From df6139c3bc29600d49fdf608ce3fdf72c7df4b62 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sat, 26 Jul 2025 23:42:08 +0200
Subject: [PATCH 01/11] Mako: fixed defaulttimeout
---
 home/wayland/mako.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home/wayland/mako.nix b/home/wayland/mako.nix
index 7ccbfd9..b132e29 100644
--- a/home/wayland/mako.nix
+++ b/home/wayland/mako.nix
@@ -3,6 +3,6 @@
 in {
 services.mako = {
 inherit (osConfig.programs.hyprland) enable;
- settings.defaultTimeout = 5000;
+ settings.default_timeout = 5000;
 };
 }
From f79aa0d5d65bd57f6ffbdc806d10d0a8c0328a27 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 27 Jul 2025 23:11:24 +0200
Subject: [PATCH 02/11] WLUMA: was peaking out cpu usgage via dbus?!?
---
 hosts/laptop/default.nix | 1 -
 hosts/laptop/wluma.nix | 31 -------------------------------
 2 files changed, 32 deletions(-)
 delete mode 100644 hosts/laptop/wluma.nix
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index e417d54..072ace5 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -2,7 +2,6 @@
 imports = [
 ./hardware-configuration.nix
 ./virt.nix
- ./wluma.nix
 ];
 programs.appimage.enable = true;
diff --git a/hosts/laptop/wluma.nix b/hosts/laptop/wluma.nix
deleted file mode 100644
index 593c1c1..0000000
--- a/hosts/laptop/wluma.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- hardware.sensor.iio.enable = true; # brightness sensor
- home-manager.users.jsw.services.wluma = {
- enable = true;
- settings = {
- als.iio = {
- path = "/sys/bus/iio/devices";
- thresholds = {
- "0" = "night";
- "10" = "dark";
- "100" = "normal";
- "20" = "dim";
- "200" = "bright";
- "500" = "outdoors";
- };
- };
- output.backlight = [
- {
- capturer = "none";
- name = "eDP-1";
- path = "/sys/class/backlight/amdgpu_bl1";
- }
- {
- capturer = "none";
- name = "keyboard";
- path = "/sys/bus/platform/devices/cros-keyboard-leds.5.auto/leds/chromeos::kbd_backlight";
- }
- ];
- };
- };
-}
From 0ece7c4a29cffdf88af4e4621194aa77e0c9280c Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 27 Jul 2025 23:12:03 +0200
Subject: [PATCH 03/11] Fixed mako; added visicut
---
 flake.nix | 1 +
 home/programs/other.nix | 19 ++++++++++--------
 home/wayland/mako.nix | 2 +-
 pkgs/default.nix | 8 ++++++++
 pkgs/visicut/default.nix | 43 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 64 insertions(+), 9 deletions(-)
 create mode 100644 pkgs/default.nix
 create mode 100644 pkgs/visicut/default.nix
diff --git a/flake.nix b/flake.nix
index e246a86..b0126ab 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,7 @@
 imports = [
 inputs.git-hooks-nix.flakeModule
 ./hosts
+ ./pkgs
 ];
 perSystem = {
diff --git a/home/programs/other.nix b/home/programs/other.nix
index ded8233..15404d7 100644
--- a/home/programs/other.nix
+++ b/home/programs/other.nix
@@ -2,14 +2,17 @@
 pkgs,
 lib,
 osConfig,
+ self,
 ...
 }: {
- home.packages = lib.mkIf osConfig.niksos.desktop.apps [
- pkgs.spotify
- pkgs.signal-desktop
- pkgs.bambu-studio
- pkgs.gimp
- pkgs.inkscape
- pkgs.thunderbird
- ];
+ home.packages =
+ lib.optionals osConfig.niksos.desktop.apps [
+ pkgs.spotify
+ pkgs.signal-desktop
+ pkgs.bambu-studio
+ pkgs.gimp
+ pkgs.inkscape
+ pkgs.thunderbird
+ ]
+ ++ lib.optional osConfig.niksos.hardware.portable.enable self.packages.${pkgs.system}.visicut;
 }
diff --git a/home/wayland/mako.nix b/home/wayland/mako.nix
index b132e29..c35e59b 100644
--- a/home/wayland/mako.nix
+++ b/home/wayland/mako.nix
@@ -3,6 +3,6 @@
 in {
 services.mako = {
 inherit (osConfig.programs.hyprland) enable;
- settings.default_timeout = 5000;
+ settings.default-timeout = 5000;
 };
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..888892c
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,8 @@
+{
+ systems = ["x86_64-linux"];
+ perSystem = {pkgs, ...}: {
+ packages = {
+ visicut = pkgs.callPackage ./visicut {};
+ };
+ };
+}
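Review bot: `self.packages.${pkgs.system}.visicut` in the rewritten `home.packages` expression selects the package set by `pkgs.system`; as far as I know nixpkgs' contributor guidance prefers `pkgs.stdenv.hostPlatform.system`, which keeps meaning "the platform this configuration runs on" even when cross-compiling, so `self.packages.${pkgs.stdenv.hostPlatform.system}.visicut` would be the safer spelling. The `lib.mkIf` to `lib.optionals`/`lib.optional` rewrite itself looks right, since concatenating two lists needs plain lists rather than an `mkIf` wrapper. The enclosing module function starts before the hunk.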
diff --git a/pkgs/visicut/default.nix b/pkgs/visicut/default.nix
new file mode 100644
index 0000000..ef92913
--- /dev/null
+++ b/pkgs/visicut/default.nix
@@ -0,0 +1,43 @@
+{
+ appimageTools,
+ fetchurl,
+ lib,
+}: let
+ pname = "VisiCut";
+ version = "2.1";
+
+ src = fetchurl {
+ url = "https://github.com/t-oster/VisiCut/releases/download/${version}/VisiCut-${version}+devel-x86_64.AppImage";
+ hash = "sha256-Mq6Rjozshwk8asY+5egScQ5TkoxzRnWlZ9p0WeEOoiE=";
+ };
+
+ appimageContents = appimageTools.extract {
+ inherit pname version src;
+ postExtract = ''
+ substituteInPlace $out/${desktopFile} --replace-fail 'Exec=visicut' 'Exec=${pname}'
+ '';
+ };
+
+ desktopFile = "VisiCut.desktop";
+ iconFile = "visicut.png";
+in
+ appimageTools.wrapType2 {
+ inherit pname version src;
+
+ extraInstallCommands = ''
+ install -m 444 -D ${appimageContents}/${desktopFile} $out/share/applications/${desktopFile}
+ install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/128x128/apps/${iconFile} \
+ $out/share/icons/hicolor/128x128/apps/${iconFile}
+ '';
+
+ meta = {
+ description = "A userfriendly tool to prepare, save and send Jobs to Lasercutters.";
+ homepage = "https://visicut.org/";
+ downloadPage = "https://github.com/t-oster/VisiCut/releases/";
+ license = lib.licenses.lgpl3;
+ sourceProvenance = with lib.sourceTypes; [binaryNativeCode];
+ # maintainers = with lib.maintainers; [onny];
+ mainProgram = "VisiCut";
+ platforms = ["x86_64-linux"];
+ };
+ }
From 3507a04fcee4b413ff99d5a3cd77d6f188eb1264 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Tue, 29 Jul 2025 11:03:04 +0200
Subject: [PATCH 04/11] DerekBot: breadbot update
---
 secrets/bread-dcbot.age | Bin 1009 -> 1124 bytes
 system/server/derekBot.nix | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
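Review bot: `pname = "VisiCut"` departs from the lowercase pname convention used in nixpkgs, and it is the only reason the `postExtract` hook has to rewrite the desktop file with `substituteInPlace ... 'Exec=visicut' 'Exec=${pname}'`: with `pname = "visicut";` wrapType2 installs `$out/bin/visicut`, the shipped `Exec=visicut` already matches, and the hook can go (lowercase `mainProgram` to match). Two meta nits in the same hunk: nixpkgs asks that `description` not end with a period, and it reads better as `description = "User-friendly tool to prepare, save and send jobs to laser cutters";`; the commented-out `maintainers` line should either name the actual maintainer or be removed. Since this is a prebuilt AppImage (correctly declared via `sourceProvenance = [binaryNativeCode]`), the pinned `hash` is the only integrity control on what gets executed, so a `# bump hash together with version` comment next to `version` would help whoever does the next upgrade.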
diff --git a/secrets/bread-dcbot.age b/secrets/bread-dcbot.age index 81ae673fa70e39c73ce58ef4fbae133889cf1f74..e65c88bd9b882ef55c2e2bf2f372502f7b60c6d3 100644 GIT binary patch delta 1038 zcmey!{)A(KPQ6EJN^WFQZltk)g_mP~l7B|Fcc`zse`3C~QASCXp|fvURZdxMN^wbf zAeTvcuzpZjSZP?OaiP0KM3QGoRB=>Zs7JA7s7XprXl`JoNuXI?h_-u$374*&LUD11 zZfc5=si~o*f^S-od6=U@Zb6Bkc7%43rDt(^U`l{tlv|3Cp>I)Tg=LasO177CNWQOU zpl^U{s)cbVSCBLGLtJ3D+(i%0&>k=obs|gGn`zx4DzBp^E0(mvy2Q&i*r&# z1Ii-;{8B<)%aTkB(u4fH{R1p>(%dTC9gAHjpJf!U4@=J|jwlZ_@U(RCvM{O0ckxe* z$V_r_42Uo^Gmdhy46bktOA9qjD$H=@@-a5jb_uU^&NdAUO}8|O$V+wgaVZG$N^~`M z%yLPO@~QBuD2u2}@yPW>kAbkjN;88%g;WcpKo4z~0`26`#H7kVNA3FTydaabO3!>Z zGb8=b3In5JeV2?%@3JbVa;}ncUq{nS%UrLBaC4IgBkv&d5(D#aZPSXVK+~#%+^RGm z!wi4_^b%8pY%X10U4_sLZJ+EaQ{ONz-=xf-l-#HcqmsakfZ~u0uRyOXC*xHA3{St5 zfPmugY_6owC*7PxxYO#V9qBnPrky1g?dB4!AHP!Ykw?*ShAZ*&?WW5H`QF<8{?;$H ze{N0DOq-Y*@+#)-TVnH+A#0z_>m7o}iv14O=1%0<~`}XIKa{y(=}b zk9Xa3=~LIm1mpgO^W9~)C9YVlJCk*?=<@MyZHu{wz9|V?Uhb{9BY&*?<9o$>e{BU< zCOFDOHx_?7=b&(K%|gy*KCzCAFMk(I_#X7^@J=}J06^~CCSD@KVi+ehD?T5vJ-)(#I=J%63H@?M59lq1`Jtk%T zVaHj{3jbWpcjO+zMV_AM7m#v$|AAkYqEqtz N9JOV&E^n9g0RWm|lPv%M delta 922 zcmaFD@sWLkPJMobw||6Bes-dxiFsLYKxl?@ev)@oUa(hiZb(F=sfSyVf3CSvM6ypt zK37mixN};#uV;Efw^&Hpm)A+aao~xB$uw8LUD11 zZfc5=si~o*f^S-od6=U@Zm6?&qN|yAiBGv}VTGYbsGFCMb4t07vyZF3S8h^KaZYKt zo3me@t3g#VS46l)W<|1TSU_ZOrc+soTZzBBVX$XnWl?UBd2w#3L8NwguyaPCXOX|> z#E;_PQKqh`5dl#qrQVi>1tEFH5tf13e(AY|VZp)4k=mxgewE>dX=&Ptmf@aUfg$N- z7U5yq1-`~c{;7^Z=AJ2zo~eZ?k-?Q&?m<(Ji3U%=*_Y95jtTM{Y@hlH2cJ<2l zDlqVN&rON)iwN^G*AELskAbkjN;88%g*?N^LhX$F(DJOzBCpcoB#-*whz!RZFPA_! zSBngv^88Y_vOGCpgb3o zP_OigVlJ`vt%uVtEL&f1pwwe~=U_J1)mv%ZOi2M=+ve@{NUL4 z{CDg6w(r+2C#E&~9M|gT zagWaAf=5d#B7faYpS?TiO!cN$jfcKXc<}x9?F+pJ!-5x|@RX~I>{f^i(0IAuo@1)$ ztc{y^|C!HrF)@2;cHgyh^_n?X0(X9Sdb77dY+n^eQEvR2X=ndfrWvYLF10?dKb`sf xcd_YqGmMVBSv`I8;+&Uuy|1+w`fXir+9kMWhEIM2PfW)3WhQ3EpA9zK0{{fwV@Uu2 diff --git a/system/server/derekBot.nix b/system/server/derekBot.nix index 4c5791f..c71da3d 100644 --- a/system/server/derekBot.nix 
+++ b/system/server/derekBot.nix
@@ -53,7 +53,7 @@ in {
 cd "${programDir}"
 git fetch
- git reset --hard HEAD
+ git reset --hard origin/HEAD
 DENO_DIR=${denoDir} deno i
 '';
From 1f8a4e0e79a940dfedd8bcd97367bfdcfe5d3c2e Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 25 Jul 2025 14:40:16 +0200
Subject: [PATCH 05/11] Added base nexcloud
---
 secrets/default.nix | 4 ++
 secrets/nextcloud-admin-pass.age | 17 +++++
 secrets/secrets.nix | 1 +
 system/server/default.nix | 1 +
 system/server/nextcloud.nix | 109 +++++++++++++++++++++++++++++++
 5 files changed, 132 insertions(+)
 create mode 100644 secrets/nextcloud-admin-pass.age
 create mode 100644 system/server/nextcloud.nix
diff --git a/secrets/default.nix b/secrets/default.nix
index b2ffdcc..eb03533 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -42,5 +42,9 @@ in {
 file = ./immich-oidc.age;
 owner = abstrServiceUser "immich";
 };
+ nextcloud-admin-pass = mkIf server {
+ file = ./nextcloud-admin-pass.age;
+ owner = "nextcloud";
+ };
 };
 }
diff --git a/secrets/nextcloud-admin-pass.age b/secrets/nextcloud-admin-pass.age
new file mode 100644
index 0000000..23c404a
--- /dev/null
+++ b/secrets/nextcloud-admin-pass.age
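Review bot: `git reset --hard origin/HEAD` followed by `DENO_DIR=${denoDir} deno i` makes the bot check out and install whatever the remote's default branch points at on every run, with no pinned revision and no signature check, so anyone who can push to (or force-push) that remote gets code executed as this service at the next start. Consider pinning to a reviewed commit, e.g. `git reset --hard "${rev}"` with a `rev` binding declared next to `programDir`/`denoDir`, or at minimum `git verify-commit origin/HEAD` before the reset if upstream signs its commits; the fix from plain `HEAD` is otherwise correct, since the old line never moved the working tree. The script and the `let` bindings it interpolates begin outside the hunk. The same hunk is committed again as PATCH 07/11.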
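Review bot: `owner = "nextcloud";` hard-codes the owner of the new secret while the neighbouring immich entry derives it with `abstrServiceUser "immich"`; if that helper resolves to the service's system user (its definition is outside the hunk), `owner = abstrServiceUser "nextcloud";` keeps this file consistent and tracks whatever user the nextcloud module actually creates. Gating the entry with `mkIf server` matches the rest of the file, assuming the earlier entries use the same guard.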
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA Njcl+VZAFcfupb9luHQjSAzzPar8k0G0WVU8EtS37EY +8IPsa1mz7qpxOmzXRNCwcp2KsBH45nM6M4D5vm1BgE8 +-> ssh-ed25519 MfR7VA WjSU/1VNHqylcPlaB+5FIyY879kQy/c+AyfdHrt6Xyo +KIDdbbNcy+DQ9q+Eo8dzxDMlq8vR8XeKvRps+/ghe+E +-> ssh-ed25519 +cvRTg eEExK1tU/S//HUL4x0SsJw8taRdOgLnOntUlpqVvMwk +7pB4ROtshkMGw/D4mkVdi7a3vYGoIyCodSCsKcplTws +-> ssh-ed25519 WCPLrA dNpd63ZB4ZlsgMlvdPeiW8VguhPkgRjCBor66cTAq1Q +IFSbLiZs8QBAqruyV3Zuoe6iE5ctW4Aw+8ipQ/5rUGM +-> ssh-ed25519 7/ziYw asgAI0TYuK4irNyoq/WFVCBrWC7NIJU5S4HQEfqEWTA +YoCVz1GzZ+swKb/qT+hhnTy3/mcBDFkaHAomzyApY6I +-> ssh-ed25519 VQy60Q 3XY6OcWrf3ZmXJNMo0tPrXofyjNtvt9VQaewkDZymTs ++JLpflAACxg6Esvq43FedOs56BuGa/6usymtfZl96nI +--- 4dcH0MunNPsvsrUmFGYIgSMsgS2BNluJOa9ZmgZro6k +Ød+ +Tðß +5òB}¢GÊkKÐ9Èšžqû$(q`†u$¶ù“»êÿ“Hˆ¦gC!÷ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index df90563..72393aa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,4 +22,5 @@ in { "zitadel-key.age".publicKeys = keys; "forgejo-mailpass.age".publicKeys = keys; "immich-oidc.age".publicKeys = keys; + "nextcloud-admin-pass.age".publicKeys = keys; } diff --git a/system/server/default.nix b/system/server/default.nix index c6ac1c8..7319695 100644 --- a/system/server/default.nix +++ b/system/server/default.nix @@ -10,6 +10,7 @@ ./matrix.nix ./temp.nix ./zitadel.nix + ./nextcloud.nix ]; options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option. } diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix new file mode 100644 index 0000000..8014370 --- /dev/null +++ b/system/server/nextcloud.nix 
@@ -0,0 +1,109 @@ +{ + config, + pkgs, + lib, + ... +}: let + inherit (config.niksos) server; + host = "cloud.jsw.tf"; + nginxRoot = config.services.nginx.virtualHosts.${host}.root; + fpmSocket = config.services.phpfpm.pools.nextcloud.socket; +in { + services = lib.mkIf server { + nextcloud = { + enable = true; + hostName = host; + + # Need to manually increment with every major upgrade. + package = pkgs.nextcloud31; + + database.createLocally = true; + configureRedis = true; + + maxUploadSize = "16G"; + https = true; + + autoUpdateApps.enable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit calendar contacts mail notes tasks; + }; + + settings = { + default_phone_region = "NL"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; + }; + config = { + adminuser = "jsw-admin"; + adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; + dbtype = "pgsql"; + }; + }; + + caddy.virtualHosts.${host}.extraConfig = '' + encode zstd gzip + + root * ${nginxRoot} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By + } + + php_fastcgi unix/${fpmSocket} { + root ${nginxRoot} + env front_controller_active true + env modHeadersAvailable 
true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; + }; +} From e8e216e25f39886bf05247111684d243302d17d9 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 25 Jul 2025 14:52:31 +0200 Subject: [PATCH 06/11] Nextcloud: added caddy to nextcloud group so that it can read socket. --- system/server/nextcloud.nix | 182 ++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 89 deletions(-) diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix index 8014370..4bfa5bf 100644 --- a/system/server/nextcloud.nix +++ b/system/server/nextcloud.nix 
@@ -9,101 +9,105 @@ nginxRoot = config.services.nginx.virtualHosts.${host}.root; fpmSocket = config.services.phpfpm.pools.nextcloud.socket; in { - services = lib.mkIf server { - nextcloud = { - enable = true; - hostName = host; + config = lib.mkIf server { + users.groups.nextcloud.members = ["nextcloud" "caddy"]; + services = { + nextcloud = { + enable = true; + hostName = host; - # Need to manually increment with every major upgrade. - package = pkgs.nextcloud31; + # Need to manually increment with every major upgrade. + package = pkgs.nextcloud31; - database.createLocally = true; - configureRedis = true; + database.createLocally = true; + configureRedis = true; - maxUploadSize = "16G"; - https = true; + maxUploadSize = "16G"; + https = true; - autoUpdateApps.enable = true; - extraAppsEnable = true; - extraApps = with config.services.nextcloud.package.packages.apps; { - # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json - inherit calendar contacts mail notes tasks; + autoUpdateApps.enable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit calendar contacts mail notes tasks; + }; + + settings = { + default_phone_region = "NL"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; + }; + config = { + adminuser = "jsw-admin"; + adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; + dbtype = "pgsql"; + }; }; - settings = { - default_phone_region = "NL"; - enabledPreviewProviders = [ - "OC\\Preview\\BMP" - "OC\\Preview\\GIF" - "OC\\Preview\\JPEG" - "OC\\Preview\\Krita" - "OC\\Preview\\MarkDown" - "OC\\Preview\\MP3" - 
"OC\\Preview\\OpenDocument" - "OC\\Preview\\PNG" - "OC\\Preview\\TXT" - "OC\\Preview\\XBitmap" - "OC\\Preview\\HEIC" - ]; - }; - config = { - adminuser = "jsw-admin"; - adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; - dbtype = "pgsql"; - }; + nginx.enable = lib.mkForce false; + caddy.virtualHosts."${host}".extraConfig = '' + encode zstd gzip + + root * ${nginxRoot} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By + } + + php_fastcgi unix/${fpmSocket} { + root ${nginxRoot} + env front_controller_active true + env modHeadersAvailable true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; }; - - caddy.virtualHosts.${host}.extraConfig = '' - encode zstd gzip - - root * ${nginxRoot} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - header { - Strict-Transport-Security max-age=31536000 - Permissions-Policy 
interest-cohort=() - X-Content-Type-Options nosniff - X-Frame-Options SAMEORIGIN - Referrer-Policy no-referrer - X-XSS-Protection "1; mode=block" - X-Permitted-Cross-Domain-Policies none - X-Robots-Tag "noindex, nofollow" - -X-Powered-By - } - - php_fastcgi unix/${fpmSocket} { - root ${nginxRoot} - env front_controller_active true - env modHeadersAvailable true - } - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - error @forbidden 404 - - @immutable { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - query v=* - } - header @immutable Cache-Control "max-age=15778463, immutable" - - @static { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - not query v=* - } - header @static Cache-Control "max-age=15778463" - - @woff2 path *.woff2 - header @woff2 Cache-Control "max-age=604800" - - file_server - ''; }; } From aff6ae1ab314c477dc44d6706a7bacf38e383b8c Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Tue, 29 Jul 2025 11:03:04 +0200 Subject: [PATCH 07/11] DerekBot: breadbot update --- secrets/bread-dcbot.age | Bin 1009 -> 1124 bytes system/server/derekBot.nix | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
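Review bot: `users.groups.nextcloud.members = ["nextcloud" "caddy"];` puts the web server in the nextcloud group to reach the php-fpm socket, which grants more than the socket: anything group-readable by `nextcloud` (the config and data directories are the obvious candidates; their modes are worth confirming) becomes readable by caddy. PATCH 10/11 later sets `"listen.owner"`/`"listen.group"` on the php-fpm pool to caddy's user and group, which appears to solve the socket permission on its own, so this group line can be dropped to keep caddy at least privilege. Minor: `caddy.virtualHosts."${host}"` quotes an interpolation that the removed `caddy.virtualHosts.${host}` already expressed. The same hunk is committed again as PATCH 09/11.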
diff --git a/secrets/bread-dcbot.age b/secrets/bread-dcbot.age index 81ae673fa70e39c73ce58ef4fbae133889cf1f74..e65c88bd9b882ef55c2e2bf2f372502f7b60c6d3 100644 GIT binary patch delta 1038 zcmey!{)A(KPQ6EJN^WFQZltk)g_mP~l7B|Fcc`zse`3C~QASCXp|fvURZdxMN^wbf zAeTvcuzpZjSZP?OaiP0KM3QGoRB=>Zs7JA7s7XprXl`JoNuXI?h_-u$374*&LUD11 zZfc5=si~o*f^S-od6=U@Zb6Bkc7%43rDt(^U`l{tlv|3Cp>I)Tg=LasO177CNWQOU zpl^U{s)cbVSCBLGLtJ3D+(i%0&>k=obs|gGn`zx4DzBp^E0(mvy2Q&i*r&# z1Ii-;{8B<)%aTkB(u4fH{R1p>(%dTC9gAHjpJf!U4@=J|jwlZ_@U(RCvM{O0ckxe* z$V_r_42Uo^Gmdhy46bktOA9qjD$H=@@-a5jb_uU^&NdAUO}8|O$V+wgaVZG$N^~`M z%yLPO@~QBuD2u2}@yPW>kAbkjN;88%g;WcpKo4z~0`26`#H7kVNA3FTydaabO3!>Z zGb8=b3In5JeV2?%@3JbVa;}ncUq{nS%UrLBaC4IgBkv&d5(D#aZPSXVK+~#%+^RGm z!wi4_^b%8pY%X10U4_sLZJ+EaQ{ONz-=xf-l-#HcqmsakfZ~u0uRyOXC*xHA3{St5 zfPmugY_6owC*7PxxYO#V9qBnPrky1g?dB4!AHP!Ykw?*ShAZ*&?WW5H`QF<8{?;$H ze{N0DOq-Y*@+#)-TVnH+A#0z_>m7o}iv14O=1%0<~`}XIKa{y(=}b zk9Xa3=~LIm1mpgO^W9~)C9YVlJCk*?=<@MyZHu{wz9|V?Uhb{9BY&*?<9o$>e{BU< zCOFDOHx_?7=b&(K%|gy*KCzCAFMk(I_#X7^@J=}J06^~CCSD@KVi+ehD?T5vJ-)(#I=J%63H@?M59lq1`Jtk%T zVaHj{3jbWpcjO+zMV_AM7m#v$|AAkYqEqtz N9JOV&E^n9g0RWm|lPv%M delta 922 zcmaFD@sWLkPJMobw||6Bes-dxiFsLYKxl?@ev)@oUa(hiZb(F=sfSyVf3CSvM6ypt zK37mixN};#uV;Efw^&Hpm)A+aao~xB$uw8LUD11 zZfc5=si~o*f^S-od6=U@Zm6?&qN|yAiBGv}VTGYbsGFCMb4t07vyZF3S8h^KaZYKt zo3me@t3g#VS46l)W<|1TSU_ZOrc+soTZzBBVX$XnWl?UBd2w#3L8NwguyaPCXOX|> z#E;_PQKqh`5dl#qrQVi>1tEFH5tf13e(AY|VZp)4k=mxgewE>dX=&Ptmf@aUfg$N- z7U5yq1-`~c{;7^Z=AJ2zo~eZ?k-?Q&?m<(Ji3U%=*_Y95jtTM{Y@hlH2cJ<2l zDlqVN&rON)iwN^G*AELskAbkjN;88%g*?N^LhX$F(DJOzBCpcoB#-*whz!RZFPA_! zSBngv^88Y_vOGCpgb3o zP_OigVlJ`vt%uVtEL&f1pwwe~=U_J1)mv%ZOi2M=+ve@{NUL4 z{CDg6w(r+2C#E&~9M|gT zagWaAf=5d#B7faYpS?TiO!cN$jfcKXc<}x9?F+pJ!-5x|@RX~I>{f^i(0IAuo@1)$ ztc{y^|C!HrF)@2;cHgyh^_n?X0(X9Sdb77dY+n^eQEvR2X=ndfrWvYLF10?dKb`sf xcd_YqGmMVBSv`I8;+&Uuy|1+w`fXir+9kMWhEIM2PfW)3WhQ3EpA9zK0{{fwV@Uu2 diff --git a/system/server/derekBot.nix b/system/server/derekBot.nix index 4c5791f..c71da3d 100644 --- a/system/server/derekBot.nix 
+++ b/system/server/derekBot.nix
@@ -53,7 +53,7 @@ in {
 cd "${programDir}"
 git fetch
- git reset --hard HEAD
+ git reset --hard origin/HEAD
 DENO_DIR=${denoDir} deno i
 '';
From f47eb458ee8e2f679af667beda1e179079b78607 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 25 Jul 2025 14:40:16 +0200
Subject: [PATCH 08/11] Added base nexcloud
---
 secrets/default.nix | 4 ++
 secrets/nextcloud-admin-pass.age | 17 +++++
 secrets/secrets.nix | 1 +
 system/server/default.nix | 1 +
 system/server/nextcloud.nix | 109 +++++++++++++++++++++++++++++++
 5 files changed, 132 insertions(+)
 create mode 100644 secrets/nextcloud-admin-pass.age
 create mode 100644 system/server/nextcloud.nix
diff --git a/secrets/default.nix b/secrets/default.nix
index b2ffdcc..eb03533 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -42,5 +42,9 @@ in {
 file = ./immich-oidc.age;
 owner = abstrServiceUser "immich";
 };
+ nextcloud-admin-pass = mkIf server {
+ file = ./nextcloud-admin-pass.age;
+ owner = "nextcloud";
+ };
 };
 }
diff --git a/secrets/nextcloud-admin-pass.age b/secrets/nextcloud-admin-pass.age
new file mode 100644
index 0000000..23c404a
--- /dev/null
+++ b/secrets/nextcloud-admin-pass.age
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA Njcl+VZAFcfupb9luHQjSAzzPar8k0G0WVU8EtS37EY +8IPsa1mz7qpxOmzXRNCwcp2KsBH45nM6M4D5vm1BgE8 +-> ssh-ed25519 MfR7VA WjSU/1VNHqylcPlaB+5FIyY879kQy/c+AyfdHrt6Xyo +KIDdbbNcy+DQ9q+Eo8dzxDMlq8vR8XeKvRps+/ghe+E +-> ssh-ed25519 +cvRTg eEExK1tU/S//HUL4x0SsJw8taRdOgLnOntUlpqVvMwk +7pB4ROtshkMGw/D4mkVdi7a3vYGoIyCodSCsKcplTws +-> ssh-ed25519 WCPLrA dNpd63ZB4ZlsgMlvdPeiW8VguhPkgRjCBor66cTAq1Q +IFSbLiZs8QBAqruyV3Zuoe6iE5ctW4Aw+8ipQ/5rUGM +-> ssh-ed25519 7/ziYw asgAI0TYuK4irNyoq/WFVCBrWC7NIJU5S4HQEfqEWTA +YoCVz1GzZ+swKb/qT+hhnTy3/mcBDFkaHAomzyApY6I +-> ssh-ed25519 VQy60Q 3XY6OcWrf3ZmXJNMo0tPrXofyjNtvt9VQaewkDZymTs ++JLpflAACxg6Esvq43FedOs56BuGa/6usymtfZl96nI +--- 4dcH0MunNPsvsrUmFGYIgSMsgS2BNluJOa9ZmgZro6k +Ød+ +Tðß +5òB}¢GÊkKÐ9Èšžqû$(q`†u$¶ù“»êÿ“Hˆ¦gC!÷ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index df90563..72393aa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,4 +22,5 @@ in { "zitadel-key.age".publicKeys = keys; "forgejo-mailpass.age".publicKeys = keys; "immich-oidc.age".publicKeys = keys; + "nextcloud-admin-pass.age".publicKeys = keys; } diff --git a/system/server/default.nix b/system/server/default.nix index c6ac1c8..7319695 100644 --- a/system/server/default.nix +++ b/system/server/default.nix @@ -10,6 +10,7 @@ ./matrix.nix ./temp.nix ./zitadel.nix + ./nextcloud.nix ]; options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option. } diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix new file mode 100644 index 0000000..8014370 --- /dev/null +++ b/system/server/nextcloud.nix 
@@ -0,0 +1,109 @@ +{ + config, + pkgs, + lib, + ... +}: let + inherit (config.niksos) server; + host = "cloud.jsw.tf"; + nginxRoot = config.services.nginx.virtualHosts.${host}.root; + fpmSocket = config.services.phpfpm.pools.nextcloud.socket; +in { + services = lib.mkIf server { + nextcloud = { + enable = true; + hostName = host; + + # Need to manually increment with every major upgrade. + package = pkgs.nextcloud31; + + database.createLocally = true; + configureRedis = true; + + maxUploadSize = "16G"; + https = true; + + autoUpdateApps.enable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit calendar contacts mail notes tasks; + }; + + settings = { + default_phone_region = "NL"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; + }; + config = { + adminuser = "jsw-admin"; + adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; + dbtype = "pgsql"; + }; + }; + + caddy.virtualHosts.${host}.extraConfig = '' + encode zstd gzip + + root * ${nginxRoot} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By + } + + php_fastcgi unix/${fpmSocket} { + root ${nginxRoot} + env front_controller_active true + env modHeadersAvailable 
true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; + }; +} From ade92871e4ffbc523cdb6f880d5a7908b7603bdd Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 25 Jul 2025 14:52:31 +0200 Subject: [PATCH 09/11] Nextcloud: added caddy to nextcloud group so that it can read socket. --- system/server/nextcloud.nix | 182 ++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 89 deletions(-) diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix index 8014370..4bfa5bf 100644 --- a/system/server/nextcloud.nix +++ b/system/server/nextcloud.nix 
@@ -9,101 +9,105 @@ nginxRoot = config.services.nginx.virtualHosts.${host}.root; fpmSocket = config.services.phpfpm.pools.nextcloud.socket; in { - services = lib.mkIf server { - nextcloud = { - enable = true; - hostName = host; + config = lib.mkIf server { + users.groups.nextcloud.members = ["nextcloud" "caddy"]; + services = { + nextcloud = { + enable = true; + hostName = host; - # Need to manually increment with every major upgrade. - package = pkgs.nextcloud31; + # Need to manually increment with every major upgrade. + package = pkgs.nextcloud31; - database.createLocally = true; - configureRedis = true; + database.createLocally = true; + configureRedis = true; - maxUploadSize = "16G"; - https = true; + maxUploadSize = "16G"; + https = true; - autoUpdateApps.enable = true; - extraAppsEnable = true; - extraApps = with config.services.nextcloud.package.packages.apps; { - # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json - inherit calendar contacts mail notes tasks; + autoUpdateApps.enable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit calendar contacts mail notes tasks; + }; + + settings = { + default_phone_region = "NL"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; + }; + config = { + adminuser = "jsw-admin"; + adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; + dbtype = "pgsql"; + }; }; - settings = { - default_phone_region = "NL"; - enabledPreviewProviders = [ - "OC\\Preview\\BMP" - "OC\\Preview\\GIF" - "OC\\Preview\\JPEG" - "OC\\Preview\\Krita" - "OC\\Preview\\MarkDown" - "OC\\Preview\\MP3" - 
"OC\\Preview\\OpenDocument" - "OC\\Preview\\PNG" - "OC\\Preview\\TXT" - "OC\\Preview\\XBitmap" - "OC\\Preview\\HEIC" - ]; - }; - config = { - adminuser = "jsw-admin"; - adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; - dbtype = "pgsql"; - }; + nginx.enable = lib.mkForce false; + caddy.virtualHosts."${host}".extraConfig = '' + encode zstd gzip + + root * ${nginxRoot} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By + } + + php_fastcgi unix/${fpmSocket} { + root ${nginxRoot} + env front_controller_active true + env modHeadersAvailable true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; }; - - caddy.virtualHosts.${host}.extraConfig = '' - encode zstd gzip - - root * ${nginxRoot} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - header { - Strict-Transport-Security max-age=31536000 - Permissions-Policy 
interest-cohort=() - X-Content-Type-Options nosniff - X-Frame-Options SAMEORIGIN - Referrer-Policy no-referrer - X-XSS-Protection "1; mode=block" - X-Permitted-Cross-Domain-Policies none - X-Robots-Tag "noindex, nofollow" - -X-Powered-By - } - - php_fastcgi unix/${fpmSocket} { - root ${nginxRoot} - env front_controller_active true - env modHeadersAvailable true - } - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - error @forbidden 404 - - @immutable { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - query v=* - } - header @immutable Cache-Control "max-age=15778463, immutable" - - @static { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - not query v=* - } - header @static Cache-Control "max-age=15778463" - - @woff2 path *.woff2 - header @woff2 Cache-Control "max-age=604800" - - file_server - ''; }; } From d2f70557620fc47d3e6c0cce58440b0e8edb9921 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 25 Jul 2025 23:47:13 +0200 Subject: [PATCH 10/11] Nextcloud: fix phpfm permissions --- system/server/nextcloud.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix index 4bfa5bf..ee24582 100644 --- a/system/server/nextcloud.nix +++ b/system/server/nextcloud.nix @@ -56,6 +56,12 @@ in { }; nginx.enable = lib.mkForce false; + phpfpm.pools.nextcloud.settings = let + inherit (config.services.caddy) user group; + in { + "listen.owner" = user; + "listen.group" = group; + }; caddy.virtualHosts."${host}".extraConfig = '' encode zstd gzip From 6700e426619e13136f29fc2a0a8c7889141c5197 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 25 Jul 2025 23:51:51 +0200 Subject: [PATCH 11/11] Nextcloud: enable oidc login --- system/server/nextcloud.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix
index ee24582..3831684 100644
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
@@ -27,9 +27,17 @@ in {
 autoUpdateApps.enable = true;
 extraAppsEnable = true;
- extraApps = with config.services.nextcloud.package.packages.apps; {
+ extraApps = {
 # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
- inherit calendar contacts mail notes tasks;
+ inherit
+ (config.services.nextcloud.package.packages.apps)
+ calendar
+ contacts
+ mail
+ notes
+ tasks
+ user_oidc
+ ;
 };
 settings = {