From 2c101e6aaa6e0bbf8fb22bfcc43bdb1da6db1515 Mon Sep 17 00:00:00 2001 From: Eli Ribble Date: Tue, 9 Sep 2025 19:47:22 +0000 Subject: [PATCH] Get cloudreve working on new corp with local database This was a huge hassle. I really wanted to see it working under a non-root user since it writes files, but that ended up being impossible because of several bugs in podman's rootless integration with NixOS. I've kept pieces of the logic around and commented out in case I can fix it in the future as it would be more secure. I also tried to connect to Postgres over the unix domain socket, but the problem here is that the container is built to run as root and I'd need to do some elaborate mapping of the root user inside the container, the non-root user outside the container, and the Postgres auth scheme. This would be great stuff to sort out, but I'm out of time now to work on it. --- modules/system/authentik.nix | 5 ----- modules/system/cloudreve.nix | 35 +++++++++++++++++++++++++++++++++-- modules/system/vikunja.nix | 5 ----- secrets/cloudreve.env | 6 ++---- 4 files changed, 35 insertions(+), 16 deletions(-) diff --git a/modules/system/authentik.nix b/modules/system/authentik.nix index fd4382f..893155d 100644 --- a/modules/system/authentik.nix +++ b/modules/system/authentik.nix @@ -38,11 +38,6 @@ with lib; reverse_proxy http://127.0.0.1:9000 ''; services.postgresql = { - authentication = pkgs.lib.mkOverride 10 '' - #type database DBuser auth-method - local all all trust - ''; - enable = true; ensureDatabases = [ "authentik" ]; ensureUsers = [{ ensureClauses.login = true; diff --git a/modules/system/cloudreve.nix b/modules/system/cloudreve.nix index 5aec730..69363b9 100644 --- a/modules/system/cloudreve.nix +++ b/modules/system/cloudreve.nix 
@@ -9,6 +9,29 @@ with lib; services.caddy.virtualHosts."files.gleipnir.technology".extraConfig = '' reverse_proxy http://127.0.0.1:10040 ''; + services.postgresql = { + # In the below config I've got 107.150.59.1/24, which is a total guess + # based on what I'm seeing with containers, it may be way, WAY off. + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser origin-address auth-method + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host cloudreve cloudreve 10.88.0.1/16 trust + host cloudreve cloudreve 107.150.59.1/24 trust + ''; + enable = true; + ensureDatabases = [ "cloudreve" ]; + enableTCPIP = true; + ensureUsers = [{ + ensureClauses.login = true; + ensureDBOwnership = true; + name = "cloudreve"; + }]; + #settings = { + #listen_addresses = lib.mkForce "10.88.0.1,localhost"; + #}; + }; sops.secrets.cloudreve-env = with config.virtualisation.oci-containers; { format = "dotenv"; group = "cloudreve"; 
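Review bot: The `host cloudreve cloudreve 107.150.59.1/24 trust` line combines a range the comment admits is a guess with passwordless auth, and because `enableTCPIP = true` (which, if I read the NixOS option right, sets `listen_addresses = "*"`) while the `listen_addresses` override stays commented out, any host in that /24 that can reach port 5432 gets into the cloudreve database as `cloudreve` with no password; the commit also drops `CR_CONF_Database.DatabaseURL` from the secrets file, so presumably there is no password on the client side either. The container reaches the host through the podman bridge gateway, which the `10.88.0.1/16` line already covers, so the /24 line should go and the listener should be pinned: `settings.listen_addresses = lib.mkForce "localhost,10.88.0.1";`. On the bridge line itself, `trust` means every container on that network can connect as `cloudreve`; prefer `host cloudreve cloudreve 10.88.0.0/16 scram-sha-256` with a password set via sops and passed through the env file. Note too that `mkOverride 10` replaces the whole default pg_hba, so `host all all 127.0.0.1/32 trust` and the `::1/128` twin let any local process connect over TCP as any role, including `postgres`, without a password — the container does not use loopback, so both lines can be dropped.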
@@ -20,19 +43,27 @@ with lib; systemd.tmpfiles.rules = [ "d /opt/cloudreve 0755 cloudreve cloudreve" ]; + # The container here comes from a private repository. In order to get it you need to buy a pro license + # and download and configure the image via https://cloudreve.org/manage + # You'll do so by getting the image repository credentials and running + # sudo podman login -u -p cloudreve.azurecr.io virtualisation.oci-containers.containers.cloudreve = { environmentFiles = [ "/var/run/secrets/cloudreve-env" ]; - image = "cloudreve.azurecr.io/cloudreve/pro:4.3.0"; + #extraOptions = ["--network=pasta:--map-gw"]; + image = "cloudreve.azurecr.io/cloudreve/pro:4.5.0"; + # I'd much rather be doing this, but it fails in inscrutible ways + #podman.user = "cloudreve"; ports = [ "127.0.0.1:10040:5212" ]; volumes = [ - "/opt/cloudreve:/cloudreve/data" + "/var/lib/cloudreve:/cloudreve/data" ]; }; users.groups.cloudreve = {}; users.users.cloudreve = { group = "cloudreve"; + home = "/home/cloudreve"; isSystemUser = true; }; }; diff --git a/modules/system/vikunja.nix b/modules/system/vikunja.nix index 68ba637..674cb0d 100644 --- a/modules/system/vikunja.nix +++ b/modules/system/vikunja.nix @@ -8,11 +8,6 @@ with lib; reverse_proxy http://127.0.0.1:10010 ''; services.postgresql = { - authentication = pkgs.lib.mkOverride 10 '' - #type database DBuser auth-method - local all all trust - ''; - enable = true; ensureDatabases = [ "vikunja" ]; ensureUsers = [{ ensureClauses.login = true; diff --git a/secrets/cloudreve.env b/secrets/cloudreve.env index 44a2476..6172047 100644 --- a/secrets/cloudreve.env +++ b/secrets/cloudreve.env 
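Review bot: The login recipe in the new comment, `sudo podman login -u -p cloudreve.azurecr.io`, passes the registry password on the command line, where it ends up in root's shell history and is visible to other processes while the command runs; document `sudo podman login -u <user> --password-stdin cloudreve.azurecr.io < /run/secrets/<file>` instead, ideally with the credential managed through sops alongside `cloudreve-env`. The volume now binds `/var/lib/cloudreve`, but the tmpfiles rule at the top of the hunk still only creates `/opt/cloudreve`, so the new directory is presumably created by podman (as root) on first start with whatever mode it picks; updating the rule to `"d /var/lib/cloudreve 0750 cloudreve cloudreve"` keeps the mode explicit, and the stale `/opt` rule can be removed. The commented `#podman.user` and `#extraOptions` lines would benefit from a one-line note on what actually failed, so the next rootless attempt does not have to rediscover it. The enclosing module body continues past the end of the hunk.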
@@ -1,5 +1,3 @@
-CR_CONF_Database.Type=ENC[AES256_GCM,data:bcU1B6sOSjc=,iv:JX7r+jbeM85ai/iATvipMSsPuom0FJwDMkV0U+Waebg=,tag:ptft8MxWTkiFVx/OibpiPg==,type:str]
-CR_CONF_Database.DatabaseURL=ENC[AES256_GCM,data:C2+9vVWi5JPF+IdEDBaRPk2B9VGBEwCKxC+9GcNah09fp7Nz7SBYqIbQxb+GKx6jzSUritCgwfruZN7y7p3lIUwdCOa//MJwm4FTWOX2gT8IhI8xFPr+1rNgSWM5VIS0apTE+MpFwM1QPJwRFbLyFvfD3sGP1tUIsOLNxw7iTJG4RiJLtcl8D0AHNul2awymqYc/Z82gMe9HqNRhig4EjQ==,iv:+DeCxNOQd5OdviMDXdqCT2A6Y+iAjVfFGtOfwg8nl6Y=,tag:C0mLMzs/44m3NeXDq/pwzw==,type:str]
 CR_LICENSE_KEY=ENC[AES256_GCM,data:TLb8iQFNLA88iLe8td0Oggd+bbNzqgxMCpP9ulMw4+B0t9l5vdKks1Vyx2hxV2Hg4BuYkoW6IW1njoWtT9gCrCAd8pGTJ7+x,iv:ywD8DlNGOA+caY0BnmgPm1r+cnjSRwZ5ZabKXrGtmxo=,tag:8ua/itSi75qjpU6Pl+6jig==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaS3Y2VHlSQXRYOW43djcw\nUU02QWdjNE5KSzl0dk5ybnFORERXeE5NRkVVClllMkRFa2Izek1XYXpwb3V2ekJZ\neHVaY2dlVDRxbXRieC9MMlZRb0N2eFkKLS0tIFdZQXlYZVhFdFB4K3phRFpHVFBj\nVk5BQzJuQlJZcEVTZ3NTNloxWTRjRTgK9q3orFFKI6jQ25cX4y8spBM6xYOdo5lf\nqnetsT7N0vv4qFOlkvw7SJpljX3OMxlby1CpqYe6494GF2bUsg1tIA==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz
@@ -13,7 +11,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2
 sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge
 sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSEw1cElqRDRJRE42bXM1\nZjh3MDJQVFEwdFJmcmF2YWdvamJ4VDJKQmd3CjE2Q1FBUU10ekx0WjVNS1R6c3lF\nS0VZSkp5b0FWTDNTNTVObFVjVXZiS28KLS0tIDM1SDY1YWlLNkM5aEZoVng5NnhQ\nT3dYbTIzdlA0RDkrNDJEbE1hM04yK1UKMIdTHYf1ONLM4cG2V6+3cqZdsJCnAtPR\n6K741LxT5eHQ8o1vbtCi0/zWj/4lb/wmiCCRBgj4B88eQSdqxRhtPA==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7
-sops_lastmodified=2025-07-19T00:19:19Z
-sops_mac=ENC[AES256_GCM,data:y0ImYOeiuYDVkBdL+PU4oWKrwpLhcylh0qYfR6BYS5dGdw4A1KMxN0vqhXM73mQaHRwEJBfGJDA6pq++/e0lMbiw7xhyWvm/AxQ8DlSo+4cV19ZAs+VwV0fGkHJ7xKVN2Yl5qQRNKvy1IhIFOd1yre8kGJKeD7FYJXpn/cdsIoE=,iv:ngvWDmaXKG2E8p0gKTGzoFzvPCHAEurMuX4M1L/xqA0=,tag:UNvtRT2JINgTg4WJomiTUA==,type:str]
+sops_lastmodified=2025-09-09T19:12:50Z
+sops_mac=ENC[AES256_GCM,data:YiXYB4ZgQiqWhF+XUuu6kMW1kvf4FzBOdJiwuxaww9gFS3FMztReJYNYqHuVYQyGPQZgexVRgwGqf8kZ/aSsn8mSf4Wpx9zdI69bS9+mlJUN0ndQKQhP/wiO5TP4bmJxB0W8sq62V3nCWG82tdG6jTCNrpS2y3L4U4H+tg7uD+4=,iv:le11XPbNeaNY89a6hDmx7kyQWD1BhicHaUKT43qLOEs=,tag:QFDSWFDhE7ZESI4UnDUXRQ==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2