sops and onlyoffice evolution

modules/server/nextcloud.nix

@@ -20,7 +20,7 @@ in
       settings = {
         NEXTCLOUD_URL = "http://nextcloud-private.local";
       };
-      secrets = [ "${inputs.zeroq-credentials}/services/nextcloud/jwt-secret.txt" ];
+      secrets = [ config.sops.secrets.nextcloud-whiteboard-jwt.path ];
     };
     nextcloud = {
       enable = true;
@@ -39,7 +39,7 @@ in
         dbuser = "nextcloud";
         dbname = "nextcloud";
         adminuser = "oqyude";
-        adminpassFile = "${inputs.zeroq-credentials}/services/nextcloud/admin-pass.txt";
+        adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
       };
       settings = {
         log_type = "file";
@@ -89,7 +89,7 @@ in
           music
           tasks
           # news
-          #           notes
+          notes
           # notify_push
           polls
           previewgenerator
@@ -133,9 +133,10 @@ in
       };
     };
     onlyoffice = {
-      enable = false;
+      enable = true;
       hostname = "0.0.0.0";
-      jwtSecretFile = "${inputs.zeroq-credentials}/services/onlyoffice/jwt.txt";
+      jwtSecretFile = config.sops.secrets.onlyoffice-jwt.path;
+      securityNonceFile = config.sops.secrets.onlyoffice-nonce.path;
     };
   };
 
@@ -187,4 +188,39 @@ in
   environment.systemPackages = [
     pkgs.nc4nix # Packaging helper for Nextcloud apps
   ];
+
+  sops.secrets = {
+    nextcloud-adminpass = {
+      format = "yaml";
+      key = "adminpass";
+      sopsFile = ./secrets/nextcloud.yaml;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "0650";
+    };
+    nextcloud-whiteboard-jwt = {
+      format = "yaml";
+      key = "whiteboard-jwt";
+      sopsFile = ./secrets/nextcloud.yaml;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "0650";
+    };
+    onlyoffice-nonce = {
+      format = "yaml";
+      key = "nonce";
+      sopsFile = ./secrets/onlyoffice.yaml;
+      owner = "onlyoffice";
+      group = "onlyoffice";
+      mode = "0650";
+    };
+    onlyoffice-jwt = {
+      format = "yaml";
+      key = "jwt";
+      sopsFile = ./secrets/onlyoffice.yaml;
+      owner = "onlyoffice";
+      group = "onlyoffice";
+      mode = "0650";
+    };
+  };
 }

modules/server/nginx.nix

@@ -96,7 +96,7 @@ in
           forceSSL = false;
           locations = {
             "/" = {
-              proxyPass = "http://${server}:9980";
+              proxyPass = "http://${server}:8000"; # 9980
               proxyWebsockets = true;
             };
           };

modules/server/secrets/nextcloud.yaml

@@ -0,0 +1,17 @@
+adminpass: ENC[AES256_GCM,data:Fm+Q6YWXxouP5cX2WHU05Jr49FU=,iv:Exf/li6bL6xpR9HQ8XDDSprjx4ltHkJFl99Ga+gXwmQ=,tag:iB9d5O4982tr7lPu1nWccQ==,type:str]
+whiteboard-jwt: ENC[AES256_GCM,data:5i+x8VODrBIhGEWS5Ua6lrk7tsfk6xTa/1qm1rXe4A==,iv:2gFEeudip7BxJh553QtZ1CZo9T8jro3Q/Afdo8ouHtw=,tag:HgBM9ta41rhXJlsQJ+asFg==,type:str]
+sops:
+    age:
+        - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNWFiUlZXMEEvNll0aFFk
+            UldxNitqaDgyenBFeWRhLzUxSVVhQk55Q1FBCkdLU3p4S0NTOVhERkRoaWVwbWVB
+            cUxwdkJnQ1IyNzFTaVJvVXRwbElYbVkKLS0tIDQ5ejZvRks5U0tPU0w0WXdtM0ht
+            WGVQYjZtaHhaeC9pMzYxYmxTcVNtYk0KKxXXNA9h0fs+mA6U/Vsyg+q1CPl5hFrI
+            Ozjqh+dzwajQeqkCPUdCsoeIWsvBY2Cyabvs+f0zj8S00faXb8rVQQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-30T12:49:45Z"
+    mac: ENC[AES256_GCM,data:1EkbMGa6nK53GqGWYvXZP+sqy91AldGKy/32CVPshZwvTzJtk/VeK3W9A3fIGwvo7gl+QVWJmSiqrOTql4v+U4Yi3jVLEXsHXA5Bh28aJ7Ng9nkZmI10K7oaYF1xWNxzwss4gcDNIuomK+wG1WNLaiLbxwCBkN6xHugWQ4F+DLs=,iv:UmI6nC7dIHGeas54taf5kTIINvyd8YXyOVdIYghwHmE=,tag:VxdJLXRYin8D07r6CCA00A==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2

modules/server/secrets/onlyoffice.yaml

@@ -0,0 +1,17 @@
+jwt: ENC[AES256_GCM,data:Mp+eAh0Nle0QDfo92isNLwvHn/E=,iv:0FLK/8QpmX5Mv7IXMy04AJAgUknp5DATpD0acyPqrUg=,tag:rP9x3G8WIDG6KWSjqPXulQ==,type:str]
+nonce: ENC[AES256_GCM,data:8/xWIu/9rl4LrPIGBRvcIaPEwCslsRbkMqJDV9P8sqfeE2Le2SnmVLKt,iv:DHxrKOzJSekKY2TlN+iBwd2HbWV0pCid+qM2xufhbrw=,tag:o0OvJUxYSyXFtyPkfh0XLA==,type:str]
+sops:
+    age:
+        - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSzIwWlBrWFJWVHpIUVJk
+            eHh1MkYza28yeU54OWczY1ZjYmJHOFI3dXc4ClVKUVpoUWZTR0g5L2FTd0l4NzUr
+            R0xlYTJVQ1VLQXJuSGZJUE1Bd3Jsa00KLS0tIExPSi9Ob0ErSTRZQlhlTGN5WUV0
+            dm4xa25tSmN3VjlPaWpBWnhJdklqWEEK+sD+lvwQGjNkOic3ZCo2VGQ/+p2Nhmm+
+            g846YrGljYOib6hNryEhZWe0KmaDhn24vnEK5NS4WtqqwV+IhCZbmg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-30T12:49:52Z"
+    mac: ENC[AES256_GCM,data:OwORTRiRUImde7dlmsHuUNkln491biD8Z61nr8BPM5ATJqPug7sQzkpzGVVASmrpjtCi3lbn7XU8Fz6jLwODj9TRDOfazrlS1Oo6sE0d1yNXNbmIgK7+riNT7RtsGtAzgiNcYm+c8F9aa+UJ8Ctx20ejLBz/ZG/NjqTDVcgWgSk=,iv:DSDWrHyl9QBeyeC5r812IkBZjFwZ+VQdpBGIk/fFqiA=,tag:EvMW3Ef17IIEsg8zc8SykQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2

modules/vds/nginx.nix

@@ -124,7 +124,7 @@ in
           forceSSL = true;
           locations = {
             "/" = {
-              proxyPass = "http://${server}:9980";
+              proxyPass = "http://${server}:8000"; # 9980
               proxyWebsockets = true;
             };
           };