Add Nextcloud service in tent

Allow access to postgresql socket from CI runner
Fixes: #237 Cc: Antoni Navarro <antoni.navarro@bsc.es> Reviewed-by: Aleix Boné <abonerib@bsc.es>
2026-03-11 13:06:54 +01:00 · 2026-03-11 12:41:06 +01:00 · 2026-03-11 12:40:21 +01:00
6 changed files with 80 additions and 4 deletions
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -51,6 +51,7 @@
          "/nix/store:/nix/store:ro"
          "/nix/var/nix/db:/nix/var/nix/db:ro"
          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
          "/var/run/postgresql/:/var/run/postgresql/"
        ];
        dockerExtraHosts = [
          # Required to pass the proxy via hut
--- a/m/hut/postgresql.nix
+++ b/m/hut/postgresql.nix
@@ -8,12 +8,14 @@
      { name = "anavarro"; ensureClauses.superuser = true; }
      { name = "rarias";   ensureClauses.superuser = true; }
      { name = "grafana"; }
      { name = "gitlab-runner"; }
    ];
    authentication = ''
-      #type  database     DBuser    auth-method
+      #type  database     DBuser         auth-method
-      local  perftestsdb  rarias    trust
+      local  perftestsdb  rarias         trust
-      local  perftestsdb  anavarro  trust
+      local  perftestsdb  anavarro       trust
-      local  perftestsdb  grafana   trust
+      local  perftestsdb  grafana        trust
      local  perftestsdb  gitlab-runner  trust
    '';
  };
 }
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -11,6 +11,7 @@
    ./nix-serve.nix
    ./gitlab-runner.nix
    ./gitea.nix
    ./nextcloud.nix
    ../hut/public-inbox.nix
    ../hut/msmtp.nix
    ../module/p.nix
--- a/m/tent/nextcloud.nix
+++ b/m/tent/nextcloud.nix
@@ -0,0 +1,71 @@
 { pkgs, config, ... }:
 {
  age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
  services.nextcloud = {
    package = pkgs.nextcloud32;
    enable = true;
    hostName = "localhost";
    config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
    config.dbtype = "sqlite";
    extraApps = {
      inherit (config.services.nextcloud.package.packages.apps)
        news
        contacts
        calendar
        tasks;
        # The app richdocuments (i.e. office) is not enabled yet as there are
        # problems with the WOPI protocol in a subdir.
    };
    extraAppsEnable = true;
    settings = let
      prot = "https";
      host = "jungle.bsc.es";
      dir = "/nextcloud";
    in {
      overwriteprotocol = prot;
      overwritehost = host;
      overwritewebroot = dir;
      overwrite.cli.url = "${prot}://${host}${dir}/";
      htaccess.RewriteBase = dir;
    };
  };
  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
    addr = "127.0.0.1";
    port = 8066; # NOT an exposed port
  } ];
  services.nginx.virtualHosts."jungle.bsc.es".locations = {
    "^~ /.well-known" = {
      priority = 9000;
      extraConfig = ''
              absolute_redirect off;
              location ~ ^/\\.well-known/(?:carddav|caldav)$ {
                return 301 /nextcloud/remote.php/dav;
              }
              location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
                return 301 /nextcloud/public.php?service=host-meta-json;
              }
              location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
                return 301 /nextcloud/index.php$request_uri;
              }
              try_files $uri $uri/ =404;
      '';
    };
    "/nextcloud/" = {
      priority = 9999;
      extraConfig = ''
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-NginX-Proxy true;
          proxy_set_header X-Forwarded-Proto http;
          proxy_pass http://127.0.0.1:8066/; # tailing / is important!
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
          proxy_redirect off;
      '';
    };
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,6 +22,7 @@ in
  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
  "tent-nextcloud-admin-pass.age".publicKeys = tent;
  "vpn-dac-login.age".publicKeys = tent;
  "vpn-dac-client-key.age".publicKeys = tent;
--- a/secrets/tent-nextcloud-admin-pass.age
+++ b/secrets/tent-nextcloud-admin-pass.age
Author	SHA1	Message	Date
Rodrigo Arias Mallo	b180ea43b5	Add Nextcloud service in tent All checks were successful CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Successful in 16s Details	2026-03-11 13:06:54 +01:00
Rodrigo Arias Mallo	461d96dc75	Allow access to postgresql socket from CI runner All checks were successful CI / build:cross (pull_request) Successful in 8s Details CI / build:all (pull_request) Successful in 16s Details CI / build:all (push) Successful in 3s Details CI / build:cross (push) Successful in 8s Details Fixes: #237 Cc: Antoni Navarro <antoni.navarro@bsc.es> Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-03-11 12:41:06 +01:00
Rodrigo Arias Mallo	26d9e3d432	Grant gitlab-runner user access to perftestsdb Cc: Antoni Navarro <antoni.navarro@bsc.es> Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-03-11 12:40:21 +01:00