nixfiles/hosts/koi/containers/sftpgo/default.nix

{ config, ... }: 

let 
  UID = 1112;
  WEBDAV_PORT = 16821;
in {
  imports = [
    ./samba.nix
  ];

  desu.secrets.sftpgo-env.owner = "sftpgo";

  users.users.sftpgo = {
    isNormalUser = true;
    uid = UID;
    extraGroups = [ "geesefs" ];
  };

  virtualisation.oci-containers.containers.sftpgo = {
    image = "drakkan/sftpgo:v2.6.2";
    volumes = [
      "/srv/sftpgo/data:/srv/sftpgo"
      "/srv/sftpgo/config:/var/lib/sftpgo"
      "/mnt/puffer:/mnt/puffer"
      "/mnt/s3-desu-priv-encrypted:/mnt/s3-desu-priv-encrypted"
    ];
    user = "${builtins.toString UID}:${builtins.toString UID}";
    extraOptions = [
      "--group-add=${builtins.toString config.users.groups.geesefs.gid}"
    ];
    environment = {
      SFTPGO_SFTPD__BINDINGS__0__PORT = "22";
      SFTPGO_WEBDAVD__BINDINGS__0__PORT = "80";
      SFTPGO_WEBDAVD__BINDINGS__0__PROXY_ALLOWED = "172.17.0.1";
      SFTPGO_WEBDAVD__BINDINGS__0__CLIENT_IP_PROXY_HEADER = "X-Forwarded-For";
      SFTPGO_WEBDAVD__BINDINGS__0__PREFIX = "/dav/";
      SFTPGO_HTTPD__BINDINGS__0__PORT = "8080";
      SFTPGO_HTTPD__BINDINGS__0__ENABLED_LOGIN_METHODS = "3";
      SFTPGO_HTTPD__BINDINGS__0__SECURITY__ENABLED = "true";
      SFTPGO_HTTPD__BINDINGS__0__SECURITY__ALLOWED_HOSTS = "puffer.stupid.fish";
      SFTPGO_HTTPD__BINDINGS__0__BRANDING__NAME = "puffer";
      SFTPGO_HTTPD__BINDINGS__0__BRANDING__SHORT_NAME = "puffer";
      SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL = "https://puffer.stupid.fish/";
      SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD = "preferred_username";
      SFTPGO_HTTPD__BINDINGS__0__OIDC__IMPLICIT_ROLES = "true";
    };
    environmentFiles = [
      config.desu.secrets.sftpgo-env.path
    ];
    ports = [
      "${builtins.toString WEBDAV_PORT}:80"
    ];
  };
  systemd.services.docker-sftpgo.requires = [ "ecryptfs.service" ];

  systemd.tmpfiles.rules = [
    "d /srv/sftpgo/data 0700 ${builtins.toString UID} ${builtins.toString UID} -"
    "d /srv/sftpgo/config 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];

  services.nginx.virtualHosts = {
    "puffer.stupid.fish" = {
      forceSSL = true;
      useACMEHost = "stupid.fish";

      extraConfig = ''
        client_max_body_size 25G;
      '';

      locations."/" = {
        proxyPass = "http://sftpgo.docker:8080$request_uri";
        proxyWebsockets = true;
      };

      locations."/dav/" = {
        proxyPass = "http://sftpgo.docker:80$request_uri";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ WEBDAV_PORT ];

  services.avahi.extraServiceFiles.puffer-lan = ''
    <?xml version="1.0" standalone='no'?>
    <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
    <service-group>
      <name>puffer-lan</name>
      <service>
        <port>${builtins.toString WEBDAV_PORT}</port>
        <type>_webdav._tcp</type>
        <txt-record>path=/dav/</txt-record>
      </service>
    </service-group>
  '';
}
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`{ config, ... }:`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00
			`let`
			`UID = 1112;`
feat(koi): local access to webdav share 2024-09-19 15:05:13 +03:00			`WEBDAV_PORT = 16821;`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`in {`
			`imports = [`
			`./samba.nix`
			`];`

refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`desu.secrets.sftpgo-env.owner = "sftpgo";`

chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`users.users.sftpgo = {`
			`isNormalUser = true;`
			`uid = UID;`
feat(koi): s3-backed encrypted mount for navidrome 2024-11-30 20:11:32 +03:00			`extraGroups = [ "geesefs" ];`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`};`

			`virtualisation.oci-containers.containers.sftpgo = {`
			`image = "drakkan/sftpgo:v2.6.2";`
			`volumes = [`
			`"/srv/sftpgo/data:/srv/sftpgo"`
			`"/srv/sftpgo/config:/var/lib/sftpgo"`
			`"/mnt/puffer:/mnt/puffer"`
feat(koi): s3-backed encrypted mount for navidrome 2024-11-30 20:11:32 +03:00			`"/mnt/s3-desu-priv-encrypted:/mnt/s3-desu-priv-encrypted"`
			`];`
			`user = "${builtins.toString UID}:${builtins.toString UID}";`
			`extraOptions = [`
			`"--group-add=${builtins.toString config.users.groups.geesefs.gid}"`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`];`
			`environment = {`
			`SFTPGO_SFTPD__BINDINGS__0__PORT = "22";`
			`SFTPGO_WEBDAVD__BINDINGS__0__PORT = "80";`
			`SFTPGO_WEBDAVD__BINDINGS__0__PROXY_ALLOWED = "172.17.0.1";`
			`SFTPGO_WEBDAVD__BINDINGS__0__CLIENT_IP_PROXY_HEADER = "X-Forwarded-For";`
			`SFTPGO_WEBDAVD__BINDINGS__0__PREFIX = "/dav/";`
			`SFTPGO_HTTPD__BINDINGS__0__PORT = "8080";`
			`SFTPGO_HTTPD__BINDINGS__0__ENABLED_LOGIN_METHODS = "3";`
			`SFTPGO_HTTPD__BINDINGS__0__SECURITY__ENABLED = "true";`
			`SFTPGO_HTTPD__BINDINGS__0__SECURITY__ALLOWED_HOSTS = "puffer.stupid.fish";`
			`SFTPGO_HTTPD__BINDINGS__0__BRANDING__NAME = "puffer";`
			`SFTPGO_HTTPD__BINDINGS__0__BRANDING__SHORT_NAME = "puffer";`
			`SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL = "https://puffer.stupid.fish/";`
			`SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD = "preferred_username";`
			`SFTPGO_HTTPD__BINDINGS__0__OIDC__IMPLICIT_ROLES = "true";`
			`};`
			`environmentFiles = [`
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`config.desu.secrets.sftpgo-env.path`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`];`
feat(koi): local access to webdav share 2024-09-19 15:05:13 +03:00			`ports = [`
			`"${builtins.toString WEBDAV_PORT}:80"`
			`];`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`};`
feat(koi): s3-backed encrypted mount for navidrome 2024-11-30 20:11:32 +03:00			`systemd.services.docker-sftpgo.requires = [ "ecryptfs.service" ];`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00
			`systemd.tmpfiles.rules = [`
			`"d /srv/sftpgo/data 0700 ${builtins.toString UID} ${builtins.toString UID} -"`
			`"d /srv/sftpgo/config 0700 ${builtins.toString UID} ${builtins.toString UID} -"`
			`];`

feat(koi): local access to webdav share 2024-09-19 15:05:13 +03:00			`services.nginx.virtualHosts = {`
			`"puffer.stupid.fish" = {`
			`forceSSL = true;`
			`useACMEHost = "stupid.fish";`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00
fix(koi): sftpgo max body size 2024-10-26 19:43:18 +03:00			`extraConfig = ''`
			`client_max_body_size 25G;`
			`'';`

feat(koi): local access to webdav share 2024-09-19 15:05:13 +03:00			`locations."/" = {`
			`proxyPass = "http://sftpgo.docker:8080$request_uri";`
			`proxyWebsockets = true;`
			`};`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00
feat(koi): local access to webdav share 2024-09-19 15:05:13 +03:00			`locations."/dav/" = {`
			`proxyPass = "http://sftpgo.docker:80$request_uri";`
			`};`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`};`
			`};`
feat(koi): local access to webdav share 2024-09-19 15:05:13 +03:00
			`networking.firewall.allowedTCPPorts = [ WEBDAV_PORT ];`

			`services.avahi.extraServiceFiles.puffer-lan = ''`
			`<?xml version="1.0" standalone='no'?>`
			`<!DOCTYPE service-group SYSTEM "avahi-service.dtd">`
			`<service-group>`
			`<name>puffer-lan</name>`
			`<service>`
			`<port>${builtins.toString WEBDAV_PORT}</port>`
			`<type>_webdav._tcp</type>`
			`<txt-record>path=/dav/</txt-record>`
			`</service>`
			`</service-group>`
			`'';`
chore(koi): moved sftpgo to a docker container 2024-09-18 01:04:59 +03:00			`}`