Add Nextcloud service in tent

Allow access to postgresql socket from CI runner
Fixes: rarias/jungle#237 Cc: Antoni Navarro <antoni.navarro@bsc.es> Reviewed-by: Aleix Boné <abonerib@bsc.es>
2026-03-11 13:06:54 +01:00 · 2026-03-11 12:41:06 +01:00 · 2026-03-11 12:40:21 +01:00
6 changed files with 80 additions and 4 deletions
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -51,6 +51,7 @@
          "/nix/store:/nix/store:ro"
          "/nix/var/nix/db:/nix/var/nix/db:ro"
          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+          "/var/run/postgresql/:/var/run/postgresql/"
        ];
        dockerExtraHosts = [
          # Required to pass the proxy via hut
--- a/m/hut/postgresql.nix
+++ b/m/hut/postgresql.nix
@@ -8,12 +8,14 @@
      { name = "anavarro"; ensureClauses.superuser = true; }
      { name = "rarias";   ensureClauses.superuser = true; }
      { name = "grafana"; }
+      { name = "gitlab-runner"; }
    ];
    authentication = ''
-      #type  database     DBuser    auth-method
-      local  perftestsdb  rarias    trust
-      local  perftestsdb  anavarro  trust
-      local  perftestsdb  grafana   trust
+      #type  database     DBuser         auth-method
+      local  perftestsdb  rarias         trust
+      local  perftestsdb  anavarro       trust
+      local  perftestsdb  grafana        trust
+      local  perftestsdb  gitlab-runner  trust
    '';
  };
 }
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -11,6 +11,7 @@
    ./nix-serve.nix
    ./gitlab-runner.nix
    ./gitea.nix
+    ./nextcloud.nix
    ../hut/public-inbox.nix
    ../hut/msmtp.nix
    ../module/p.nix
--- a/m/tent/nextcloud.nix
+++ b/m/tent/nextcloud.nix
@@ -0,0 +1,71 @@
+{ pkgs, config, ... }:
+{
+  age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
+
+  services.nextcloud = {
+    package = pkgs.nextcloud32;
+    enable = true;
+    hostName = "localhost";
+    config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
+    config.dbtype = "sqlite";
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps)
+        news
+        contacts
+        calendar
+        tasks;
+        # The app richdocuments (i.e. office) is not enabled yet as there are
+        # problems with the WOPI protocol in a subdir.
+    };
+    extraAppsEnable = true;
+    settings = let
+      prot = "https";
+      host = "jungle.bsc.es";
+      dir = "/nextcloud";
+    in {
+      overwriteprotocol = prot;
+      overwritehost = host;
+      overwritewebroot = dir;
+      overwrite.cli.url = "${prot}://${host}${dir}/";
+      htaccess.RewriteBase = dir;
+    };
+  };
+
+  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
+    addr = "127.0.0.1";
+    port = 8066; # NOT an exposed port
+  } ];
+
+  services.nginx.virtualHosts."jungle.bsc.es".locations = {
+    "^~ /.well-known" = {
+      priority = 9000;
+      extraConfig = ''
+              absolute_redirect off;
+              location ~ ^/\\.well-known/(?:carddav|caldav)$ {
+                return 301 /nextcloud/remote.php/dav;
+              }
+              location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
+                return 301 /nextcloud/public.php?service=host-meta-json;
+              }
+              location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
+                return 301 /nextcloud/index.php$request_uri;
+              }
+              try_files $uri $uri/ =404;
+      '';
+    };
+
+    "/nextcloud/" = {
+      priority = 9999;
+      extraConfig = ''
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-NginX-Proxy true;
+          proxy_set_header X-Forwarded-Proto http;
+          proxy_pass http://127.0.0.1:8066/; # tailing / is important!
+          proxy_set_header Host $host;
+          proxy_cache_bypass $http_upgrade;
+          proxy_redirect off;
+      '';
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,6 +22,7 @@ in
  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
+  "tent-nextcloud-admin-pass.age".publicKeys = tent;
  "vpn-dac-login.age".publicKeys = tent;
  "vpn-dac-client-key.age".publicKeys = tent;

--- a/secrets/tent-nextcloud-admin-pass.age
+++ b/secrets/tent-nextcloud-admin-pass.age
Author	SHA1	Message	Date
Rodrigo Arias Mallo	b180ea43b5	Add Nextcloud service in tent	2026-03-11 13:06:54 +01:00
Rodrigo Arias Mallo	461d96dc75	Allow access to postgresql socket from CI runner Fixes: rarias/jungle#237 Cc: Antoni Navarro <antoni.navarro@bsc.es> Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-03-11 12:41:06 +01:00
Rodrigo Arias Mallo	26d9e3d432	Grant gitlab-runner user access to perftestsdb Cc: Antoni Navarro <antoni.navarro@bsc.es> Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-03-11 12:40:21 +01:00