Add Nextcloud service in tent

2026-03-11 13:06:54 +01:00
8 changed files with 74 additions and 31 deletions
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -61,8 +61,6 @@
        registrationFlags = [
          # Increase build log length to 64 MiB
          "--output-limit 65536"
-          # Allow the runner to be used in multiple projects
-          "--locked=false"
        ];
        preBuildScript = pkgs.writeScript "setup-container" ''
          mkdir -p -m 0755 /nix/var/log/nix/drvs
--- a/m/hut/ssh-robot-probes.nix
+++ b/m/hut/ssh-robot-probes.nix
@@ -6,12 +6,6 @@ let
      chmod +x $out
    ''
  ;
-  sblame-probe-script = pkgs.runCommand "sblame-probe.sh" { }
-    ''
-      cp ${./sblame-probe.sh} $out;
-      chmod +x $out
-    ''
-  ;
 in
 {
  # Use a new user to handle the SSH keys
@@ -34,17 +28,4 @@ in
      Group = "ssh-robot";
    };
  };
-
-  systemd.services.sblame-probe = {
-    description = "Daemon to report SLURM statistics via SSH";
-    path = [ pkgs.openssh pkgs.netcat ];
-    after = [ "network.target" ];
-    wantedBy = [ "default.target" ];
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9967,fork EXEC:${sblame-probe-script}";
-      User = "ssh-robot";
-      Group = "ssh-robot";
-    };
-  };
 }
--- a/m/hut/monitoring.nix
+++ b/m/hut/monitoring.nix
@@ -5,7 +5,7 @@
    ../module/slurm-exporter.nix
    ../module/meteocat-exporter.nix
    ../module/upc-qaire-exporter.nix
-    ./ssh-robot-probes.nix
+    ./gpfs-probe.nix
    ../module/nix-daemon-exporter.nix
  ];

@@ -111,7 +111,6 @@
            "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
            "127.0.0.1:9341" # Slurm exporter
            "127.0.0.1:9966" # GPFS custom exporter
-            "127.0.0.1:9967" # SLURM custom exporter
            "127.0.0.1:9999" # Nix-daemon custom exporter
            "127.0.0.1:9929" # Meteocat custom exporter
            "127.0.0.1:9928" # UPC Qaire custom exporter
--- a/m/hut/sblame-probe.sh
+++ b/m/hut/sblame-probe.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-cat <<EOF
-HTTP/1.1 200 OK
-Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
-
-EOF
-ssh bsc015557@glogin2.bsc.es "timeout 3 command sblame -E"
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -11,6 +11,7 @@
    ./nix-serve.nix
    ./gitlab-runner.nix
    ./gitea.nix
+    ./nextcloud.nix
    ../hut/public-inbox.nix
    ../hut/msmtp.nix
    ../module/p.nix
--- a/m/tent/nextcloud.nix
+++ b/m/tent/nextcloud.nix
@@ -0,0 +1,71 @@
+{ pkgs, config, ... }:
+{
+  age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
+
+  services.nextcloud = {
+    package = pkgs.nextcloud32;
+    enable = true;
+    hostName = "localhost";
+    config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
+    config.dbtype = "sqlite";
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps)
+        news
+        contacts
+        calendar
+        tasks;
+        # The app richdocuments (i.e. office) is not enabled yet as there are
+        # problems with the WOPI protocol in a subdir.
+    };
+    extraAppsEnable = true;
+    settings = let
+      prot = "https";
+      host = "jungle.bsc.es";
+      dir = "/nextcloud";
+    in {
+      overwriteprotocol = prot;
+      overwritehost = host;
+      overwritewebroot = dir;
+      overwrite.cli.url = "${prot}://${host}${dir}/";
+      htaccess.RewriteBase = dir;
+    };
+  };
+
+  services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
+    addr = "127.0.0.1";
+    port = 8066; # NOT an exposed port
+  } ];
+
+  services.nginx.virtualHosts."jungle.bsc.es".locations = {
+    "^~ /.well-known" = {
+      priority = 9000;
+      extraConfig = ''
+              absolute_redirect off;
+              location ~ ^/\\.well-known/(?:carddav|caldav)$ {
+                return 301 /nextcloud/remote.php/dav;
+              }
+              location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
+                return 301 /nextcloud/public.php?service=host-meta-json;
+              }
+              location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
+                return 301 /nextcloud/index.php$request_uri;
+              }
+              try_files $uri $uri/ =404;
+      '';
+    };
+
+    "/nextcloud/" = {
+      priority = 9999;
+      extraConfig = ''
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-NginX-Proxy true;
+          proxy_set_header X-Forwarded-Proto http;
+          proxy_pass http://127.0.0.1:8066/; # tailing / is important!
+          proxy_set_header Host $host;
+          proxy_cache_bypass $http_upgrade;
+          proxy_redirect off;
+      '';
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,6 +22,7 @@ in
  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
  "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
+  "tent-nextcloud-admin-pass.age".publicKeys = tent;
  "vpn-dac-login.age".publicKeys = tent;
  "vpn-dac-client-key.age".publicKeys = tent;

--- a/secrets/tent-nextcloud-admin-pass.age
+++ b/secrets/tent-nextcloud-admin-pass.age