From 7a3bb5cc8201602a71f75653fe20141a050b61e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20R=C3=B6ger?=
Date: Sat, 5 Apr 2025 02:22:32 +0200
Subject: [PATCH] add live harbor cfg

---
 hosts/harbor/configuration.nix | 2 +-
 hosts/harbor/hardware-configuration.nix | 18 ++++++++------
 modules/services/nextcloud-instance.nix | 31 +++++++++++++++++++------
 3 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/hosts/harbor/configuration.nix b/hosts/harbor/configuration.nix
index 1af60d9..851139f 100644
--- a/hosts/harbor/configuration.nix
+++ b/hosts/harbor/configuration.nix
@@ -48,7 +48,7 @@
 };
 services.nextcloud-instance.enable = true;
- services.nextcloud-instance.ssl = false;
+ services.nextcloud-instance.ssl = true;
 services.nextcloud-instance.adminPasswordFile = config.sops.secrets.nextcloud-admin-pass.path;
 services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de";
diff --git a/hosts/harbor/hardware-configuration.nix b/hosts/harbor/hardware-configuration.nix
index b864c87..a4f3fbe 100644
--- a/hosts/harbor/hardware-configuration.nix
+++ b/hosts/harbor/hardware-configuration.nix
@@ -8,26 +8,30 @@
 [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
 boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
+ boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/8682be2b-6620-46be-9350-c7ba0adb8f34";
+ { device = "/dev/disk/by-uuid/a9ac5007-f148-4001-ba49-f6a0bfad85cc";
 fsType = "ext4";
 };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/ee56aac9-2977-4234-9d0e-933fc2c59fdf"; }
- ];
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/12CE-A600";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/modules/services/nextcloud-instance.nix b/modules/services/nextcloud-instance.nix
index 73101a5..5bc338e 100644
--- a/modules/services/nextcloud-instance.nix
+++ b/modules/services/nextcloud-instance.nix
@@ -65,17 +65,34 @@ in {
 };
 };
- # SSL setup
- services.nginx.virtualHosts.${cfg.instanceFQDN} = lib.mkIf cfg.ssl {
- forceSSL = true;
- enableACME = true;
+ # Fallback server with only 403
+ services.nginx.virtualHosts.${config.networking.domain} = lib.mkDefault {
+ default = true;
+ locations."/".return = 403;
+ forceSSL = cfg.ssl;
+ enableACME = cfg.ssl;
 };
+
+ # Webserver setup with optional SSL
+ services.nginx.virtualHosts.${cfg.instanceFQDN} =
+ if cfg.ssl
+ then {
+ forceSSL = true;
+ enableACME = true;
+ }
+ else {
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ ];
+ };
 security.acme = lib.mkIf cfg.ssl {
 acceptTerms = true;
- certs = {
- ${cfg.instanceFQDN}.email = "jonas.roeger+acme@gmail.com";
- };
+ defaults.email = "jonas.roeger+acme@gmail.com";
 };
+ networking.firewall.allowedTCPPorts = [80] ++ lib.optional cfg.ssl 443;
 # DB setup
 services.postgresql = {
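Review bot: The new fallback vhost is keyed on `${config.networking.domain}`, and `networking.domain` defaults to null, so any host that enables this module without setting it now fails at evaluation with a null-as-attribute-name error rather than a readable message; add `assertions = [ { assertion = config.networking.domain != null; message = "services.nextcloud-instance: networking.domain must be set for the 403 fallback vhost"; } ];` next to the vhost. The fallback also sets `enableACME = cfg.ssl` for that bare domain, so with ssl on it must be publicly resolvable to this host or the ACME order for it will keep failing — worth a comment on the `# Fallback server with only 403` line. Because the whole fallback attrset is wrapped in `lib.mkDefault`, a host that declares its own vhost for `networking.domain` silently replaces it, including `default = true`, and nginx would then pick another vhost (possibly the Nextcloud one) as the catch-all for unknown Host headers; consider setting `default = true` and the 403 location with plain definitions and leaving only the TLS fields overridable. In the non-SSL branch `listen = [ { addr = "0.0.0.0"; port = 80; } ]` binds IPv4 only, dropping the `[::]` listener the nginx module adds by default, which looks unintended.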