Merge pull request #5 from Tommixe/next

LXC02

.sops.yaml

@@ -12,6 +12,7 @@ keys:
     - &cloud01 age1nx9xnrcx37z5a2nhhhatcwvejscpqpf68akkx8rgqed5lxdseu8sgfg8h5
     - &rpi01 age1js2k3gjaarfrqtcm6n00htchy350n28wfk5llpdwuuesv3t8zexqr5fldd
     - &lxc01 age1d3s3k520rsptj69rayvdyd5k28rkgx2tgpq7h9vtxe34vfm7ta2sacd28q
+    - &lxc02 age1env45y5ueq59d6344xh6unz8pmkr0g6nh0z4kavetyqjltcvlcdstcy34e
 
 creation_rules:
   - path_regex: hosts/server01/secrets.ya?ml$
@@ -49,6 +50,11 @@ creation_rules:
     - age:
       - *lxc01
       - *user01     
+  - path_regex: hosts/lxc02/secrets.ya?ml$
+    key_groups:
+    - age:
+      - *lxc02
+      - *user01
 
   - path_regex: hosts/common/secrets.ya?ml$
     key_groups:
@@ -62,4 +68,5 @@ creation_rules:
       - *cloud01
       - *rpi01
       - *lxc01
+      - *lxc02
 

flake.nix

@@ -133,6 +133,14 @@
             inherit inputs outputs;
           };
         };
+        # Proxmox lxc container
+        lxc02 = lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [ ./hosts/lxc02 ];
+          specialArgs = {
+            inherit inputs outputs;
+          };
+        };
       };
 
       homeConfigurations = {
@@ -193,6 +201,13 @@
             inherit inputs outputs;
           };
         };
+        "user01@lxc02" = lib.homeManagerConfiguration {
+          modules = [ ./home/user01/lxc02.nix ];
+          pkgs = pkgsFor.x86_64-linux;
+          extraSpecialArgs = {
+            inherit inputs outputs;
+          };
+        };
       };
     };
 }

home/user01/lxc02.nix

@@ -0,0 +1,4 @@
+{ inputs, outputs, ... }:
+{
+  imports = [ ./global ];
+}

hosts/common/secrets.yaml

@@ -45,83 +45,92 @@ sops:
         - recipient: age1z8f04yxkhz98k45gml7zdge9s0vx83lyvg6jq6wuyt7f8fy05p6sms4fek
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSFJtNURHN213MnRSK1ZW
-            RU9URE9nbEh3d05NSzM4clRyMWRuemIxTkNvCnFyUlRkZGtJQjJ0T09IanVHbGRJ
-            NUVpUnZQTXIvKzFHU29Vb1pMYms5UlEKLS0tIFJhK2g5MXB2WlhzREZsemJwTWQr
-            SjZLeXI3SUQ1dHRad3Z5TXhKSHJlSFkK7TAlLXKVfzC8ihl1OmeoNSBwcZV8suO6
-            UuKt0ltzIqLWPgoTp6u54IOS6CbIDxREjGoUrN/JpkNZRhhk6GE2wg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaS85ZCtTZzBScmdjdnVO
+            RFBueGUzN0FqMTYyRFcxeDQ2eFhFdXUwTTJRCkltaG1lOUNLUkxlMnUvT3gzeEpw
+            VFB4MW1YZXVPUEYyaTF1QktiaGlTTTQKLS0tIEhnaFUwYnllRXd1UzNZQmZnK2hr
+            R3NlWVRLQWswbDNpWm1RL1ZWdC9EU00KwxNehyj/21+qhuIVMgzIHkSwXNni9W0v
+            jS1enCQw31aEbgYBIZmoxingnRH5pFrTtB/MKvXuTs2yJ1RMeM4JIg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1u0ap2cpel4dph65qtuc72r45n79exvjx8xyll6m5mx7c2pq03vwqps9q5v
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMlRxNXZScUZvR052T054
-            UUNRY1RIay9USUp3ZlZabnkzSFMwd0tRT0dZCm5lV0xUZm4zVWc4WGVPSWZSaDZN
-            SkRKbmx6d1lwS1RwMTlka2M3K29DTVUKLS0tIFdLYW1oQjhLZGtyaytzWnVkYlBn
-            YVR3OXF0bmNERFpqa0tEdEgxOTN2ZGcKIic6eZMtxQFAoRUcgIciLlnO2YROSAry
-            f7amMtGw59H3REtSwihyQDr94XANBRY8Mx5S5ZY7mQ2gKV+pIfn5Og==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHhRS0U5ZHJmbkpyRkxk
+            QUJYajh1MnpNenNFS2IrenhEOWhpakVEMlRjCmVsUUN0ZGlnNzE4WjMrT3BuV2k1
+            VEtlUU42K3BvVHZtOHNoM0ZQb3NRaVkKLS0tIElKMm9iZlhScFlIdkZvdW5NU3Bz
+            eENEVFk2QUs5eGQ4dTlRVWRnYUw1c1EKsL4Y/rb6Zaecz5H9h71cpgkS+WubjdbO
+            N9Fh+Yhl2Flr2lgHeJIyzJMMUpgmDiFV8EjdM9tWghYT4w4SIrOdNA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1rdpjdlkruh7h0n46gzr30c53avd42pe67vs470jejnwf65zt0sqsk5srm4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtajJsYmxuT1FKTHF3U2hz
-            WExCUFhvdFNHV3hWK0JyWk1ZdUJWUjVEWkNrCkZ6eTdFNDh1YktjaVNEeDZ0TWsx
-            UkhmSmxwSHNGN2R1RithbGpNVzNYU0kKLS0tIGRMQ0llU1FWMURLQ0tFNHhLVEpK
-            M2NMQVhnN1RsSHdHcjRNUVJJbXpKTWMKeB3Mp1VFKv1sMNXL7Wo+9zYB/yvvozoj
-            ZuVuHSmU+o9A4KFzICyFnDHZzC/g+5s0iLOV5A+lBgQuZyCVIARYdw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqemQ2R0F0aE1BU0NpYVpj
+            c3BWYlpnNkl1S3Z2VVpUaDBXQXlsZDViSnc4CjZUbTNMKzg2ZlNpTHd3d0w2UEJr
+            ek9Dd2J1RFBrTlAzNXNadTVlMm5VRzQKLS0tIHQxbGJET0FFOXlhRXE2TERiSmFT
+            dmw5eStjd1JxZ2d4TytsbDNnd25LQWsKGcx/Iynv/fxsI8+2yjR8RcYYyLCioIsZ
+            mUAHRfTBZSF038WJ96j8ScZdX91eoTAHuCudz76+HO6+R4EJBVYldw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kgurqmcjnhqx2pxvnj7aq0ylrtamacwypk3qf35y6td5whtqdeksd7jkdy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4d0hsbHZueEtvUzFTVWt3
-            N3RoR24zdnBMcDdkZ002am9ub0tEZWpXZkVRClc3V2FodVFQc3F5T2kycE1KeWd5
-            SVpMWU03dGNrWk5aODBRd0dPenJLOTQKLS0tIEplWGVhMnJWdVdjUUQ5VXJaL1pO
-            R0t5RXByckZ3dWlFZTdNdFhjWXp0ZE0KFrPT84ButlU3sNA5jFfVazIOQrT/5n5h
-            R7BY5yR2czwsXfB8dMcYtujxRWUJfoMzdpwwO5jPHnxkciZdtmq40A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuM1hxMXk4OVZad1VqbndS
+            cHlkcnNpTm5Sby96SngyK2xsMEtMbmlQS2xNCjRyVUgzUm9XaFpkYjlKSlFyYVo0
+            VGFzcS94NjhkNHFBbkRGNU9vQzlCbUkKLS0tIDgwaGtlUUdrZkgrWkxNZHJDY2xp
+            N3h6Z1ltTEtEMWEwR2hhUXFXVFVnYjAKh+n4BDGxAwcLRyMvcULYxxlU4aOhRClP
+            UtAMeZzz+Jc1Yj+1oanxkX+xP0QZ99xQndlRvlngeFbZF5appEXB+A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1f5fmct6sts4fy885zqtntu485hr0ju3ara02ph6wshzws6hkvg3scpjzqd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWmpKWTJrOVNhSi9ROFpt
-            OE9ueW96L3JqUmN2bHFYbG1jSEQ1ZWF5SGpRCjROQ2o5Q04wQ3lHWTFYZkdmSlVn
-            akJMb2YybnRzQ2dZMC95Umc2elF3NTQKLS0tIGNEc1BGdDMyQnBBZlMvVlpQc3BG
-            NjM2UWYwVnpFb0Jnb3pGRWhjTEQ5c1kKVx/bVxArfaXbxOfyTpAzRfjrn05ZC/Y2
-            xp5mKFAGONv2Auq8sPY7xRG0Vw0rQiGniKkj4P97EpR2iolfMWDiiQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUG1Ba3FQeFdZcExLbFVm
+            YTJEUkFBek04a3VrVEpDVEF4ZlJFOEgzQm1nCnhKRmo2UEtNa2ZMWEVZYjNEWWhp
+            SEdvMHRUMkh2TFpMZERsTE9zVVpRN1UKLS0tIEovdjhTeFptaG9sQ0Nhak9RUVhu
+            NXArbFJVUnBYSzJJSG9BeTc3NEwyZXMKaR1h7PLj1Wc29yMPc7GscrQl49boaNrN
+            1ia47ClqYI5asEipfLYy3dgnW5I6fSOavFHAJ1jckrC2gQ/T2mK8uA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cs35x2jepylsxg0ftml0ht327tjq4vcrh4v6fasagq8f5k9hacjq4pnde8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT2FCajlPcHdaQlpnMURn
-            d1ZaYnFKUWlhbTZoN2w3NHNuSzJlRGdXTVJ3CmQ1MkZBM1FCa3hxUVREeTF1Q1VL
-            S1pIZlp3a1RQbnVWRkE2RHRUdTJhRkEKLS0tIElxNXhYMUxuZlplaWRxc0t3dUdp
-            Ym9BTDNTY0o5VTJmcExjUEROSDdmNm8KcXfDIZzkmOaPs0ajpgOoA3cedOaHmABw
-            Q2Ny8rDc3U6a1fOgV5iVEr0/bHlarlY05je8LpWxfozZZhju0NWo3A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTXlkZGtOOFQxZGNLVnpl
+            TGNNNUsrQUpYK1p3Zk9wWEhBN2VXQzZBL0FFClNGL2ZaWktjZlRYZ3hzNW15aFk3
+            M25xK21nZzBtVDFwOGIzcGtlVnJML28KLS0tIE1jcWhDSTQyOEJ3U3R0c3FEUjIy
+            OG05d2NISUErbnhZaTN6QnFnQjNCNDQKNI8tglVLFB+KnE3E8LuQVfyw9oHN1Dbr
+            oyMlDxKZUoN1awb8Bj80c07a1E6u1D4s9KQ/o5hP87lt13kEx/Nt7g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nx9xnrcx37z5a2nhhhatcwvejscpqpf68akkx8rgqed5lxdseu8sgfg8h5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NHJ0WWhrSnBRSHpkdUp0
-            WE5BVEE2bW5uanhXOG56ZFpkN2p6WXVKVmtrClRnaExyVFVDRDExTDlnUUFUTlRT
-            RzRTWWs1T0lMdXVMRmRjNmxkVzdXemcKLS0tIHVpOENZSjlCYnZFUmhjZ2FJTTNF
-            RjZxaHJIS2lGNEg3VytDQVVMbFVIc28KroSTwGgx/ngjPwAcSeasU6bUyWcBNwsv
-            A4fRYLQLhQyFsU8JKB1+XY/95sSOL4kHqFh2XTOPEdRDcaoUBfRc/A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1a2FrMWcvTXBLUUdXdk16
+            ZE1mWFJMTG1KcjR3VjRjTnhvNVQ2YzZSVWpJClBMZTVPZmZyM0ZHbXEzOGJtcVFu
+            ZFFtS2RCU24xK3RWTXBlcjZROG5FOFUKLS0tIGNVNXoyYW11ZU9kbk1aNlBHV3Rp
+            a3lsVTRIMmY0QnIvN211bnBqMDVyc28KzMisGwlTVCpL0bXt2T4n5sv0jsEM7WkR
+            ep8Vk6OAE+ZoTZ4OVVzBwND38m56ngdR7kQ0qcUmMlQs6QXeo0Y6kg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1js2k3gjaarfrqtcm6n00htchy350n28wfk5llpdwuuesv3t8zexqr5fldd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQTBhaWVEb2JiSEk5NFBY
-            NVdvMTByMGlhOTRicVlnM0F1aGdSSHMyOUVVCjNjMW5ZelN2bTBsUVRqQUVISjVF
-            NU1vc3p3akFSUzhLUFh2RUI3NG1KQlEKLS0tIGNkNzBYdTRHRVlNYU52TE9iU0lO
-            b1V6MjUvOVpUOG5LRzRsdE90ZmFuMnMKB0gFmwJAkX0UeYcfIcFe5g5H04VD7VSI
-            y/VkqBCMpDa3aI3TESFJ9vk9g7Uqt6K8oMS0ib3ixOaTQY9vW7DAOA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUXE0TUkrL0RMR1hya0Qz
+            TWZxckVhajh6R2NUcThzTkhGVEdsd09jSkZVCnYzeWJoNFlWSzVPRVNtOXRVTkhS
+            MVJ2eVFSRnBtckhsYWxiTzVGa0dsSWcKLS0tIGtobjVjZlBHaWsyM20rYzFtRHFL
+            c1I2WGMvc0lpOUtzc2lsSDhGMGdEOTAKysNQ8hHE1xSkrrmljHLR4DHsPGfgvpi1
+            I0gIWGrjuYVqmdZA0I2UocqoL7f+EHeZosWPIg0d2v06PsBD/WhO1A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1d3s3k520rsptj69rayvdyd5k28rkgx2tgpq7h9vtxe34vfm7ta2sacd28q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdjlXVXhOcWZDWktobFZN
-            OUpaK0VHdCtveE1LeGlvR20vQ1Q1THNGRmhJCmU4NzhMYUpYRHZRd2xWUk4xMGZR
-            eGIwZlhSRUdIenZqZE9tTC91Z3pRQXMKLS0tIHV3ckVMeU50cFMrOG1HSXZIYlFW
-            enM1SlJQWDMra2dBcU5UTFh3OGd3Z1kKgHagcVZReXGyB10AmLlA0Ir4WCyyMG/R
-            AfNuCnt2jLP48SlGTBf70Al8ANqMkjbry49S7TCSeVPVj/LEmiV9Qg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveHhLTHFMTGZEcUFGZzVJ
+            aUM5Zkc2V25CVGlIZVpQQWxkQzA3dno3SWdvCm9JTW5GMEY1R3paMGdXMWE4aHFj
+            QTJXSkt3WU5vMXdaZFJmVVp5YWFocFEKLS0tIFBxb3NoZ2dMbjBrUGdvVXg2aWI1
+            SnBHN05SQzNkYkh0RHlIMXpiaWx1eUEKd3vE7Lbw2kf9hejsB6tUHHZULwd0fX6X
+            q5WzSCOBHsJwynnddd1mcXc8DPHavZ1ZJBsIuR9eWJR+JQtvhcv91g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1env45y5ueq59d6344xh6unz8pmkr0g6nh0z4kavetyqjltcvlcdstcy34e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdzJYYWpuNmVRcW1rNHc4
+            dm8rejhrZmszTklYeDMyOG9xdW5pZ216TjJBClRkYzZialJjQys4d3FIWnFJcGdC
+            bXdPN0FzdVFxcmcwME5CYll0cVlQVVEKLS0tIEFJdWIvVjEwaW4xSnZNSTBsNGZU
+            a1kxdlZXMlhxd3Faa3pkRzJPcWVVM00KAlOIrrB3eovCSCLg1NTapMDgG5wDs/SJ
+            r5oc3/caF6kbWT9Gj8jEKfjXXdPtK1Tiqd7Gig4POmWzEx36sDv12A==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-08-24T17:36:24Z"
     mac: ENC[AES256_GCM,data:6bHtdMfuXwqQ9giegOfbOiVaBd/k0HWkU0M5n+W5Uxb/dI+F5mLMtC4JPlQQhow+Sdt9ZCQRqJ4B7+GyYIUra3raIKtYOgxDvsE8qfjLqsZWLjRqnqvQDKfIPUE3QFGxUgmT7D49NROBvHKIcqXiLgv82e3HJbMGht6u/sofIb4=,iv:BfqCcjwdGZoq2kAhp15dL4ISPs/qcjeLC8eJrlFZayw=,tag:aYBr7u2/XrHOOENTf/dSnw==,type:str]

hosts/lxc02/default.nix

@@ -0,0 +1,34 @@
+{ config, modulesPath, lib, ... }:
+{
+  imports = [
+    "${modulesPath}/virtualisation/proxmox-lxc.nix"
+
+    ../common/global/default-lxc.nix
+    ../common/users/user01
+    ../common/optional/fail2ban.nix
+    ../common/optional/docker.nix
+    ../common/optional/portainer.nix
+
+    ./services
+
+  ];
+
+  users.groups =  {
+    www-data = {
+      gid = 33;
+    };
+  };
+
+  users.users.www-data = {
+    uid = 33;
+    group = "www-data";
+  };
+
+  proxmoxLXC.manageHostName = true;
+  networking = {
+    hostName = lib.mkForce "lxc02";
+    useDHCP = lib.mkForce true;
+  };
+
+   system.stateVersion = "24.05";
+}

hosts/lxc02/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./nextcloud-aio.nix
+  ];
+}

hosts/lxc02/services/nexcloud.yaml

@@ -0,0 +1,64 @@
+services:
+  nextcloud-aio-mastercontainer:
+    image: nextcloud/all-in-one:latest
+    init: true
+    restart: always
+    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
+    volumes:
+      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
+      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
+    ports:
+      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 8080:8080
+      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+    environment: # Is needed when using any of the options below
+      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+        - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+        - APACHE_IP_BINDING=0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
+      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
+        - NEXTCLOUD_DATADIR=/srv/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
+      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
+      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
+      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
+      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
+      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
+      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
+      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
+      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # - NEXTCLOUD_KEEP_DISABLED_APPS=false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
+      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
+      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
+    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
+      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
+
+  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
+  # caddy:
+  #   image: caddy:alpine
+  #   restart: always
+  #   container_name: caddy
+  #   volumes:
+  #     - ./Caddyfile:/etc/caddy/Caddyfile
+  #     - ./certs:/certs
+  #     - ./config:/config
+  #     - ./data:/data
+  #     - ./sites:/srv
+  #   network_mode: "host"
+
+volumes:
+  nextcloud_aio_mastercontainer:
+    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
+
+# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
+# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
+# networks:
+#   nextcloud-aio:
+#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
+#     driver: bridge
+#     enable_ipv6: true
+#     ipam:
+#       driver: default
+#       config:
+#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use

hosts/lxc02/services/nextcloud-aio.nix

@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+  config.virtualisation.oci-containers = {
+    backend = "docker";
+    containers = {
+      nextcloud-aio-mastercontainer = {
+        image = "nextcloud/all-in-one:latest";
+        ports = [ 
+          "80:80" 
+          "8080:8080"
+          "8443:8443"
+        ];
+        autoStart = true;
+        #extraOptions = ["--restart=always"];
+        volumes = [
+          "nextcloud_aio_mastercontainer:/mnt/docker-aio-config"
+          "/var/run/docker.sock:/var/run/docker.sock:ro"
+        ];
+        environment = {
+          APACHE_PORT = "11000";
+          APACHE_IP_BINDING= "0.0.0.0" ;
+          NEXTCLOUD_DATADIR= "/nextcloud" ;
+        };
+      };
+    };
+  };
+
+
+}

hosts/lxc02/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpqgHwlFpMbcGySouXzOsIz6UlTlXVTwn4s60LlYkmk