diff --git a/modules/system/authentik.nix b/modules/system/authentik.nix
index fd4382f..893155d 100644
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
@@ -38,11 +38,6 @@ with lib;
reverse_proxy http://127.0.0.1:9000
'';
services.postgresql = {
- authentication = pkgs.lib.mkOverride 10 ''
- #type database DBuser auth-method
- local all all trust
- '';
- enable = true;
ensureDatabases = [ "authentik" ];
ensureUsers = [{
ensureClauses.login = true;
diff --git a/modules/system/cloudreve.nix b/modules/system/cloudreve.nix
index 5aec730..69363b9 100644
--- a/modules/system/cloudreve.nix
+++ b/modules/system/cloudreve.nix
@@ -9,6 +9,29 @@ with lib;
services.caddy.virtualHosts."files.gleipnir.technology".extraConfig = ''
reverse_proxy http://127.0.0.1:10040
'';
+ services.postgresql = {
+ # In the below config I've got 107.150.59.1/24, which is a total guess
+ # based on what I'm seeing with containers, it may be way, WAY off.
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser origin-address auth-method
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host cloudreve cloudreve 10.88.0.1/16 trust
+ host cloudreve cloudreve 107.150.59.1/24 trust
+ '';
+ enable = true;
+ ensureDatabases = [ "cloudreve" ];
+ enableTCPIP = true;
+ ensureUsers = [{
+ ensureClauses.login = true;
+ ensureDBOwnership = true;
+ name = "cloudreve";
+ }];
+ #settings = {
+ #listen_addresses = lib.mkForce "10.88.0.1,localhost";
+ #};
+ };
sops.secrets.cloudreve-env = with config.virtualisation.oci-containers; {
format = "dotenv";
group = "cloudreve";
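Review bot: Every `host` line in the new `authentication` block uses `trust`, so anything that can open a TCP connection from 127.0.0.1/::1 logs in as any role including the `postgres` superuser, and anything in 10.88.0.0/16 or the guessed, public-looking 107.150.59.0/24 logs in as `cloudreve` with no credential at all, while `enableTCPIP = true` with `listen_addresses` left commented out means (if I remember the NixOS module right) the server listens on every interface. I would not ship a `trust` rule for a range the comment itself calls a total guess: pin down the container's real source address (a dedicated podman network with a fixed subnet makes this deterministic), give the `cloudreve` role a password from a sops secret (`ensureUsers` does not set one, so it needs an `ALTER ROLE … PASSWORD` in a postStart or a `passwordFile`), switch the host lines to `scram-sha-256`, and un-comment the `listen_addresses` restriction. `local all all trust` additionally lets every local OS user become superuser over the socket where the module default is `peer`, and `peer` is all that `ensureUsers`/`ensureDatabases` need, provided each service connects over the socket as the OS user whose name matches its role, which is what the old `local`-only rule in authentik.nix and vikunja.nix already implied. Minor: write the podman network as `10.88.0.0/16` (PostgreSQL masks the host bits, but `10.88.0.1/16` reads like a single address), and since this commit removes the same `mkOverride 10` block from authentik.nix and vikunja.nix, their access rules now exist only here, so this module must be imported on every host that runs them.
```nix
      authentication = pkgs.lib.mkOverride 10 ''
        #type database DBuser origin-address auth-method
        local all all peer
        host all all 127.0.0.1/32 scram-sha-256
        host all all ::1/128 scram-sha-256
        host cloudreve cloudreve 10.88.0.0/16 scram-sha-256
      '';
      # … unchanged: enable, ensureDatabases, enableTCPIP, ensureUsers …
      settings.listen_addresses = lib.mkForce "10.88.0.1,localhost";
```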
@@ -20,19 +43,27 @@ with lib;
systemd.tmpfiles.rules = [ "d /opt/cloudreve 0755 cloudreve cloudreve" ];
+ # The container here comes from a private repository. In order to get it you need to buy a pro license
+ # and download and configure the image via https://cloudreve.org/manage
+ # You'll do so by getting the image repository credentials and running
+ # sudo podman login -u -p cloudreve.azurecr.io
virtualisation.oci-containers.containers.cloudreve = {
environmentFiles = [ "/var/run/secrets/cloudreve-env" ];
- image = "cloudreve.azurecr.io/cloudreve/pro:4.3.0";
+ #extraOptions = ["--network=pasta:--map-gw"];
+ image = "cloudreve.azurecr.io/cloudreve/pro:4.5.0";
+ # I'd much rather be doing this, but it fails in inscrutible ways
+ #podman.user = "cloudreve";
ports = [ "127.0.0.1:10040:5212" ];
volumes = [
- "/opt/cloudreve:/cloudreve/data"
+ "/var/lib/cloudreve:/cloudreve/data"
];
};
users.groups.cloudreve = {};
users.users.cloudreve = {
group = "cloudreve";
+ home = "/home/cloudreve";
isSystemUser = true;
};
};
diff --git a/modules/system/vikunja.nix b/modules/system/vikunja.nix
index 68ba637..674cb0d 100644
--- a/modules/system/vikunja.nix
+++ b/modules/system/vikunja.nix
@@ -8,11 +8,6 @@ with lib;
reverse_proxy http://127.0.0.1:10010
'';
services.postgresql = {
- authentication = pkgs.lib.mkOverride 10 ''
- #type database DBuser auth-method
- local all all trust
- '';
- enable = true;
ensureDatabases = [ "vikunja" ];
ensureUsers = [{
ensureClauses.login = true;
diff --git a/secrets/cloudreve.env b/secrets/cloudreve.env
index 44a2476..6172047 100644
--- a/secrets/cloudreve.env
+++ b/secrets/cloudreve.env
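Review bot: The volume now mounts `/var/lib/cloudreve`, but the tmpfiles rule at the top of the hunk still creates `/opt/cloudreve` with `cloudreve` ownership, so the new data directory is left for podman to create (as root, since `podman.user` is commented out) and the old one keeps being created for nothing; the rule should follow the move, e.g. `"d /var/lib/cloudreve 0750 cloudreve cloudreve"`, with the uid the container actually writes as confirmed first. The documented `sudo podman login -u -p cloudreve.azurecr.io` (its placeholders appear to have been lost) puts the registry password on the command line where it lands in shell history and `ps`; prefer `podman login -u <user> --password-stdin cloudreve.azurecr.io`, or better the oci-containers module's declarative `login = { registry; username; passwordFile; }` fed from a sops secret, which also survives the root auth.json living under `/run`. The image is pinned only by the mutable tag `4.5.0`; for a paid image pulled from a third-party registry, pin the digest as well (`pro:4.5.0@sha256:…`) so a re-pushed tag cannot silently change what runs. `home = "/home/cloudreve"` is set on a system user without `createHome`, which is harmless while the container runs as root but will need the directory to exist if `podman.user = "cloudreve"` is ever enabled.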
@@ -1,5 +1,3 @@
-CR_CONF_Database.Type=ENC[AES256_GCM,data:bcU1B6sOSjc=,iv:JX7r+jbeM85ai/iATvipMSsPuom0FJwDMkV0U+Waebg=,tag:ptft8MxWTkiFVx/OibpiPg==,type:str]
-CR_CONF_Database.DatabaseURL=ENC[AES256_GCM,data:C2+9vVWi5JPF+IdEDBaRPk2B9VGBEwCKxC+9GcNah09fp7Nz7SBYqIbQxb+GKx6jzSUritCgwfruZN7y7p3lIUwdCOa//MJwm4FTWOX2gT8IhI8xFPr+1rNgSWM5VIS0apTE+MpFwM1QPJwRFbLyFvfD3sGP1tUIsOLNxw7iTJG4RiJLtcl8D0AHNul2awymqYc/Z82gMe9HqNRhig4EjQ==,iv:+DeCxNOQd5OdviMDXdqCT2A6Y+iAjVfFGtOfwg8nl6Y=,tag:C0mLMzs/44m3NeXDq/pwzw==,type:str]
CR_LICENSE_KEY=ENC[AES256_GCM,data:TLb8iQFNLA88iLe8td0Oggd+bbNzqgxMCpP9ulMw4+B0t9l5vdKks1Vyx2hxV2Hg4BuYkoW6IW1njoWtT9gCrCAd8pGTJ7+x,iv:ywD8DlNGOA+caY0BnmgPm1r+cnjSRwZ5ZabKXrGtmxo=,tag:8ua/itSi75qjpU6Pl+6jig==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaS3Y2VHlSQXRYOW43djcw\nUU02QWdjNE5KSzl0dk5ybnFORERXeE5NRkVVClllMkRFa2Izek1XYXpwb3V2ekJZ\neHVaY2dlVDRxbXRieC9MMlZRb0N2eFkKLS0tIFdZQXlYZVhFdFB4K3phRFpHVFBj\nVk5BQzJuQlJZcEVTZ3NTNloxWTRjRTgK9q3orFFKI6jQ25cX4y8spBM6xYOdo5lf\nqnetsT7N0vv4qFOlkvw7SJpljX3OMxlby1CpqYe6494GF2bUsg1tIA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz
@@ -13,7 +11,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2
sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge
sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSEw1cElqRDRJRE42bXM1\nZjh3MDJQVFEwdFJmcmF2YWdvamJ4VDJKQmd3CjE2Q1FBUU10ekx0WjVNS1R6c3lF\nS0VZSkp5b0FWTDNTNTVObFVjVXZiS28KLS0tIDM1SDY1YWlLNkM5aEZoVng5NnhQ\nT3dYbTIzdlA0RDkrNDJEbE1hM04yK1UKMIdTHYf1ONLM4cG2V6+3cqZdsJCnAtPR\n6K741LxT5eHQ8o1vbtCi0/zWj/4lb/wmiCCRBgj4B88eQSdqxRhtPA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7
-sops_lastmodified=2025-07-19T00:19:19Z
-sops_mac=ENC[AES256_GCM,data:y0ImYOeiuYDVkBdL+PU4oWKrwpLhcylh0qYfR6BYS5dGdw4A1KMxN0vqhXM73mQaHRwEJBfGJDA6pq++/e0lMbiw7xhyWvm/AxQ8DlSo+4cV19ZAs+VwV0fGkHJ7xKVN2Yl5qQRNKvy1IhIFOd1yre8kGJKeD7FYJXpn/cdsIoE=,iv:ngvWDmaXKG2E8p0gKTGzoFzvPCHAEurMuX4M1L/xqA0=,tag:UNvtRT2JINgTg4WJomiTUA==,type:str]
+sops_lastmodified=2025-09-09T19:12:50Z
+sops_mac=ENC[AES256_GCM,data:YiXYB4ZgQiqWhF+XUuu6kMW1kvf4FzBOdJiwuxaww9gFS3FMztReJYNYqHuVYQyGPQZgexVRgwGqf8kZ/aSsn8mSf4Wpx9zdI69bS9+mlJUN0ndQKQhP/wiO5TP4bmJxB0W8sq62V3nCWG82tdG6jTCNrpS2y3L4U4H+tg7uD+4=,iv:le11XPbNeaNY89a6hDmx7kyQWD1BhicHaUKT43qLOEs=,tag:QFDSWFDhE7ZESIn4UnDUXRQ==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2