From 5909a726542288b194647a9b16d72869b4ef58f6 Mon Sep 17 00:00:00 2001
From: oqyude
Date: Mon, 30 Mar 2026 13:38:59 +0300
Subject: [PATCH] sops and onlyoffice evolution

---
 modules/server/nextcloud.nix | 46 +++++++++++++++++++++++---
 modules/server/nginx.nix | 2 +-
 modules/server/secrets/nextcloud.yaml | 17 ++++++++++
 modules/server/secrets/onlyoffice.yaml | 17 ++++++++++
 modules/vds/nginx.nix | 2 +-
 5 files changed, 77 insertions(+), 7 deletions(-)
 create mode 100644 modules/server/secrets/nextcloud.yaml
 create mode 100644 modules/server/secrets/onlyoffice.yaml

diff --git a/modules/server/nextcloud.nix b/modules/server/nextcloud.nix
index 2f9256c..7ab9576 100644
--- a/modules/server/nextcloud.nix
+++ b/modules/server/nextcloud.nix
@@ -20,7 +20,7 @@ in
 settings = {
 NEXTCLOUD_URL = "http://nextcloud-private.local";
 };
- secrets = [ "${inputs.zeroq-credentials}/services/nextcloud/jwt-secret.txt" ];
+ secrets = [ config.sops.secrets.nextcloud-whiteboard-jwt.path ];
 };
 nextcloud = {
 enable = true;
@@ -39,7 +39,7 @@ in
 dbuser = "nextcloud";
 dbname = "nextcloud";
 adminuser = "oqyude";
- adminpassFile = "${inputs.zeroq-credentials}/services/nextcloud/admin-pass.txt";
+ adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
 };
 settings = {
 log_type = "file";
@@ -89,7 +89,7 @@ in
 music
 tasks
 # news
- # notes
+ notes
 # notify_push
 polls
 previewgenerator
@@ -133,9 +133,10 @@ in
 };
 };
 onlyoffice = {
- enable = false;
+ enable = true;
 hostname = "0.0.0.0";
- jwtSecretFile = "${inputs.zeroq-credentials}/services/onlyoffice/jwt.txt";
+ jwtSecretFile = config.sops.secrets.onlyoffice-jwt.path;
+ securityNonceFile = config.sops.secrets.onlyoffice-nonce.path;
 };
 };
 
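Review bot: Flipping `enable = true;` in the onlyoffice block makes the pre-existing `hostname = "0.0.0.0";` line live for the first time, and that value deserves a second look before it goes out. As far as I recall, the NixOS onlyoffice module uses `hostname` as the FQDN of the nginx virtual host it creates rather than as a bind address, so "0.0.0.0" would produce an oddly named vhost while doing nothing to limit where the document service listens; the option description is the place to confirm this. Either way, the port the two nginx hunks now proxy to should only be reachable from the hosts that proxy to it, which this patch cannot show, so a comment such as `hostname = "0.0.0.0"; # TODO(review): vhost FQDN, not a bind address — confirm exposure of the docservice port` would at least record the open question. The enclosing `services` attrset begins and ends outside the hunk.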
@@ -187,4 +188,39 @@ in
 environment.systemPackages = [
 pkgs.nc4nix # Packaging helper for Nextcloud apps
 ];
+
+ sops.secrets = {
+ nextcloud-adminpass = {
+ format = "yaml";
+ key = "adminpass";
+ sopsFile = ./secrets/nextcloud.yaml;
+ owner = "nextcloud";
+ group = "nextcloud";
+ mode = "0650";
+ };
+ nextcloud-whiteboard-jwt = {
+ format = "yaml";
+ key = "whiteboard-jwt";
+ sopsFile = ./secrets/nextcloud.yaml;
+ owner = "nextcloud";
+ group = "nextcloud";
+ mode = "0650";
+ };
+ onlyoffice-nonce = {
+ format = "yaml";
+ key = "nonce";
+ sopsFile = ./secrets/onlyoffice.yaml;
+ owner = "onlyoffice";
+ group = "onlyoffice";
+ mode = "0650";
+ };
+ onlyoffice-jwt = {
+ format = "yaml";
+ key = "jwt";
+ sopsFile = ./secrets/onlyoffice.yaml;
+ owner = "onlyoffice";
+ group = "onlyoffice";
+ mode = "0650";
+ };
+ };
 }
diff --git a/modules/server/nginx.nix b/modules/server/nginx.nix
index c8b59d7..96496c5 100644
--- a/modules/server/nginx.nix
+++ b/modules/server/nginx.nix
@@ -96,7 +96,7 @@ in
 forceSSL = false;
 locations = {
 "/" = {
- proxyPass = "http://${server}:9980";
+ proxyPass = "http://${server}:8000"; # 9980
 proxyWebsockets = true;
 };
 };
diff --git a/modules/server/secrets/nextcloud.yaml b/modules/server/secrets/nextcloud.yaml
new file mode 100644
index 0000000..6f27ba7
--- /dev/null
+++ b/modules/server/secrets/nextcloud.yaml
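Review bot: `mode = "0650";` on all four new `sops.secrets` entries sets the group execute bit on files that are only ever read, which is almost certainly a typo for `mode = "0640";` (or `"0440"` if the owning service never rewrites them); the execute bit grants nothing useful and makes the intent harder to audit. The four entries also repeat owner, group, mode and format verbatim, so a small helper in the `let` block, e.g. `mkSecret = sopsFile: key: owner: { inherit sopsFile key owner; group = owner; format = "yaml"; mode = "0640"; };`, would keep the permission policy in one place. I cannot see from this hunk which user the whiteboard service runs as, so whether a `nextcloud`-owned `0640` file is readable by the consumer of `nextcloud-whiteboard-jwt` is worth confirming as well.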
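Review bot: The trailing `# 9980` on the new `proxyPass` line records the old value but not why it changed or what 8000 is, which is the thing a future reader will need; given that the same commit enables onlyoffice, 8000 is presumably its document-service port, so something like `proxyPass = "http://${server}:8000"; # onlyoffice docservice (previously 9980)` says what the bare number does not. The identical line in modules/vds/nginx.nix has the same issue. This vhost also keeps `forceSSL = false;`, so the JWT-authenticated editor traffic crosses this hop in clear; that is fine only if the vhost is confined to the private network, which the hunk does not show.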
@@ -0,0 +1,17 @@
+adminpass: ENC[AES256_GCM,data:Fm+Q6YWXxouP5cX2WHU05Jr49FU=,iv:Exf/li6bL6xpR9HQ8XDDSprjx4ltHkJFl99Ga+gXwmQ=,tag:iB9d5O4982tr7lPu1nWccQ==,type:str]
+whiteboard-jwt: ENC[AES256_GCM,data:5i+x8VODrBIhGEWS5Ua6lrk7tsfk6xTa/1qm1rXe4A==,iv:2gFEeudip7BxJh553QtZ1CZo9T8jro3Q/Afdo8ouHtw=,tag:HgBM9ta41rhXJlsQJ+asFg==,type:str]
+sops:
+ age:
+ - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNWFiUlZXMEEvNll0aFFk
+ UldxNitqaDgyenBFeWRhLzUxSVVhQk55Q1FBCkdLU3p4S0NTOVhERkRoaWVwbWVB
+ cUxwdkJnQ1IyNzFTaVJvVXRwbElYbVkKLS0tIDQ5ejZvRks5U0tPU0w0WXdtM0ht
+ WGVQYjZtaHhaeC9pMzYxYmxTcVNtYk0KKxXXNA9h0fs+mA6U/Vsyg+q1CPl5hFrI
+ Ozjqh+dzwajQeqkCPUdCsoeIWsvBY2Cyabvs+f0zj8S00faXb8rVQQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-30T12:49:45Z"
+ mac: ENC[AES256_GCM,data:1EkbMGa6nK53GqGWYvXZP+sqy91AldGKy/32CVPshZwvTzJtk/VeK3W9A3fIGwvo7gl+QVWJmSiqrOTql4v+U4Yi3jVLEXsHXA5Bh28aJ7Ng9nkZmI10K7oaYF1xWNxzwss4gcDNIuomK+wG1WNLaiLbxwCBkN6xHugWQ4F+DLs=,iv:UmI6nC7dIHGeas54taf5kTIINvyd8YXyOVdIYghwHmE=,tag:VxdJLXRYin8D07r6CCA00A==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.2
diff --git a/modules/server/secrets/onlyoffice.yaml b/modules/server/secrets/onlyoffice.yaml
new file mode 100644
index 0000000..c1ab72b
--- /dev/null
+++ b/modules/server/secrets/onlyoffice.yaml
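Review bot: The new secrets file is encrypted to exactly one age recipient (the single `- recipient:` entry under `sops.age`), so there is no second key that can decrypt it. If that recipient is the host's key, the secrets cannot be re-encrypted or rotated from anywhere but the host; if it is an admin key, the host cannot decrypt them at activation — in either case the usual arrangement is host key plus an admin key, declared in `.sops.yaml` and applied with `sops updatekeys`, so that losing one key is not losing the secrets. The same single-recipient layout appears in modules/server/secrets/onlyoffice.yaml.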
@@ -0,0 +1,17 @@
+jwt: ENC[AES256_GCM,data:Mp+eAh0Nle0QDfo92isNLwvHn/E=,iv:0FLK/8QpmX5Mv7IXMy04AJAgUknp5DATpD0acyPqrUg=,tag:rP9x3G8WIDG6KWSjqPXulQ==,type:str]
+nonce: ENC[AES256_GCM,data:8/xWIu/9rl4LrPIGBRvcIaPEwCslsRbkMqJDV9P8sqfeE2Le2SnmVLKt,iv:DHxrKOzJSekKY2TlN+iBwd2HbWV0pCid+qM2xufhbrw=,tag:o0OvJUxYSyXFtyPkfh0XLA==,type:str]
+sops:
+ age:
+ - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSzIwWlBrWFJWVHpIUVJk
+ eHh1MkYza28yeU54OWczY1ZjYmJHOFI3dXc4ClVKUVpoUWZTR0g5L2FTd0l4NzUr
+ R0xlYTJVQ1VLQXJuSGZJUE1Bd3Jsa00KLS0tIExPSi9Ob0ErSTRZQlhlTGN5WUV0
+ dm4xa25tSmN3VjlPaWpBWnhJdklqWEEK+sD+lvwQGjNkOic3ZCo2VGQ/+p2Nhmm+
+ g846YrGljYOib6hNryEhZWe0KmaDhn24vnEK5NS4WtqqwV+IhCZbmg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-30T12:49:52Z"
+ mac: ENC[AES256_GCM,data:OwORTRiRUImde7dlmsHuUNkln491biD8Z61nr8BPM5ATJqPug7sQzkpzGVVASmrpjtCi3lbn7XU8Fz6jLwODj9TRDOfazrlS1Oo6sE0d1yNXNbmIgK7+riNT7RtsGtAzgiNcYm+c8F9aa+UJ8Ctx20ejLBz/ZG/NjqTDVcgWgSk=,iv:DSDWrHyl9QBeyeC5r812IkBZjFwZ+VQdpBGIk/fFqiA=,tag:EvMW3Ef17IIEsg8zc8SykQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.2
diff --git a/modules/vds/nginx.nix b/modules/vds/nginx.nix
index 4849e6c..fec4e2b 100644
--- a/modules/vds/nginx.nix
+++ b/modules/vds/nginx.nix
@@ -124,7 +124,7 @@ in
 forceSSL = true;
 locations = {
 "/" = {
- proxyPass = "http://${server}:9980";
+ proxyPass = "http://${server}:8000"; # 9980
 proxyWebsockets = true;
 };
 };