalSec = 600;
|
startLimitIntervalSec = 600;
|
||||||
@@ -157,7 +157,7 @@ listener 1883
|
|||||||
allow_anonymous false
|
allow_anonymous false
|
||||||
password_file /mosquitto/password.txt
|
password_file /mosquitto/password.txt
|
||||||
EOF
|
EOF
|
||||||
source /var/lib/numbus-server/${name}/.env
|
source /var/lib/numbus-server/mqtt/.env
|
||||||
mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
|
mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
|
||||||
chmod 600 ${cfg.configDir}/mqtt/password.txt
|
chmod 600 ${cfg.configDir}/mqtt/password.txt
|
||||||
'';
|
'';
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ with lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
# Version tagging
|
# Version tagging
|
||||||
immichVersion = "v2.5.6";
|
immichVersion = "v2.7.5";
|
||||||
redisVersion = "9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63";
|
redisVersion = "9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63";
|
||||||
databaseVersion = "14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23";
|
databaseVersion = "14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23";
|
||||||
# Helper
|
# Helper
|
||||||
@@ -29,8 +29,9 @@ helper.mkPodmanService {
|
|||||||
UPLOAD_LOCATION = "${cfg.dataDir}";
|
UPLOAD_LOCATION = "${cfg.dataDir}";
|
||||||
DB_DATA_LOCATION = "${cfg.configDir}/database";
|
DB_DATA_LOCATION = "${cfg.configDir}/database";
|
||||||
TZ = "${config.time.timeZone}";
|
TZ = "${config.time.timeZone}";
|
||||||
IMMICH_VERSION = "v2.5.6";
|
IMMICH_VERSION = "v2.7.5";
|
||||||
};
|
};
|
||||||
|
middlewares = [ "immichSecureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
"100999:100 ${cfg.configDir}"
|
"100999:100 ${cfg.configDir}"
|
||||||
"100999:100 ${cfg.configDir}/redis"
|
"100999:100 ${cfg.configDir}/redis"
|
||||||
@@ -40,7 +41,6 @@ helper.mkPodmanService {
|
|||||||
"100999:100 ${cfg.configDir}/database"
|
"100999:100 ${cfg.configDir}/database"
|
||||||
"100999:100 ${cfg.dataDir}"
|
"100999:100 ${cfg.dataDir}"
|
||||||
];
|
];
|
||||||
middlewares = [ "immichSecureHeaders" ];
|
|
||||||
|
|
||||||
# Compose file good
|
# Compose file good
|
||||||
composeText = ''
|
composeText = ''
|
||||||
|
|||||||
@@ -17,8 +17,8 @@ helper.mkPodmanService {
|
|||||||
description = "IT-tools, useful tools when doing IT";
|
description = "IT-tools, useful tools when doing IT";
|
||||||
pod = "false";
|
pod = "false";
|
||||||
defaultPort = "8880";
|
defaultPort = "8880";
|
||||||
configDir = false;
|
configDirEnabled = false;
|
||||||
dataDir = false;
|
dataDirEnabled = false;
|
||||||
middlewares = [ "secureHeaders" ];
|
middlewares = [ "secureHeaders" ];
|
||||||
|
|
||||||
# Compose file good
|
# Compose file good
|
||||||
|
|||||||
@@ -87,7 +87,7 @@ with lib;
|
|||||||
- "websecure"
|
- "websecure"
|
||||||
service: ${name}
|
service: ${name}
|
||||||
middlewares:
|
middlewares:
|
||||||
${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}
|
${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}
|
||||||
tls:
|
tls:
|
||||||
certresolver: "cloudflare"
|
certresolver: "cloudflare"
|
||||||
options: "secureTLS"
|
options: "secureTLS"
|
||||||
@@ -106,18 +106,16 @@ with lib;
|
|||||||
onFailure = [ "service-failure-notify@%n.service" ];
|
onFailure = [ "service-failure-notify@%n.service" ];
|
||||||
startLimitBurst = 5;
|
startLimitBurst = 5;
|
||||||
startLimitIntervalSec = 600;
|
startLimitIntervalSec = 600;
|
||||||
path = [ pkgs.podman pkgs.podman-compose pkgs.su pkgs.coreutils ];
|
path = [ pkgs.podman pkgs.podman-compose pkgs.slirp4netns pkgs.su pkgs.sudo pkgs.coreutils ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "exec";
|
Type = "exec";
|
||||||
User = "numbus-admin";
|
|
||||||
Group = "users";
|
|
||||||
TimeoutStartSec = "1000";
|
TimeoutStartSec = "1000";
|
||||||
ExecStartPre = [
|
ExecStartPre = [
|
||||||
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'"
|
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'"
|
||||||
"${pkgs.podman-compose}/bin/podman-compose -f /etc/podman/${name}/compose.yaml pull"
|
"${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull'"
|
||||||
];
|
];
|
||||||
ExecStart = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans";
|
ExecStart = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans'";
|
||||||
ExecStop = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down";
|
ExecStop = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down'";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "3m";
|
RestartSec = "3m";
|
||||||
};
|
};
|
||||||
|
|||||||
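Review bot: Dropping `User`/`Group` from serviceConfig and re-entering numbus-admin through `sudo -u` inside each Exec* line means the unit itself now runs as root and the privilege drop happens in a child process, so systemd's per-unit `User=` semantics (sandboxing options, runtime/state directories, `%U`-style specifiers) no longer apply, and nothing in the hunk records why that was necessary. If the goal was only to get the setuid wrappers onto PATH for rootless podman, keeping `User = "numbus-admin";` and adding `/run/wrappers` to the unit's `path` list appears to achieve that without running as root. If sudo really is required, add a comment on the ExecStart line stating the reason, and verify that sudo's env_reset/secure_path does not discard the exported PATH before podman-compose runs, since the `export PATH=/run/wrappers/bin:$PATH` is otherwise a no-op for the child.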
+101
-38
@@ -4,11 +4,11 @@ with lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
# Version tagging
|
# Version tagging
|
||||||
nextcloudVersion = "32.0.6";
|
nextcloudVersion = "33.0.5-apache";
|
||||||
redisVersion = "8.6-alpine";
|
redisVersion = "8.6-alpine";
|
||||||
databaseVersion = "11.8";
|
databaseVersion = "11.8";
|
||||||
onlyofficeVersion = "9.2";
|
onlyofficeVersion = "9.4.0";
|
||||||
whiteboardVersion = "v1.5.6";
|
whiteboardVersion = "v1.5.9";
|
||||||
# Helper
|
# Helper
|
||||||
helper = import ./lib.nix { inherit config pkgs lib; };
|
helper = import ./lib.nix { inherit config pkgs lib; };
|
||||||
cfg = config.numbus.services.nextcloud;
|
cfg = config.numbus.services.nextcloud;
|
||||||
@@ -29,18 +29,19 @@ helper.mkPodmanService {
|
|||||||
WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
|
WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
|
||||||
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
|
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
|
||||||
};
|
};
|
||||||
|
middlewares = [ "nextcloudSecureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
|
"100032:100 ${cfg.dataDir}"
|
||||||
"100032:100 ${cfg.configDir}"
|
"100032:100 ${cfg.configDir}"
|
||||||
"100032:100 ${cfg.configDir}/web"
|
"100032:100 ${cfg.configDir}/web"
|
||||||
"100999:100 ${cfg.configDir}/redis"
|
"100999:100 ${cfg.configDir}/redis"
|
||||||
"100999:100 ${cfg.configDir}/database"
|
"100999:100 ${cfg.configDir}/database"
|
||||||
"100999:100 ${cfg.configDir}/onlyoffice"
|
"1000:100 ${cfg.configDir}/onlyoffice"
|
||||||
"100999:100 ${cfg.configDir}/onlyoffice/log"
|
"1000:100 ${cfg.configDir}/onlyoffice/log"
|
||||||
"100999:100 ${cfg.configDir}/onlyoffice/cache"
|
"1000:100 ${cfg.configDir}/onlyoffice/cache"
|
||||||
"100999:100 ${cfg.configDir}/onlyoffice/database"
|
"1000:100 ${cfg.configDir}/onlyoffice/data"
|
||||||
"100032:100 ${cfg.dataDir}"
|
"1000:100 ${cfg.configDir}/onlyoffice/database"
|
||||||
];
|
];
|
||||||
middlewares = [ "secureHeaders" ];
|
|
||||||
|
|
||||||
# Compose file good
|
# Compose file good
|
||||||
composeText = ''
|
composeText = ''
|
||||||
@@ -73,12 +74,15 @@ helper.mkPodmanService {
|
|||||||
MAIL_FROM_ADDRESS: nextcloud-noreply
|
MAIL_FROM_ADDRESS: nextcloud-noreply
|
||||||
MAIL_DOMAIN: ${config.numbus.services.domain}
|
MAIL_DOMAIN: ${config.numbus.services.domain}
|
||||||
APACHE_DISABLE_REWRITE_IP: 1
|
APACHE_DISABLE_REWRITE_IP: 1
|
||||||
TRUSTED_PROXIES: ${config.numbus.networking.ipAddress}
|
OVERWRITEPROTOCOL: https
|
||||||
|
TRUSTED_PROXIES: 10.89.0.0/16
|
||||||
NC_default_phone_region: "${config.numbus.language}"
|
NC_default_phone_region: "${config.numbus.language}"
|
||||||
NC_default_language: "${config.numbus.language}"
|
NC_default_language: "${config.numbus.language}"
|
||||||
NC_default_locale: "${config.numbus.locale}"
|
NC_default_locale: "${config.numbus.locale}"
|
||||||
NC_default_timezone: "${config.time.timeZone}"
|
NC_default_timezone: "${config.time.timeZone}"
|
||||||
NC_maintenance_window_start: "1"
|
NC_maintenance_window_start: "1"
|
||||||
|
PHP_MEMORY_LIMIT: 1024M
|
||||||
|
PHP_OPCACHE_MEMORY_CONSUMPTION: 256
|
||||||
depends_on:
|
depends_on:
|
||||||
- nextcloud-database
|
- nextcloud-database
|
||||||
security_opt:
|
security_opt:
|
||||||
@@ -121,7 +125,7 @@ helper.mkPodmanService {
|
|||||||
- NET_RAW
|
- NET_RAW
|
||||||
command:
|
command:
|
||||||
- "--transaction-isolation=READ-COMMITTED"
|
- "--transaction-isolation=READ-COMMITTED"
|
||||||
- "--binlog-format=ROW"
|
- "--binlog-format=ROW"
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
nextcloud-onlyoffice:
|
nextcloud-onlyoffice:
|
||||||
container_name: nextcloud-onlyoffice
|
container_name: nextcloud-onlyoffice
|
||||||
@@ -129,14 +133,19 @@ helper.mkPodmanService {
|
|||||||
image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
|
image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
|
||||||
environment:
|
environment:
|
||||||
- JWT_SECRET=$ONLYOFFICE_PASSWORD
|
- JWT_SECRET=$ONLYOFFICE_PASSWORD
|
||||||
|
- REDIS_SERVER_HOST=nextcloud-redis
|
||||||
|
- REDIS_SERVER_PORT=6379
|
||||||
|
- REDIS_SERVER_PASS=$REDIS_PASSWORD
|
||||||
|
- ADMINPANEL_ENABLED=false
|
||||||
|
- EXAMPLE_ENABLED=false
|
||||||
|
- METRICS_ENABLED=false
|
||||||
ports:
|
ports:
|
||||||
- "9980:80/tcp"
|
- "9980:80/tcp"
|
||||||
volumes:
|
volumes:
|
||||||
- ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
|
- ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
|
||||||
- ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
|
- ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
|
||||||
|
- ${cfg.configDir}/onlyoffice/data:/var/www/onlyoffice/Data
|
||||||
- ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
|
- ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
|
||||||
security_opt:
|
|
||||||
- no-new-privileges:true
|
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- NET_RAW
|
- NET_RAW
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
@@ -171,7 +180,7 @@ helper.mkPodmanService {
|
|||||||
- "websecure"
|
- "websecure"
|
||||||
service: nextcloud-onlyoffice
|
service: nextcloud-onlyoffice
|
||||||
middlewares:
|
middlewares:
|
||||||
- "secureHeaders"
|
- "nextcloudSecureHeaders"
|
||||||
tls:
|
tls:
|
||||||
certresolver: "cloudflare"
|
certresolver: "cloudflare"
|
||||||
options: "secureTLS"
|
options: "secureTLS"
|
||||||
@@ -202,6 +211,39 @@ helper.mkPodmanService {
|
|||||||
- url: "http://host.containers.internal:3002"
|
- url: "http://host.containers.internal:3002"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
environment.etc."traefik/rules/nextcloudSecureHeaders.yaml".text = ''
|
||||||
|
http:
|
||||||
|
middlewares:
|
||||||
|
nextcloudSecureHeaders:
|
||||||
|
headers:
|
||||||
|
FrameDeny: false
|
||||||
|
CustomFrameOptionsValue: "SAMEORIGIN"
|
||||||
|
AddVaryHeader: true
|
||||||
|
BrowserXssFilter: true
|
||||||
|
ContentTypeNosniff: true
|
||||||
|
ForceSTSHeader: true
|
||||||
|
STSSeconds: 315360000
|
||||||
|
STSIncludeSubdomains: true
|
||||||
|
STSPreload: true
|
||||||
|
AccessControlAllowMethods: "GET,OPTIONS,PUT"
|
||||||
|
AccessControlAllowOriginList:
|
||||||
|
- origin-list-or-null
|
||||||
|
AccessControlMaxAge: 100
|
||||||
|
ReferrerPolicy: same-origin
|
||||||
|
PermissionsPolicy: "vibrate=()"
|
||||||
|
ContentSecurityPolicy: >-
|
||||||
|
default-src https://onlyoffice.${config.numbus.services.domain} 'self';
|
||||||
|
script-src https://onlyoffice.${config.numbus.services.domain} 'self' 'unsafe-inline';
|
||||||
|
style-src 'self' 'unsafe-inline';
|
||||||
|
connect-src 'self';
|
||||||
|
img-src 'self' data:;
|
||||||
|
font-src 'self' data:;
|
||||||
|
frame-src https://onlyoffice.${config.numbus.services.domain} 'self';
|
||||||
|
frame-ancestors https://onlyoffice.${config.numbus.services.domain} 'self';
|
||||||
|
object-src 'none';
|
||||||
|
base-uri 'self';
|
||||||
|
'';
|
||||||
|
|
||||||
systemd.services."${name}-quirk" = {
|
systemd.services."${name}-quirk" = {
|
||||||
description = "Podman container quirk : ${name}";
|
description = "Podman container quirk : ${name}";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
@@ -209,42 +251,62 @@ helper.mkPodmanService {
|
|||||||
onFailure = [ "service-failure-notify@%n.service" ];
|
onFailure = [ "service-failure-notify@%n.service" ];
|
||||||
startLimitBurst = 5;
|
startLimitBurst = 5;
|
||||||
startLimitIntervalSec = 600;
|
startLimitIntervalSec = 600;
|
||||||
path = [ pkgs.coreutils pkgs.sudo pkgs.podman ];
|
path = [ pkgs.coreutils pkgs.sudo pkgs.podman pkgs.systemd pkgs.gnugrep ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
};
|
};
|
||||||
script = ''
|
script = ''
|
||||||
mkdir -p /var/lib/numbus-server/${name}
|
OCC="sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ"
|
||||||
[[ -e /var/lib/numbus-server/${name}/quirk.true ]] && exit 0
|
|
||||||
[[ ! -e /var/lib/numbus-server/${name}/.env ]] && systemctl start ${name}-secrets.service
|
[[ ! -e /var/lib/numbus-server/${name}/.env ]] && systemctl start ${name}-secrets.service
|
||||||
until [[ -e /var/lib/numbus-server/${name}/.env ]]; do
|
until [[ -e /var/lib/numbus-server/${name}/.env ]]; do
|
||||||
echo "Waiting for secrets generation..."
|
echo "Waiting for secrets generation..."
|
||||||
sleep 15
|
sleep 5
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
source /var/lib/numbus-server/${name}/.env
|
source /var/lib/numbus-server/${name}/.env
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ background:cron
|
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php
|
until $OCC status | grep -iq "installed: true" >/dev/null 2>&1; do
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ db:add-missing-indices
|
echo "Waiting for Nextcloud to be up and running..."
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ maintenance:repair --include-expensive
|
sleep 60
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:scan --all
|
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:repair-tree
|
|
||||||
for app in calendar contacts mail note onlyoffice cookbook whiteboard; do
|
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:install $app
|
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:enable $app
|
|
||||||
done
|
done
|
||||||
for app in activity app_api federatedfilesharing federation webhook_listeners photos recommendations sharebymail teams support richdocumentscode; do
|
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:disable $app
|
$OCC db:add-missing-indices
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:remove $app
|
$OCC maintenance:repair --include-expensive
|
||||||
|
|
||||||
|
INSTALL_APPS_LIST=( "calendar" "contacts" "mail" "notes" "onlyoffice" "cookbook" "whiteboard" )
|
||||||
|
DISABLE_APPS_LIST=( "activity" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" )
|
||||||
|
|
||||||
|
for app in ''${INSTALL_APPS_LIST[@]}; do
|
||||||
|
if ! $OCC --no-warnings app:list | grep -iq "$app:"; then
|
||||||
|
$OCC --no-warnings app:install "$app"
|
||||||
|
fi
|
||||||
|
if $OCC --no-warnings app:list --disabled | grep -iq "$app:"; then
|
||||||
|
$OCC --no-warnings app:enable "$app"
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
|
for app in ''${DISABLE_APPS_LIST[@]}; do
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
|
if $OCC --no-warnings app:list --enabled | grep -iq "$app:"; then
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD"
|
$OCC --no-warnings app:disable "$app"
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}"
|
fi
|
||||||
sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD"
|
done
|
||||||
touch /var/lib/numbus-server/${name}/quirk.true
|
$OCC --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
|
||||||
|
$OCC --no-warnings config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/"
|
||||||
|
$OCC --no-warnings config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD"
|
||||||
|
$OCC --no-warnings config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}"
|
||||||
|
$OCC --no-warnings config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD"
|
||||||
|
|
||||||
|
if [[ ! -f /var/lib/numbus-server/${name}/croned.true ]]; then
|
||||||
|
$OCC background:cron
|
||||||
|
sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php
|
||||||
|
touch /var/lib/numbus-server/${name}/croned.true
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ ! -f /var/lib/numbus-server/${name}/scanned.true ]]; then
|
||||||
|
$OCC files:scan --all
|
||||||
|
$OCC files:repair-tree
|
||||||
|
touch /var/lib/numbus-server/${name}/scanned.true
|
||||||
|
fi
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -255,6 +317,7 @@ helper.mkPodmanService {
|
|||||||
path = [ pkgs.sudo pkgs.podman ];
|
path = [ pkgs.sudo pkgs.podman ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
|
ExecCondition = ''${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ status'';
|
||||||
ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php";
|
ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -25,6 +25,7 @@ helper.mkPodmanService {
|
|||||||
DB_PASSWORD = "xkcdpass -n 10 -d -";
|
DB_PASSWORD = "xkcdpass -n 10 -d -";
|
||||||
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
|
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
|
||||||
};
|
};
|
||||||
|
middlewares = [ "secureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
"100032:100 ${cfg.configDir}"
|
"100032:100 ${cfg.configDir}"
|
||||||
"100032:100 ${cfg.configDir}/gpg"
|
"100032:100 ${cfg.configDir}/gpg"
|
||||||
@@ -69,7 +70,7 @@ helper.mkPodmanService {
|
|||||||
"0",
|
"0",
|
||||||
"passbolt-database:3306",
|
"passbolt-database:3306",
|
||||||
"--",
|
"--",
|
||||||
"/docker-entrypoint.sh",
|
"/docker-entrypoint.sh"
|
||||||
]
|
]
|
||||||
depends_on:
|
depends_on:
|
||||||
- passbolt-database
|
- passbolt-database
|
||||||
|
|||||||
@@ -19,15 +19,15 @@ helper.mkPodmanService {
|
|||||||
defaultPort = "4443";
|
defaultPort = "4443";
|
||||||
scheme = "https";
|
scheme = "https";
|
||||||
dependencies = [ "network.target" ];
|
dependencies = [ "network.target" ];
|
||||||
dataDir = false;
|
dataDirEnabled = false;
|
||||||
startDelay = 10;
|
startDelay = 10;
|
||||||
generatedSecrets = {
|
generatedSecrets = {
|
||||||
PIHOLE_PASSWORD = "xkcdpass -n 10 -d -";
|
PIHOLE_PASSWORD = "xkcdpass -n 10 -d -";
|
||||||
};
|
};
|
||||||
|
middlewares = [ "secureHeaders" ];
|
||||||
dirPermissions = [
|
dirPermissions = [
|
||||||
"100999:100 ${cfg.configDir}"
|
"100999:100 ${cfg.configDir}"
|
||||||
];
|
];
|
||||||
middlewares = [ "secureHeaders" ];
|
|
||||||
|
|
||||||
# Compose file good
|
# Compose file good
|
||||||
composeText = ''
|
composeText = ''
|
||||||
@@ -53,7 +53,11 @@ helper.mkPodmanService {
|
|||||||
FTLCONF_dns_hosts: |
|
FTLCONF_dns_hosts: |
|
||||||
${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
|
${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
|
||||||
if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
|
if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
|
||||||
" ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n"
|
" ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n" +
|
||||||
|
(if name == "nextcloud" then
|
||||||
|
" ${config.numbus.networking.ipAddress} onlyoffice.${config.numbus.services.domain}\n" +
|
||||||
|
" ${config.numbus.networking.ipAddress} whiteboard.${config.numbus.services.domain}\n"
|
||||||
|
else "")
|
||||||
else ""
|
else ""
|
||||||
) config.numbus.services)}
|
) config.numbus.services)}
|
||||||
FTLCONF_dns_listeningMode: "BIND"
|
FTLCONF_dns_listeningMode: "BIND"
|
||||||
|
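Review bot: The `onlyoffice` and `whiteboard` hostnames added inside the `if name == "nextcloud"` branch are hard-coded a second time here, while the Nextcloud module (visible above in this compare) hard-codes the same names in its `config:system:set onlyoffice DocumentServerUrl` and `collabBackendUrl` calls; if either side is renamed the Pi-hole answer silently drifts and every future sidecar subdomain needs another special case in this loop. Consider letting each service declare its own extra names next to `subdomain` (for example a list option such as `extraSubdomains`, if the helper does not already provide one) and emitting one line per name: `concatMapStrings (h: " ${config.numbus.networking.ipAddress} ${h}.${config.numbus.services.domain}\n") ([ service.subdomain ] ++ (service.extraSubdomains or []))`. That keeps the DNS overrides derived from the same source of truth the Nextcloud module uses for its URLs, and the existing `service ? enable && service.enable && service ? subdomain` guard continues to skip modules without a subdomain. The enclosing `FTLCONF_dns_hosts` compose block continues beyond the hunk.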
|||||||
@@ -4,7 +4,7 @@ with lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
# Version tagging
|
# Version tagging
|
||||||
traefikVersion = "v3.6.8";
|
traefikVersion = "v3.7.4";
|
||||||
# Helper
|
# Helper
|
||||||
helper = import ./lib.nix { inherit config pkgs lib; };
|
helper = import ./lib.nix { inherit config pkgs lib; };
|
||||||
cfg = config.numbus.services.traefik;
|
cfg = config.numbus.services.traefik;
|
||||||
@@ -16,7 +16,7 @@ helper.mkPodmanService {
|
|||||||
inherit name;
|
inherit name;
|
||||||
description = "Traefik reverse proxy, one to rule them all";
|
description = "Traefik reverse proxy, one to rule them all";
|
||||||
pod = "false";
|
pod = "false";
|
||||||
dataDir = false;
|
dataDirEnabled = false;
|
||||||
dependencies = [ "network.target" ];
|
dependencies = [ "network.target" ];
|
||||||
startDelay = 10;
|
startDelay = 10;
|
||||||
generatedSecrets = {
|
generatedSecrets = {
|
||||||
|
|||||||
@@ -0,0 +1,17 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.numbus.services.virtualization;
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
options.numbus.services.virtualization = {
|
||||||
|
enable = mkEnableOption "QEMU/KVM virtualization software";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
virtualisation.libvirtd.enable = true;
|
||||||
|
};
|
||||||
|
}
|
||||||
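Review bot: Turning on `virtualisation.libvirtd.enable` with no further settings runs QEMU guests as root, because the NixOS module's `virtualisation.libvirtd.qemu.runAsRoot` defaults to true (worth confirming against the nixpkgs release pinned in this repo); a single guest escape is then a full host compromise. Consider `virtualisation.libvirtd = { enable = true; qemu.runAsRoot = false; };` so guests run as the unprivileged qemu-libvirtd user. The option also grants nobody access and says nothing about who should get it: membership in the `libvirtd` group is effectively root-equivalent on the host, so it deserves a deliberate option (an admin-user list) rather than ad-hoc `extraGroups` elsewhere. At minimum a comment on the option, such as `# Members of the libvirtd group can manage VMs with root-equivalent power; assign deliberately.`, would make that expectation visible to whoever enables this.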