Add Whiteboard app to Nextcloud

common/server/nextcloud.nix

@@ -3,28 +3,44 @@
 
 let
   cfg = config.services.nextcloud;
+
+  nextcloudHostname = "runyan.org";
+  collaboraOnlineHostname = "collabora.runyan.org";
+  whiteboardHostname = "whiteboard.runyan.org";
+  whiteboardPort = 3002; # Seems impossible to change
+
+  # Hardcoded public ip of ponyo... I wish I didn't need this...
+  public_ip_address = "147.135.114.130";
 in
 {
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       https = true;
       package = pkgs.nextcloud31;
-      hostName = "neet.cloud";
+      hostName = nextcloudHostname;
       config.dbtype = "sqlite";
       config.adminuser = "jeremy";
       config.adminpassFile = "/run/agenix/nextcloud-pw";
+
+      # Apps
       autoUpdateApps.enable = true;
+      extraAppsEnable = true;
       extraApps = with config.services.nextcloud.package.packages.apps; {
         # Want
         inherit end_to_end_encryption mail spreed;
 
+        # For file and document editing (collabora online and excalidraw)
+        inherit richdocuments whiteboard;
+
         # Might use
-        inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
+        inherit calendar qownnotesapi;
 
         # Try out
-        # inherit maps music news notes phonetrack polls forms;
+        # inherit bookmarks cookbook deck memories maps music news notes phonetrack polls forms;
       };
-      extraAppsEnable = true;
+
+      # Allows installing Apps from the UI (might remove later)
+      appstoreEnable = true;
     };
     age.secrets.nextcloud-pw = {
       file = ../../secrets/nextcloud-pw.age;
@@ -40,5 +56,100 @@ in
       enableACME = true;
       forceSSL = true;
     };
+
+    # collabora-online
+    # https://diogotc.com/blog/collabora-nextcloud-nixos/
+    services.collabora-online = {
+      enable = true;
+      port = 15972;
+      settings = {
+        # Rely on reverse proxy for SSL
+        ssl = {
+          enable = false;
+          termination = true;
+        };
+
+        # Listen on loopback interface only
+        net = {
+          listen = "loopback";
+          post_allow.host = [ "localhost" ];
+        };
+
+        # Restrict loading documents from WOPI Host
+        storage.wopi = {
+          "@allow" = true;
+          host = [ config.services.nextcloud.hostName ];
+        };
+
+        server_name = collaboraOnlineHostname;
+      };
+    };
+    services.nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
+        proxyWebsockets = true;
+      };
+    };
+    systemd.services.nextcloud-config-collabora =
+      let
+        wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
+        public_wopi_url = "https://${collaboraOnlineHostname}";
+        wopi_allowlist = lib.concatStringsSep "," [
+          "127.0.0.1"
+          "::1"
+          public_ip_address
+        ];
+      in
+      {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "nextcloud-setup.service" "coolwsd.service" ];
+        requires = [ "coolwsd.service" ];
+        path = [
+          config.services.nextcloud.occ
+        ];
+        script = ''
+          nextcloud-occ -- config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
+          nextcloud-occ -- config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
+          nextcloud-occ -- config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
+          nextcloud-occ -- richdocuments:setup
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+        };
+      };
+
+    # Whiteboard
+    services.nextcloud-whiteboard-server = {
+      enable = true;
+      settings.NEXTCLOUD_URL = "https://${nextcloudHostname}";
+      secrets = [ "/run/agenix/whiteboard-server-jwt-secret" ];
+    };
+    systemd.services.nextcloud-config-whiteboard = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "nextcloud-setup.service" ];
+      requires = [ "coolwsd.service" ];
+      path = [
+        config.services.nextcloud.occ
+      ];
+      script = ''
+        nextcloud-occ -- config:app:set whiteboard collabBackendUrl --value="https://${whiteboardHostname}"
+        nextcloud-occ -- config:app:set whiteboard jwt_secret_key --value="$JWT_SECRET_KEY"
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        EnvironmentFile = [ "/run/agenix/whiteboard-server-jwt-secret" ];
+      };
+    };
+    age.secrets.whiteboard-server-jwt-secret.file = ../../secrets/whiteboard-server-jwt-secret.age;
+    services.nginx.virtualHosts.${whiteboardHostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString whiteboardPort}";
+        proxyWebsockets = true;
+      };
+    };
   };
 }

common/shell.nix

@@ -34,13 +34,6 @@
     io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
 
     llsblk = "lsblk -o +uuid,fsType";
-
-    sudo = "doas";
-
-    ls = "pls";
-    ls2 = "eza";
-
-    explorer = "broot";
   };
 
   nixpkgs.overlays = [

home/googlebot.nix

@@ -19,6 +19,7 @@ in
 
   # Modern "ls" replacement
   programs.pls.enable = true;
+  programs.pls.enableFishIntegration = true;
   programs.eza.enable = true;
 
   # Graphical terminal
@@ -41,6 +42,12 @@ in
   # tldr: Simplified, example based and community-driven man pages.
   programs.tealdeer.enable = true;
 
+  home.shellAliases = {
+    sudo = "doas";
+    ls2 = "eza";
+    explorer = "broot";
+  };
+
   programs.zed-editor = {
     enable = thisMachineIsPersonal;
     extensions = [

machines/ponyo/default.nix

@@ -78,7 +78,7 @@
   services.postgresql.package = pkgs.postgresql_15;
 
   # iodine DNS-based vpn
-  services.iodine.server.enable = true;
+  # services.iodine.server.enable = true;
 
   # proxied web services
   services.nginx.enable = true;
@@ -95,12 +95,12 @@
     root = "/var/www/tmp";
   };
 
-  # redirect runyan.org to github
-  services.nginx.virtualHosts."runyan.org" = {
+  # redirect neet.cloud to nextcloud instance on runyan.org
+  services.nginx.virtualHosts."neet.cloud" = {
     enableACME = true;
     forceSSL = true;
     extraConfig = ''
-      rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
+      return 302 https://runyan.org$request_uri;
     '';
   };
 

secrets/secrets.nix

@@ -31,6 +31,7 @@ with roles;
 
   # cloud
   "nextcloud-pw.age".publicKeys = nextcloud;
+  "whiteboard-server-jwt-secret.age".publicKeys = nextcloud;
   "smb-secrets.age".publicKeys = personal ++ media-center;
   "oauth2-proxy-env.age".publicKeys = server;
 

secrets/whiteboard-server-jwt-secret.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 6AT2/g IKBONbSLcU2+HkuAsOv2Hehpx42Euw1arhM4BjNALUQ
+lGKw2+U27LHEDGBrQV9wvcF/uACjyYukFA0Mjbgvfrs
+-> ssh-ed25519 w3nu8g dYRX57rbE8OEZiK1cDJdBhUGyA/9OrhO8RMejU/nh3s
+F0Y+adJD+L+OCVCJ78o1XiS0HkVLceOadqWcKEYxOlk
+--- P3KkdM78M9DiqUOnkgnxd+JwOmFpMTYWDS3FuJZKG3M
+˜§«]Læ=r)†ä#ó™ýšEŽ~_*¥m*Ñò‡RöD`âЄVI/—³™¬ÎÝ‚Àâû.]3r<33>{^<5–YZÈX¸‘²¬å¢,,}Úñá|ªzé¸Á