add live harbor cfg

Jonas Röger 2025-04-05 02:22:32 +02:00
parent fb8682b0b0
commit 7a3bb5cc82
3 changed files with 36 additions and 15 deletions


@ -48,7 +48,7 @@
}; };
services.nextcloud-instance.enable = true; services.nextcloud-instance.enable = true;
services.nextcloud-instance.ssl = false; services.nextcloud-instance.ssl = true;
services.nextcloud-instance.adminPasswordFile = config.sops.secrets.nextcloud-admin-pass.path; services.nextcloud-instance.adminPasswordFile = config.sops.secrets.nextcloud-admin-pass.path;
services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de"; services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de";


@ -8,26 +8,30 @@
[ (modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/8682be2b-6620-46be-9350-c7ba0adb8f34"; { device = "/dev/disk/by-uuid/a9ac5007-f148-4001-ba49-f6a0bfad85cc";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = fileSystems."/boot" =
[ { device = "/dev/disk/by-uuid/ee56aac9-2977-4234-9d0e-933fc2c59fdf"; } { device = "/dev/disk/by-uuid/12CE-A600";
]; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }
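Review bot: The new `fileSystems."/boot"` entry mounts the vfat ESP with `options = [ "fmask=0022" "dmask=0022" ];`, which makes everything under /boot (typically the kernel and initrd on a NixOS host) world-readable; that matches what nixos-generate-config emits, but if this guest's initrd ever carries material such as initrd-network host keys or a key file, `options = [ "fmask=0077" "dmask=0077" ];` is the safer default, so a short comment stating that the initrd is expected to hold no secrets would make the choice deliberate. The same hunk also drops `"kvm-amd"` from `boot.kernelModules` and sets `swapDevices = [ ];`, which is consistent with the qemu-guest profile imported above but reads like an accidental loss next to the old config; a one-line comment such as `# QEMU guest: no nested KVM, no swap partition on this image` would prevent someone re-adding them. Whether the root filesystem on the new by-uuid device is encrypted is not visible in this hunk, so the fmask point is hedged on that.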


@ -65,17 +65,34 @@ in {
}; };
}; };
# SSL setup # Fallback server with only 403
services.nginx.virtualHosts.${cfg.instanceFQDN} = lib.mkIf cfg.ssl { services.nginx.virtualHosts.${config.networking.domain} = lib.mkDefault {
default = true;
locations."/".return = 403;
forceSSL = cfg.ssl;
enableACME = cfg.ssl;
};
# Webserver setup with optional SSL
services.nginx.virtualHosts.${cfg.instanceFQDN} =
if cfg.ssl
then {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}
else {
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
}; };
security.acme = lib.mkIf cfg.ssl { security.acme = lib.mkIf cfg.ssl {
acceptTerms = true; acceptTerms = true;
certs = { defaults.email = "jonas.roeger+acme@gmail.com";
${cfg.instanceFQDN}.email = "jonas.roeger+acme@gmail.com";
};
}; };
networking.firewall.allowedTCPPorts = [80] ++ lib.optional cfg.ssl 443;
# DB setup # DB setup
services.postgresql = { services.postgresql = {