From b8e9b685fe192fd4e46064df23b59d32a0fb870a Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sun, 21 Jan 2024 16:30:50 +0300
Subject: [PATCH] add ocis to home-hypervisor
---
 machines/Home-Hypervisor/default.nix | 1 +
 profiles/servers/nginx.nix | 20 ++++--------
 profiles/servers/ocis.nix | 39 ++++++++++++++++++++++
 secrets/home-hypervisor/ocis.yaml | 48 ++++++++++++++++++++++++++++
 4 files changed, 94 insertions(+), 14 deletions(-)
 create mode 100644 profiles/servers/ocis.nix
 create mode 100644 secrets/home-hypervisor/ocis.yaml
diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index a109a1a..fc12797 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -9,6 +9,7 @@ in {
 ./disks.nix
 ./backups.nix
 customProfiles.hardened
+ customProfiles.ocis
 customRoles.hypervisor
 customProfiles.acme
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index 9650443..329773d 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -263,24 +263,16 @@ in {
 # };
 "file.ataraxiadev.com" = {
 locations."/" = {
- proxyPass = "http://127.0.0.1:8088";
+ proxyPass = "http://127.0.0.1:9200";
 extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffers 4 256k;
+ proxy_buffer_size 128k;
+ proxy_busy_buffers_size 256k;
+ # Disable checking of client request body size
 client_max_body_size 0;
- proxy_buffer_size 16k;
- proxy_busy_buffers_size 16k;
- proxy_connect_timeout 36000s;
- proxy_max_temp_file_size 102400m;
- proxy_read_timeout 36000s;
- proxy_request_buffering off;
- send_timeout 36000s;
- proxy_send_timeout 36000s;
- # proxy_buffering off;
 '';
 };
- extraConfig = ''
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-Forwarded-For $remote_addr;
- '';
 } // default;
 # "webmail.ataraxiadev.com" = {
 # locations."/" = {
diff --git a/profiles/servers/ocis.nix b/profiles/servers/ocis.nix
new file mode 100644
index 0000000..2222df9
--- /dev/null
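Review bot: Dropping `proxy_request_buffering off;` while keeping `client_max_body_size 0;` means nginx now spools every upload to its temp directory before forwarding it to oCIS on :9200, so an unbounded client body becomes unbounded disk use on the proxy host and large uploads stall until the spool completes; keep `proxy_request_buffering off;` in the new extraConfig. The removed `proxy_read_timeout`/`proxy_send_timeout` also fall back to nginx's 60s defaults, which is short for large WebDAV transfers once the body is streamed. The deleted `X-Forwarded-Proto`/`X-Forwarded-For` headers are only safe to drop if `default` (defined outside this hunk) still sets them; otherwise oCIS sees every client as 127.0.0.1 and cannot tell https from http, so add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` beside the Host header. The enclosing virtualHosts attrset starts and ends outside the hunk.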
+++ b/profiles/servers/ocis.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, inputs, ... }: {
+ sops.secrets.ocis-env-file = {
+ owner = "ocis";
+ mode = "0400";
+ sopsFile = inputs.self.secretsDir + /home-hypervisor/ocis.yaml;
+ restartUnits = [ "ocis-server.service" ];
+ };
+ services.ocis = {
+ enable = true;
+ configDir = "/var/lib/ocis";
+ baseDataPath = "/media/nas/ocis";
+ environmentFile = config.sops.secrets.ocis-env-file.path;
+ environment = {
+ # Web settings
+ OCIS_INSECURE = "false";
+ OCIS_LOG_LEVEL = "debug";
+ OCIS_URL = "https://file.ataraxiadev.com";
+ PROXY_HTTP_ADDR = "127.0.0.1:9200";
+ PROXY_TLS = "false";
+ # Disable embedded idp (we are using authentik)
+ OCIS_EXCLUDE_RUN_SERVICES = "idp";
+ # OIDC Settings
+ OCIS_OIDC_ISSUER = "https://auth.ataraxiadev.com/application/o/owncloud-web-client/";
+ PROXY_AUTOPROVISION_ACCOUNTS = "true";
+ PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "jwt";
+ PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+ PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc";
+ PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM = "groups";
+ PROXY_USER_CS3_CLAIM = "mail";
+ PROXY_USER_OIDC_CLAIM = "email";
+ # S3 storage
+ STORAGE_USERS_DRIVER = "s3ng";
+ STORAGE_SYSTEM_DRIVER = "ocis";
+ STORAGE_USERS_S3NG_BUCKET = "ocis";
+ STORAGE_USERS_S3NG_ENDPOINT = "https://s3.ataraxiadev.com";
+ STORAGE_USERS_S3NG_REGION = "us-east-1";
+ };
+ };
+}
\ No newline at end of file
diff --git a/secrets/home-hypervisor/ocis.yaml b/secrets/home-hypervisor/ocis.yaml
new file mode 100644
index 0000000..57801b9
--- /dev/null
+++ b/secrets/home-hypervisor/ocis.yaml
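Review bot: `OCIS_LOG_LEVEL = "debug"` is committed for what the rest of the block treats as the public deployment (OCIS_URL is the https host behind nginx); debug output from the proxy/OIDC path is very verbose and writes request details and identity claims to the journal, so set `OCIS_LOG_LEVEL = "info";` and raise it only while troubleshooting. `PROXY_AUTOPROVISION_ACCOUNTS = "true"` together with `PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc"` and the `groups` claim means every identity the authentik issuer signs gets an account and whatever role its group names map to, so who holds an admin-mapped group is now decided entirely on the IdP side; a comment above the OIDC block such as `# Accounts and roles are provisioned from authentik group claims; admin access is controlled by group membership there` would make that dependency visible. `restartUnits = [ "ocis-server.service" ]` should be checked against the unit name the NixOS services.ocis module actually defines, because a mismatched name silently skips the restart on secret rotation. The secrets file added in this patch also carries `ocis-admin-pass`, which nothing in this profile appears to reference.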
@@ -0,0 +1,48 @@ +ocis-admin-pass: ENC[AES256_GCM,data:WfgdyfLxojFR6/hOIu+ycFgiih8=,iv:s9GWDBrrWGWkRDzd/BB3tuyExmdKVa7qvRbjgx0N0jQ=,tag:eRFs5ZCTBjbXSRwvO8lCSg==,type:str] +ocis-env-file: ENC[AES256_GCM,data:6oyXhsmmMzFd7CIv4j+gWbzHo4Jy4Ym5KzV6tAXdKkTP1n6Yvv1UpdebOzXfrXZTTHuEzrTJvtFAviZd526KyAeeo53iQvWDdhazeywHL5AbsmUJ7IZ0eChGiXBXsYTYSb+TyFaRHpZazpT8ePurHkVuYfE4lyKDIILu3Y4ahfyXQzRnh3lhS1SxuWtDcoG6lcuAwgLBOgcIeHWI9rqmtylneeGf70oRfd80sHQ=,iv:tlQF8b0x+qd7JuhbFY1ekZNKjT68SKW6P/DRYalYfuU=,tag:V6SjKQbZiGm7rJtCtogQRw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-01-20T20:50:32Z" + mac: ENC[AES256_GCM,data:0SLZnxDo9X6a6od00XKsZ45RfdC43JHom9H6lhTdgco/w7OnRFd4ukJoaQfL8OnXuS5v7UgxNByzuVNJY7cIgNXLNKKFYG7fzb8GNyTmYyFbSUyjlgQ1pDbjFdKsWTgeoUyb/Q/CzdZFWBbJLvMkwwR1pirhWCEQx3GxlaD8MNA=,iv:L6XPxjhLH0bJCveTYWL9aYXhHvxusJcbE2EO8OwPg24=,tag:GveNLkF72FSfVBazWPigrQ==,type:str] + pgp: + - created_at: "2024-01-20T17:09:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAwcagTG/Fm6AAQf/REYKQJmtKWMBqmnDJKvcLlvdv7AFLeNG9dHdGFbBMFiv + viLQwAeN1DzMJMFvI9EDDYSQ7hF5MQ//AenFv2W3WSJpKAU8l5A1n8+mVHQ4CxKm + xBPGZhx74dghPDFuEjWfwI63Ysxy7KzEtapwJ9aWaRjNVMV6viQoav3Y9FNSiPFX + /ocNPqWteEzeoK+DzJLMJXCKYQVHgUgtxXAtCQa8eX+cieL8lzNIKR/jbY5lO9Wz + fAMS9wr1LUek/PBB5OiYkG9cBoE5z82z+70zMQNmNXb9dUBGLpSpDL7BQVNHxLhe + cO3GHHtn+NE/yl3LaLtpxYGaUZM8Js22yQRq00k6mNJYAR4PMeAm/lZbbGzc6zzP + y4UzEAWnH9S0GDnl/k050ixj1SBrdbpkAAJ6yMuu8/kKif8DXc5rXFU7+XNy3JQG + sfxl7NwNlZ5ElSjBqvsTlYoAHPwJdSM4og== + =XHRN + -----END PGP MESSAGE----- + fp: ad382d058c964607b7bbf01b071a8131bf166e80 + - created_at: "2024-01-20T17:09:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQILA187ia82lSDGAQ/1G7woSu9b6Ol99Cr94gec/Uxc7EwqfITpFJs3KsVyUOZm + uY6J9ni6yf5wekW05+E4RIqj6S9tARmb0YIX7/aQqQMFoF7lTq68Y7M+oBn2xuUB + eOCOZ/ir3IRNI1lPwfQpmNqZebfkwAF9T6PjEV38mHhRP8v+gXXBS+BFBElUWp/p + EBPt8twveOxk/ok/LEtQtpYPNPdwv2Duxxa4oYBrjDXXzfhtLrU8ck/I+Wuvh7DH + 
WCmLmJ95bU1DiO7QbG2PJ5ElO5UZD7D1HfDv1+ql60/WBMzywuSzigsY8C2HDXA5 + rIYdRzXMLVBRzxSOMytxQwUJHp8T3/Off0Hidx+w7qQ6J+lUvZvNQ7UoinsA0VWp + X49V6kRTVoy2SceWJDUq46kXsGhKCmDZlRh/LWESJwXSFxoIdHwU2s1LBJNbLuv5 + QrYdFQuo0Z/Exhm8YWgpnOUQx+/2eRmC2V059Hu1ZInH5mUpEXjKsfQjD7GAcbq9 + HfPriB/qh14pW9Yahm5H7snXFiQsfEEs7Kyf9e+67AzxUJL2g3pxhd+geGJAy2vS + wdJZaFr7Ii2GNyNfBFHcXo35aP17rcKrrI5FsrDk26d2R9KLxtY+Jkn/sIix4gR3 + lji7YbXcSvBEmxuYz9qsKmlEFIIdbbsC/aSD1gJ7s673q27XyszO71xTpeaxPtJY + ATwQ2MXglpSytz/99+abS6yWIHn+F08577fczfY0RpiJRacblDnv3gUqluZvitTd + f6fIzvPK3AzM9WYebHr2Pk2vyLFcveM21KeLmaFUcHGl85QrA5jZVg== + =7up9 + -----END PGP MESSAGE----- + fp: a32018133c7afbfd05d5b2795f3b89af369520c6 + unencrypted_suffix: _unencrypted + version: 3.8.1