Compare commits


35 Commits

Author SHA1 Message Date
numbus df3c3d1c08 Update Whiteboard 2026-06-08 12:45:17 +02:00
numbus e98263b100 Update Immich 2026-06-08 12:42:04 +02:00
numbus 0500445003 Update Traefik 2026-06-08 12:40:06 +02:00
numbus ce4fa00b77 Update NixOS 2026-06-08 12:38:50 +02:00
numbus ec9b8f7d55 Update Traefik 2026-05-14 11:48:55 +02:00
numbus 0cc60dcd29 Update Nextcloud, Whiteboard and OnlyOffice 2026-05-14 11:48:03 +02:00
numbus 3b432d8bd4 Update Nextcloud 2026-04-13 09:21:29 +02:00
numbus 19b2459f65 Up the amount of RAM usable by Nextcloud 2026-04-12 15:12:01 +02:00
numbus 76fbcd86db Added screen package 2026-03-25 09:13:09 +01:00
numbus d1e511bfc0 Typo : 1 data disk 2026-03-15 12:34:23 +01:00
numbus 090cb2a7e4 Remove the /mnt/content-0 if more than 2 data disks 2026-03-15 12:30:20 +01:00
numbus c994337e1f Change onlyoffice headers. 2026-03-09 00:35:21 +01:00
numbus f1e24678b9 Remove security option to make Nextcloud onlyoffice work. 2026-03-09 00:28:25 +01:00
Raphaël Numbus dcde9fad01 Changed trusted proxy address. 2026-03-05 22:09:01 +01:00
Raphaël Numbus 3c41c307ee Fixed Nextcloud headers. OnlyOffice now works with Nextcloud. 2026-03-05 22:05:32 +01:00
Raphaël Numbus 7e4ef7b679 Get nextcloud-onlyoffice to work. 2026-03-05 13:04:24 +01:00
Raphaël Numbus 3e927af8f9 Get nextcloud-onlyoffice to work. 2026-03-05 12:58:05 +01:00
Raphaël Numbus 6de5f0cd28 Get gitea to work. 2026-03-05 12:48:25 +01:00
Raphaël Numbus 5394287b3a Home-assistant bug. Get nextcloud-onlyoffice to work. 2026-03-05 12:42:26 +01:00
Raphaël Numbus a4c0c2b051 Fixed home-assistant 400: bad request. Fixed Nextcloud-Quirk failing. Fixed Nextcloud-Onlyoffice mkdir: permission denied. 2026-03-05 09:24:51 +01:00
Raphaël Numbus 7933a3aa57 Added slirp4netns 2026-03-04 21:54:46 +01:00
Raphaël Numbus b5bece34ed Moved coral tpu config to a single file. Added slirp4netns. 2026-03-04 21:22:33 +01:00
Raphaël Numbus 4ab54cae0a Added AdGuard (NEEDS TESTING). Fixed bad indentation for middlewares. Switched from every 2 month periodic scan to every 3 months. 2026-03-03 22:27:24 +01:00
Raphaël Numbus e6907ddd0a Try to fix newuidmap exec not found 2026-03-03 22:08:21 +01:00
Raphaël Numbus 5bf87a1f83 Try to fix newuidmap exec not found 2026-03-03 22:04:58 +01:00
Raphaël Numbus cca3e0d42b Try to fix newuidmap exec not found 2026-03-03 21:46:15 +01:00
Raphaël Numbus f190eb2040 Try to fix newuidmap exec not found 2026-03-03 21:14:06 +01:00
Raphaël Numbus 96d049d486 Try to fix newuidmap exec not found 2026-03-03 20:49:21 +01:00
Raphaël Numbus e09301c493 Try to fix newuidmap exec not found 2026-03-03 16:30:21 +01:00
Raphaël Numbus 3721e41e94 Try to fix newuidmap exec not found 2026-03-03 16:00:48 +01:00
Raphaël Numbus 5b604fac08 Try to fix newuidmap exec not found 2026-03-03 15:43:21 +01:00
Raphaël Numbus e1ddf88300 Try to fix newuidmap exec not found 2026-03-03 15:35:18 +01:00
Raphaël Numbus 07e7084b1b Try to fix Traefik not launching on startup 2026-03-03 15:07:39 +01:00
Raphaël Numbus e46ee8495c Fixed Home-assistant script. 2026-03-03 14:45:23 +01:00
Raphaël Numbus 5cd7f661c0 Fixed passbolt error. 2026-03-03 14:38:25 +01:00
20 changed files with 247 additions and 160 deletions
+1 -1
@@ -2,7 +2,7 @@
description = "Numbus Server Module"; description = "Numbus Server Module";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
}; };
outputs = { self, nixpkgs }: { outputs = { self, nixpkgs }: {
+1
@@ -5,5 +5,6 @@
./boot.nix ./boot.nix
./cpu.nix ./cpu.nix
./disks.nix ./disks.nix
./pcie-coral.nix
]; ];
} }
+1 -1
@@ -265,7 +265,7 @@ in
services.snapraid = { services.snapraid = {
enable = true; enable = true;
contentFiles = [ "/mnt/content-0/snapraid.content" ] ++ contentFiles = (optionals (length cfg.dataDisksList == 1) [ "/mnt/content-0/snapraid.content" ]) ++
(map (i: "/mnt/content-${toString i}/snapraid.content") (range 1 (length cfg.dataDisksList))); (map (i: "/mnt/content-${toString i}/snapraid.content") (range 1 (length cfg.dataDisksList)));
parityFiles = map (i: "/mnt/parity-${toString i}/snapraid.parity") (range 1 (length cfg.parityDisksList)); parityFiles = map (i: "/mnt/parity-${toString i}/snapraid.parity") (range 1 (length cfg.parityDisksList));
dataDisks = listToAttrs (imap1 (i: _: nameValuePair "d${toString i}" "/mnt/content-${toString i}") cfg.dataDisksList); dataDisks = listToAttrs (imap1 (i: _: nameValuePair "d${toString i}" "/mnt/content-${toString i}") cfg.dataDisksList);
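Review bot: The new `optionals (length cfg.dataDisksList == 1) [ ... ]` expression keeps `/mnt/content-0` only for exactly one data disk and yields an empty `contentFiles` when `cfg.dataDisksList` is empty, which snapraid will presumably reject at runtime rather than at evaluation; an assertion such as `assertions = [ { assertion = cfg.dataDisksList != []; message = "numbus snapraid: at least one data disk is required"; } ];` would surface that at build time. A short comment above the line stating the rule — content-0 (presumably on the system disk, confirm) is used only when a single data disk cannot hold two copies — would also help, since the commit messages ("more than 2", then "Typo : 1 data disk") show the intent was easy to misstate. The enclosing `services.snapraid` block continues outside the hunk.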
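--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+let
+cfg = config.numbus.hardware.pcie-coral;
+gasket-driver = { stdenv, lib, fetchFromGitHub, kernel }: stdenv.mkDerivation rec {
+pname = "gasket";
+version = "1.0-18";
+src = fetchFromGitHub {
+owner = "google";
+repo = "gasket-driver";
+rev = "97aeba584efd18983850c36dcf7384b0185284b3";
+sha256 = "pJwrrI7jVKFts4+bl2xmPIAD01VKFta2SRuElerQnTo=";
+};
+makeFlags = [
+"-C"
+"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+"M=$(PWD)"
+];
+buildFlags = [ "modules" ];
+installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+installTargets = [ "modules_install" ];
+sourceRoot = "source/src";
+hardeningDisable = [ "pic" "format" ];
+nativeBuildInputs = kernel.moduleBuildDependencies;
+meta = with lib; {
+description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
+homepage = "https://github.com/google/gasket-driver";
+license = licenses.gpl2;
+maintainers = [ maintainers.kylehendricks ];
+platforms = platforms.linux;
+};
+};
+libedgetpu-pkg = { stdenv, lib, fetchFromGitHub, libusb1, abseil-cpp, flatbuffers, xxd }:
+let
+flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
+version = "1.12.0";
+NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
+cmakeFlags = (oldAttrs.cmakeFlags or []) ++ ["-DFLATBUFFERS_BUILD_SHAREDLIB=ON"];
+NIX_CXXSTDLIB_COMPILE = "-std=c++17";
+configureFlags = (oldAttrs.configureFlags or []) ++ ["--enable-shared"];
+src = fetchFromGitHub {
+owner = "google";
+repo = "flatbuffers";
+rev = "v${version}";
+sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
+};
+});
+in stdenv.mkDerivation rec {
+pname = "libedgetpu";
+version = "grouper";
+src = fetchFromGitHub {
+owner = "google-coral";
+repo = pname;
+rev = "release-${version}";
+sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
+};
+makeFlags = ["-f" "makefile_build/Makefile" "libedgetpu" ];
+buildInputs = [
+libusb1
+abseil-cpp
+flatbuffers_1_12
+];
+nativeBuildInputs = [
+xxd
+];
+NIX_CXXSTDLIB_COMPILE = "-std=c++17";
+TFROOT = "${fetchFromGitHub {
+owner = "tensorflow";
+repo = "tensorflow";
+rev = "v2.7.4";
+sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
+}}";
+enableParallelBuilding = false;
+installPhase = ''
+mkdir -p $out/lib
+cp out/direct/k8/libedgetpu.so.1.0 $out/lib
+ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
+mkdir -p $out/lib/udev/rules.d
+cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
+'';
+};
+gasket = config.boot.kernelPackages.callPackage gasket-driver {};
+libedgetpu = pkgs.callPackage libedgetpu-pkg {};
+in
+{
+options.numbus.hardware.pcie-coral = lib.mkEnableOption "PCIe Coral TPU support";
+config = lib.mkIf cfg {
+services.udev.packages = [ libedgetpu ];
+users.groups.plugdev = {};
+boot.extraModulePackages = [ gasket ];
+};
+}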
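Review bot: The module has no comment explaining what enabling `numbus.hardware.pcie-coral` exposes: `services.udev.packages = [ libedgetpu ]` installs the Debian `edgetpu-accelerator.rules` copied in `installPhase`, and `users.groups.plugdev = {}` creates the group that rule presumably grants device access to (confirm against the rules file), while no user is added to it here, so an operator has to do that knowingly. A header comment such as `# Out-of-tree gasket kernel module plus the libedgetpu udev rule; TPU device access goes to members of plugdev, which this module creates but does not populate` would make that explicit. Likewise `hardeningDisable = [ "pic" "format" ]` deserves a one-line why, since it carries over unchanged from the deleted gasket.nix and is presumably what the out-of-tree module build requires. Both fetches are pinned to a commit or tag with a sha256, which is good; a comment naming why the tensorflow tree in `TFROOT` must be v2.7.4 would help when the kernel or nixpkgs (bumped to 26.05 in this compare) moves.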
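--- a/<path-not-shown-on-page>
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-let
-libedgetpu = pkgs.callPackage ./libedgetpu.nix {};
-gasket = config.boot.kernelPackages.callPackage ./gasket.nix {};
-in
-{
-services.udev.packages = [ libedgetpu ];
-users.groups.plugdev = {};
-boot.extraModulePackages = [ gasket ];
-}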
-35
@@ -1,35 +0,0 @@
{ stdenv, lib, fetchFromGitHub, kernel }:
stdenv.mkDerivation rec {
pname = "gasket";
version = "1.0-18";
src = fetchFromGitHub {
owner = "google";
repo = "gasket-driver";
rev = "97aeba584efd18983850c36dcf7384b0185284b3";
sha256 = "pJwrrI7jVKFts4+bl2xmPIAD01VKFta2SRuElerQnTo=";
};
makeFlags = [
"-C"
"${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
"M=$(PWD)"
];
buildFlags = [ "modules" ];
installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
installTargets = [ "modules_install" ];
sourceRoot = "source/src";
hardeningDisable = [ "pic" "format" ];
nativeBuildInputs = kernel.moduleBuildDependencies;
meta = with lib; {
description = "The Coral Gasket Driver allows usage of the Coral EdgeTPU on Linux systems.";
homepage = "https://github.com/google/gasket-driver";
license = licenses.gpl2;
maintainers = [ lib.maintainers.kylehendricks ];
platforms = platforms.linux;
};
}
@@ -1,59 +0,0 @@
{ stdenv, lib, fetchFromGitHub, libusb1, abseil-cpp, flatbuffers, xxd }:
let
flatbuffers_1_12 = flatbuffers.overrideAttrs (oldAttrs: rec {
version = "1.12.0";
NIX_CFLAGS_COMPILE = "-Wno-error=class-memaccess -Wno-error=maybe-uninitialized";
cmakeFlags = (oldAttrs.cmakeFlags or []) ++ ["-DFLATBUFFERS_BUILD_SHAREDLIB=ON"];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
configureFlags = (oldAttrs.configureFlags or []) ++ ["--enable-shared"];
src = fetchFromGitHub {
owner = "google";
repo = "flatbuffers";
rev = "v${version}";
sha256 = "sha256-L1B5Y/c897Jg9fGwT2J3+vaXsZ+lfXnskp8Gto1p/Tg=";
};
});
in stdenv.mkDerivation rec {
pname = "libedgetpu";
version = "grouper";
src = fetchFromGitHub {
owner = "google-coral";
repo = pname;
rev = "release-${version}";
sha256 = "sha256-73hwItimf88Iqnb40lk4ul/PzmCNIfdt6Afi+xjNiBE=";
};
makeFlags = ["-f" "makefile_build/Makefile" "libedgetpu" ];
buildInputs = [
libusb1
abseil-cpp
flatbuffers_1_12
];
nativeBuildInputs = [
xxd
];
NIX_CXXSTDLIB_COMPILE = "-std=c++17";
TFROOT = "${fetchFromGitHub {
owner = "tensorflow";
repo = "tensorflow";
rev = "v2.7.4";
sha256 = "sha256-liDbUAdaVllB0b74aBeqNxkYNu/zPy7k3CevzRF5dk0=";
}}";
enableParallelBuilding = false;
installPhase = ''
mkdir -p $out/lib
cp out/direct/k8/libedgetpu.so.1.0 $out/lib
ln -s $out/lib/libedgetpu.so.1.0 $out/lib/libedgetpu.so.1
mkdir -p $out/lib/udev/rules.d
cp debian/edgetpu-accelerator.rules $out/lib/udev/rules.d/99-edgetpu-accelerator.rules
'';
}
+1
@@ -5,6 +5,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
screen
ncdu ncdu
fastfetch fastfetch
tpm2-tss tpm2-tss
-2
@@ -9,10 +9,8 @@
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
podman
podman-compose podman-compose
podman-tui podman-tui
passt
slirp4netns slirp4netns
]; ];
} }
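--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+# Version tagging
+adguardVersion = "latest";
+# Helper
+helper = import ./lib.nix { inherit config pkgs lib; };
+cfg = config.numbus.services.adguard;
+# Container config
+name = "adguard";
+in
+helper.mkPodmanService {
+inherit name;
+description = "AdGuard, feature-rich DNS service";
+pod = "false";
+defaultPort = "3000";
+scheme = "http";
+dependencies = [ "network.target" ];
+dataDirEnabled = false;
+startDelay = 10;
+middlewares = [ "secureHeaders" ];
+dirPermissions = [
+"100999:100 ${cfg.configDir}"
+];
+# Compose file good
+composeText = ''
+services:
+adguardhome:
+image: adguard/adguardhome:${adguardVersion}
+container_name: adguard
+hostname: adguard
+network_mode: pasta
+user: '1000:1000'
+ports:
+- "3000:3000/tcp"
+- "53:53/tcp"
+- "53:53/udp"
+volumes:
+- ${cfg.configDir}/work:/opt/adguardhome/work
+- ${cfg.configDir}/config:/opt/adguardhome/conf
+cap_add:
+- SYS_NICE
+security_opt:
+- no-new-privileges:true
+restart: unless-stopped
+'';
+}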
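Review bot: `adguardVersion = "latest"` is the only unpinned image tag in this compare — every other service pins a release (Immich `v2.7.5`, Traefik `v3.7.4`) and Redis even pins a digest — so each pull silently takes whatever upstream last pushed; pin it, e.g. `adguardVersion = "<pinned-adguard-release>";`, and ideally add the `@sha256:` digest as done for Redis. The compose publishes `53:53/tcp` and `53:53/udp`, but with the lib.nix change in this compare the stack runs as `numbus-admin`, so binding a port below 1024 will fail unless `net.ipv4.ip_unprivileged_port_start` is lowered on the host — nothing on the page does that, which matches the "NEEDS TESTING" commit message and deserves either the sysctl or a comment. `dirPermissions` lists only `${cfg.configDir}` while the volumes mount `${cfg.configDir}/work` and `${cfg.configDir}/config`; the other modules list each mounted subdirectory (Gitea, Immich), so the two subdirectories should probably be added so they are not created with the wrong owner on first start.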
+1 -1
@@ -82,7 +82,7 @@ in
description = "Timer for ClamAV periodic scan"; description = "Timer for ClamAV periodic scan";
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = "*-1/2-01 04:00:00"; OnCalendar = "*-1/3-01 04:00:00";
Persistent = true; Persistent = true;
Unit = "clamav-periodic-scan.service"; Unit = "clamav-periodic-scan.service";
}; };
+2 -2
@@ -18,13 +18,13 @@ helper.mkPodmanService {
pod = "home-assistant"; pod = "home-assistant";
defaultPort = "8971"; defaultPort = "8971";
scheme = "https"; scheme = "https";
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
envFile = "/var/lib/numbus-server/home-assistant/.env"; envFile = "/var/lib/numbus-server/home-assistant/.env";
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"1000:100 ${cfg.configDir}" "1000:100 ${cfg.configDir}"
"1000:100 ${cfg.dataDir}" "1000:100 ${cfg.dataDir}"
]; ];
middlewares = [ "secureHeaders" ];
extraOptions = { extraOptions = {
devices = mkOption { devices = mkOption {
+2 -2
@@ -23,13 +23,13 @@ helper.mkPodmanService {
DB_USERNAME = "xkcdpass -n 2 -d -"; DB_USERNAME = "xkcdpass -n 2 -d -";
DB_PASSWORD = "xkcdpass -n 8 -d -"; DB_PASSWORD = "xkcdpass -n 8 -d -";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"100999:100 ${cfg.configDir}" "100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/data" "100999:100 ${cfg.configDir}/data"
"100999:100 ${cfg.configDir}/config" "100999:100 ${cfg.configDir}/config"
"100999:100 ${cfg.configDir}/database" "100999:100 ${cfg.configDir}/database"
]; ];
middlewares = [ "secureHeaders" ];
composeText = '' composeText = ''
services: services:
@@ -53,7 +53,7 @@ helper.mkPodmanService {
- GITEA__database__USER=$DB_USERNAME - GITEA__database__USER=$DB_USERNAME
- GITEA__database__PASSWD=$DB_PASSWORD - GITEA__database__PASSWD=$DB_PASSWORD
- GITEA__server__SSH_PORT=2424 - GITEA__server__SSH_PORT=2424
- GITEA__server__ROOT_URL=${cfg.subdomain}.${config.numbus.services.domain} - GITEA__server__ROOT_URL=https://${cfg.subdomain}.${config.numbus.services.domain}
depends_on: depends_on:
- gitea-database - gitea-database
security_opt: security_opt:
+12 -12
@@ -22,12 +22,12 @@ helper.mkPodmanService {
HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -"; HOME_ASSISTANT_MQTT_USER = "xkcdpass -n 2 -d -";
HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -"; HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"1000:100 ${cfg.configDir}" "1000:100 ${cfg.configDir}"
"1000:100 ${cfg.configDir}/config" "1000:100 ${cfg.configDir}/config"
"100999:100 ${cfg.configDir}/mqtt" "100999:100 ${cfg.configDir}/mqtt"
]; ];
middlewares = [ "secureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -83,8 +83,8 @@ helper.mkPodmanService {
}; };
extraConfig = { extraConfig = {
systemd.services."${name}-quirk-1" = { systemd.services."${name}-quirk" = {
description = "Podman container quirk 1 : ${name}"; description = "Podman container quirk : ${name}";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "${name}.service" ]; after = [ "${name}.service" ];
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
@@ -100,9 +100,9 @@ helper.mkPodmanService {
if [[ -e ${cfg.configDir}/config/configuration.yaml ]]; then if [[ -e ${cfg.configDir}/config/configuration.yaml ]]; then
if grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then if grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
exit 0 exit 0
elif grep -qF "use_x_forwarded_for" ${cfg.configDir}/config/configuration.yaml && ! grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml elif grep -qF "use_x_forwarded_for" ${cfg.configDir}/config/configuration.yaml && ! grep -qF "${config.numbus.networking.ipAddress}/24" ${cfg.configDir}/config/configuration.yaml; then
tmp=$(mktemp) tmp=$(mktemp)
head -n -4 ${cfg.configDir}/config/configuration.yaml > "$tmp" head -n -6 ${cfg.configDir}/config/configuration.yaml > "$tmp"
mv "$tmp" ${cfg.configDir}/config/configuration.yaml mv "$tmp" ${cfg.configDir}/config/configuration.yaml
fi fi
fi fi
@@ -114,7 +114,7 @@ helper.mkPodmanService {
http: http:
use_x_forwarded_for: true use_x_forwarded_for: true
trusted_proxies: ${config.numbus.networking.ipAddress}/24 trusted_proxies: 10.89.0.0/16
zha: zha:
EOF EOF
@@ -123,11 +123,11 @@ EOF
}; };
}; };
systemd.services."${name}-quirk-2" = { systemd.services."mqtt-quirk" = {
description = "Podman container quirk 2 : ${name}"; description = "Podman container quirk : Home-assistant MQTT";
wantedBy = [ "multi-user.target" "${name}.service" ]; wantedBy = [ "multi-user.target" "mqtt.service" ];
after = [ "${name}-secrets.service" ]; after = [ "mqtt-secrets.service" ];
before = [ "${name}.service" "${name}-permissions.service" ]; before = [ "mqtt.service" "mqtt-permissions.service" ];
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
startLimitBurst = 5; startLimitBurst = 5;
startLimitIntervalSec = 600; startLimitIntervalSec = 600;
@@ -157,7 +157,7 @@ listener 1883
allow_anonymous false allow_anonymous false
password_file /mosquitto/password.txt password_file /mosquitto/password.txt
EOF EOF
source /var/lib/numbus-server/${name}/.env source /var/lib/numbus-server/mqtt/.env
mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD" mosquitto_passwd -b ${cfg.configDir}/mqtt/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"
chmod 600 ${cfg.configDir}/mqtt/password.txt chmod 600 ${cfg.configDir}/mqtt/password.txt
''; '';
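Review bot: The idempotence check in the quirk script still greps for `${config.numbus.networking.ipAddress}/24` (both the first `if` and the `elif`) while the heredoc now writes `trusted_proxies: 10.89.0.0/16`, so after the first run the `exit 0` branch can never match, the `elif` is always taken, and `head -n -6` truncates and rewrites the tail of configuration.yaml on every start; both greps should look for the value actually written, e.g. `if grep -qF "10.89.0.0/16" ${cfg.configDir}/config/configuration.yaml; then`, and the `-6` only stays correct as long as the appended block (which continues outside the hunk) is exactly six lines. Separately, trusting the whole `10.89.0.0/16` podman range together with `use_x_forwarded_for: true` means any container on that network can set the client address Home Assistant sees; if Traefik's address can be fixed, narrow `trusted_proxies` to it, otherwise a comment stating that the entire container network is trusted would help. The quirk service definition starts and ends outside the hunk.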
+3 -3
@@ -4,7 +4,7 @@ with lib;
let let
# Version tagging # Version tagging
immichVersion = "v2.5.6"; immichVersion = "v2.7.5";
redisVersion = "9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63"; redisVersion = "9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63";
databaseVersion = "14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23"; databaseVersion = "14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23";
# Helper # Helper
@@ -29,8 +29,9 @@ helper.mkPodmanService {
UPLOAD_LOCATION = "${cfg.dataDir}"; UPLOAD_LOCATION = "${cfg.dataDir}";
DB_DATA_LOCATION = "${cfg.configDir}/database"; DB_DATA_LOCATION = "${cfg.configDir}/database";
TZ = "${config.time.timeZone}"; TZ = "${config.time.timeZone}";
IMMICH_VERSION = "v2.5.6"; IMMICH_VERSION = "v2.7.5";
}; };
middlewares = [ "immichSecureHeaders" ];
dirPermissions = [ dirPermissions = [
"100999:100 ${cfg.configDir}" "100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/redis" "100999:100 ${cfg.configDir}/redis"
@@ -40,7 +41,6 @@ helper.mkPodmanService {
"100999:100 ${cfg.configDir}/database" "100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.dataDir}" "100999:100 ${cfg.dataDir}"
]; ];
middlewares = [ "immichSecureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
+4 -6
@@ -106,18 +106,16 @@ with lib;
onFailure = [ "service-failure-notify@%n.service" ]; onFailure = [ "service-failure-notify@%n.service" ];
startLimitBurst = 5; startLimitBurst = 5;
startLimitIntervalSec = 600; startLimitIntervalSec = 600;
path = [ pkgs.podman pkgs.podman-compose pkgs.su pkgs.coreutils ]; path = [ pkgs.podman pkgs.podman-compose pkgs.slirp4netns pkgs.su pkgs.sudo pkgs.coreutils ];
serviceConfig = { serviceConfig = {
Type = "exec"; Type = "exec";
User = "numbus-admin";
Group = "users";
TimeoutStartSec = "1000"; TimeoutStartSec = "1000";
ExecStartPre = [ ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'" "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'"
"${pkgs.podman-compose}/bin/podman-compose -f /etc/podman/${name}/compose.yaml pull" "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull'"
]; ];
ExecStart = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans"; ExecStart = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans'";
ExecStop = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down"; ExecStop = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; exec ${pkgs.sudo}/bin/sudo -u numbus-admin podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down'";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "3m"; RestartSec = "3m";
}; };
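Review bot: Dropping `User = "numbus-admin"` and `Group = "users"` from `serviceConfig` makes the unit itself run as root and then re-drop privilege through `sudo -u numbus-admin` inside a root `bash -c`, which loses systemd's own confinement of the unit and adds sudo to the trust path, apparently only so that `/run/wrappers/bin` (the setuid newuidmap, judging by the "Try to fix newuidmap exec not found" commits) is on PATH. NixOS's `path` option appends `/bin` to each entry, so adding `"/run/wrappers"` to `path` puts the wrappers on the unit's PATH while keeping `User=`/`Group=`, and the three Exec lines can call podman-compose directly as before. If the real blocker is something else (for instance no XDG_RUNTIME_DIR for the rootless user under the service), that should be said in a comment next to the sudo invocation rather than left implicit. The enclosing `mkPodmanService` definition starts and ends outside the hunk.
```nix
path = [ pkgs.podman pkgs.podman-compose pkgs.slirp4netns pkgs.su pkgs.coreutils "/run/wrappers" ];
serviceConfig = {
  Type = "exec";
  # Keep the unit confined to the rootless user; /run/wrappers/bin (newuidmap) comes via `path` above.
  User = "numbus-admin";
  Group = "users";
  # … unchanged: TimeoutStartSec …
  ExecStartPre = [
    "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % ${toString startDelay}))'"
    "${pkgs.podman-compose}/bin/podman-compose -f /etc/podman/${name}/compose.yaml pull"
  ];
  ExecStart = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans";
  ExecStop = "${pkgs.podman-compose}/bin/podman-compose ${envFileArg} --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down";
  # … unchanged: Restart, RestartSec …
};
```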
+52 -20
@@ -4,11 +4,11 @@ with lib;
let let
# Version tagging # Version tagging
nextcloudVersion = "32.0.6"; nextcloudVersion = "33.0.5-apache";
redisVersion = "8.6-alpine"; redisVersion = "8.6-alpine";
databaseVersion = "11.8"; databaseVersion = "11.8";
onlyofficeVersion = "9.2"; onlyofficeVersion = "9.4.0";
whiteboardVersion = "v1.5.6"; whiteboardVersion = "v1.5.9";
# Helper # Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.nextcloud; cfg = config.numbus.services.nextcloud;
@@ -29,18 +29,19 @@ helper.mkPodmanService {
WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -"; WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"; SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
}; };
middlewares = [ "nextcloudSecureHeaders" ];
dirPermissions = [ dirPermissions = [
"100032:100 ${cfg.dataDir}"
"100032:100 ${cfg.configDir}" "100032:100 ${cfg.configDir}"
"100032:100 ${cfg.configDir}/web" "100032:100 ${cfg.configDir}/web"
"100999:100 ${cfg.configDir}/redis" "100999:100 ${cfg.configDir}/redis"
"100999:100 ${cfg.configDir}/database" "100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.configDir}/onlyoffice" "1000:100 ${cfg.configDir}/onlyoffice"
"100999:100 ${cfg.configDir}/onlyoffice/log" "1000:100 ${cfg.configDir}/onlyoffice/log"
"100999:100 ${cfg.configDir}/onlyoffice/cache" "1000:100 ${cfg.configDir}/onlyoffice/cache"
"100999:100 ${cfg.configDir}/onlyoffice/database" "1000:100 ${cfg.configDir}/onlyoffice/data"
"100032:100 ${cfg.dataDir}" "1000:100 ${cfg.configDir}/onlyoffice/database"
]; ];
middlewares = [ "secureHeaders" "nextcloud-dav" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
@@ -74,12 +75,14 @@ helper.mkPodmanService {
MAIL_DOMAIN: ${config.numbus.services.domain} MAIL_DOMAIN: ${config.numbus.services.domain}
APACHE_DISABLE_REWRITE_IP: 1 APACHE_DISABLE_REWRITE_IP: 1
OVERWRITEPROTOCOL: https OVERWRITEPROTOCOL: https
TRUSTED_PROXIES: ${config.numbus.networking.ipAddress} TRUSTED_PROXIES: 10.89.0.0/16
NC_default_phone_region: "${config.numbus.language}" NC_default_phone_region: "${config.numbus.language}"
NC_default_language: "${config.numbus.language}" NC_default_language: "${config.numbus.language}"
NC_default_locale: "${config.numbus.locale}" NC_default_locale: "${config.numbus.locale}"
NC_default_timezone: "${config.time.timeZone}" NC_default_timezone: "${config.time.timeZone}"
NC_maintenance_window_start: "1" NC_maintenance_window_start: "1"
PHP_MEMORY_LIMIT: 1024M
PHP_OPCACHE_MEMORY_CONSUMPTION: 256
depends_on: depends_on:
- nextcloud-database - nextcloud-database
security_opt: security_opt:
@@ -130,14 +133,19 @@ helper.mkPodmanService {
image: docker.io/onlyoffice/documentserver:${onlyofficeVersion} image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
environment: environment:
- JWT_SECRET=$ONLYOFFICE_PASSWORD - JWT_SECRET=$ONLYOFFICE_PASSWORD
- REDIS_SERVER_HOST=nextcloud-redis
- REDIS_SERVER_PORT=6379
- REDIS_SERVER_PASS=$REDIS_PASSWORD
- ADMINPANEL_ENABLED=false
- EXAMPLE_ENABLED=false
- METRICS_ENABLED=false
ports: ports:
- "9980:80/tcp" - "9980:80/tcp"
volumes: volumes:
- ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice - ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
- ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice - ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
- ${cfg.configDir}/onlyoffice/data:/var/www/onlyoffice/Data
- ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql - ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
security_opt:
- no-new-privileges:true
cap_drop: cap_drop:
- NET_RAW - NET_RAW
restart: unless-stopped restart: unless-stopped
@@ -172,7 +180,7 @@ helper.mkPodmanService {
- "websecure" - "websecure"
service: nextcloud-onlyoffice service: nextcloud-onlyoffice
middlewares: middlewares:
- "secureHeaders" - "nextcloudSecureHeaders"
tls: tls:
certresolver: "cloudflare" certresolver: "cloudflare"
options: "secureTLS" options: "secureTLS"
@@ -203,13 +211,37 @@ helper.mkPodmanService {
- url: "http://host.containers.internal:3002" - url: "http://host.containers.internal:3002"
''; '';
environment.etc."traefik/rules/nextcloud-dav.yaml".text = '' environment.etc."traefik/rules/nextcloudSecureHeaders.yaml".text = ''
http: http:
middlewares: middlewares:
nextcloud-dav: nextcloudSecureHeaders:
replacePathRegex: headers:
regex: "^/.well-known/ca(l|rd)dav" FrameDeny: false
replacement: "/remote.php/dav/" CustomFrameOptionsValue: "SAMEORIGIN"
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSSeconds: 315360000
STSIncludeSubdomains: true
STSPreload: true
AccessControlAllowMethods: "GET,OPTIONS,PUT"
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
ReferrerPolicy: same-origin
PermissionsPolicy: "vibrate=()"
ContentSecurityPolicy: >-
default-src https://onlyoffice.${config.numbus.services.domain} 'self';
script-src https://onlyoffice.${config.numbus.services.domain} 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
connect-src 'self';
img-src 'self' data:;
font-src 'self' data:;
frame-src https://onlyoffice.${config.numbus.services.domain} 'self';
frame-ancestors https://onlyoffice.${config.numbus.services.domain} 'self';
object-src 'none';
base-uri 'self';
''; '';
systemd.services."${name}-quirk" = { systemd.services."${name}-quirk" = {
@@ -234,9 +266,9 @@ helper.mkPodmanService {
done done
source /var/lib/numbus-server/${name}/.env source /var/lib/numbus-server/${name}/.env
until $OCC status >/dev/null 2>&1; do until $OCC status | grep -iq "installed: true" >/dev/null 2>&1; do
echo "Waiting for Nextcloud to be up and running..." echo "Waiting for Nextcloud to be up and running..."
sleep 10 sleep 60
done done
$OCC db:add-missing-indices $OCC db:add-missing-indices
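Review bot: The `ContentSecurityPolicy` in the new `nextcloudSecureHeaders` middleware allows `'unsafe-inline'` in both `script-src` and `style-src`; Traefik's headers middleware sets that header on the response, which as far as I can tell replaces the nonce-based CSP Nextcloud emits itself, so the result is a looser policy than the backend's own — if the override exists only to permit the OnlyOffice frame, consider leaving `ContentSecurityPolicy` out of the middleware and configuring the frame source on the Nextcloud side, or add a comment stating why inline scripts must be allowed. `AccessControlAllowOriginList: - origin-list-or-null` is the literal placeholder from the Traefik documentation and matches no real origin, so it should be removed or replaced by the intended origin, and `AccessControlAllowMethods: "GET,OPTIONS,PUT"` is written as a scalar where Traefik documents a YAML list — confirm the file provider accepts it. `TRUSTED_PROXIES: 10.89.0.0/16` widens the trusted proxy from one host to the whole podman network, so any container on it can forge `X-Forwarded-For` toward Nextcloud; the same concern applies to the Home Assistant change in this compare. The `.well-known/ca(l|rd)dav` rewrite that lived in the removed `nextcloud-dav` middleware is gone with nothing replacing it here; the `-apache` image's bundled `.htaccess` may handle those redirects, but Nextcloud's admin setup check will report it if it does not.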
+1
@@ -25,6 +25,7 @@ helper.mkPodmanService {
DB_PASSWORD = "xkcdpass -n 10 -d -"; DB_PASSWORD = "xkcdpass -n 10 -d -";
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}"; SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"100032:100 ${cfg.configDir}" "100032:100 ${cfg.configDir}"
"100032:100 ${cfg.configDir}/gpg" "100032:100 ${cfg.configDir}/gpg"
+1 -1
@@ -24,10 +24,10 @@ helper.mkPodmanService {
generatedSecrets = { generatedSecrets = {
PIHOLE_PASSWORD = "xkcdpass -n 10 -d -"; PIHOLE_PASSWORD = "xkcdpass -n 10 -d -";
}; };
middlewares = [ "secureHeaders" ];
dirPermissions = [ dirPermissions = [
"100999:100 ${cfg.configDir}" "100999:100 ${cfg.configDir}"
]; ];
middlewares = [ "secureHeaders" ];
# Compose file good # Compose file good
composeText = '' composeText = ''
+1 -1
@@ -4,7 +4,7 @@ with lib;
let let
# Version tagging # Version tagging
traefikVersion = "v3.6.8"; traefikVersion = "v3.7.4";
# Helper # Helper
helper = import ./lib.nix { inherit config pkgs lib; }; helper = import ./lib.nix { inherit config pkgs lib; };
cfg = config.numbus.services.traefik; cfg = config.numbus.services.traefik;