Merge pull request #26 from isabelroses/next-cloud

isabelroses · Nov 9, 2023 · 924842c · 924842c
2 parents a71a0b2 + cf2ebd5
commit 924842c
Show file tree

Hide file tree

Showing 10 changed files with 103 additions and 15 deletions.
diff --git a/home/isabel/system/ssh.nix b/home/isabel/system/ssh.nix
@@ -1,5 +1,6 @@
-{pkgs, ...}: {
-  home.packages = with pkgs; [cloudflared];
+_: {
+  # {pkgs, ...}: {
+  # home.packages = with pkgs; [cloudflared];
   programs = {
     ssh = {
       enable = true;

diff --git a/hosts/bernie/services.nix b/hosts/bernie/services.nix
@@ -1,12 +1,14 @@
 _: {
   modules.services = {
+    nextcloud.enable = true;
     vscode-server.enable = false;
     miniflux.enable = false;
     matrix.enable = true;
     forgejo.enable = true;
     vaultwarden.enable = true;
     isabelroses-web.enable = true;
     nginx.enable = true;
+    cloudflared.enable = false;
 
     mailserver = {
       enable = true;

diff --git a/modules/common/secrets/default.nix b/modules/common/secrets/default.nix
@@ -50,6 +50,11 @@ in {
 
       isabelroses-web-env = {};
 
+      nextcloud-passwd = mkIf services.nextcloud.enable {
+        owner = "nextcloud";
+        group = "nextcloud";
+      };
+
       # vaultwarden
       vaultwarden-env = {};
 

diff --git a/modules/common/secrets/secrets.yaml b/modules/common/secrets/secrets.yaml
@@ -9,6 +9,7 @@ mailserver-noreply: ENC[AES256_GCM,data:NgOZ1JI6cXRQG2AH2Rx3zXai/MYtZvrJ7DpwknTT
 mailserver-spam: ENC[AES256_GCM,data:QJKHyzY/GAwsc0sJfoCR7IEJAoakJ5KS94qIbi4fIoH4CqhJ+qjaLLvuI39Mu2Hrp2gCSvfBJ3oQlN5brQ==,iv:Acashw2STfzbzGBaXrFtHwlEc/AqSkBHKYXwVHOKC6Q=,tag:2Z6UXbe4fTxZq095vbKAZA==,type:str]
 mailserver-database: ENC[AES256_GCM,data:HR+U0nieGQjWX9iws2awtw==,iv:+Vc+3xGrZibBXZSBx6REW3u//0tzUi6a8ODNJhngS5w=,tag:oKyi1s7FzLYzEieGzuLR5Q==,type:str]
 rspamd-web: ENC[AES256_GCM,data:jgwF2Pix4QpWGJBKNibPXfh1yfs+5z2oq9XQ1B/C3xZ4BYAQ2aBIZcNoJj1U,iv:8mPIjqC47fX+8Zi5946aLMkGIeTbhVMHSpp7bTx58AA=,tag:e5hYLkgTULd1hJ/XTDwmSg==,type:str]
+nextcloud-passwd: ENC[AES256_GCM,data:2XRFDsIU4D6KgneafD9SurL3pA/9g0RN4egMo209fhnp,iv:aAPGBJDlTeoVHneDiQ2FQAsadzB5uzfdEAf2dG3ubYw=,tag:5n63TU3oor6VEMkRxHIzhg==,type:str]
 vaultwarden-env: ENC[AES256_GCM,data:RZltkcbeTObbSVPIx4x2yP/e6o/WvAuChfmLki8gkX0L5NXYbm3hBOfA1cKMN34git1xNfPyckHm1zV4ZumTfeWtyBOvUZd1TqZxCObh0v67jZUH2pXWybot+LAd+MWf4dYphxiq8/yvvmOwH5WG82HAudOKcnkQ0qDjv47gEbD87IRgeFod3su2h8zd60iMIHTb6G+ErV06XpWizEsnDxWZzpl3k1WO2V30coVY48D/Sh3FQSrEceL4xMBZzRmVhu8Xh3cOqcSejEjS/PkNUYf+7IwDMn5hFXC6/yzgHHva4w==,iv:w6u+8ME93rGbXirMIS/hSSDwiRBKFbSEcLFQjxTHGak=,tag:rDY68+rvgzvVC29Ko+69bw==,type:str]
 isabelroses-web-env: ENC[AES256_GCM,data:pw5+wVbZXkqp4jvUIGqLkiJcbIJ8pMG31Py237TKu3Fml/kYyV5NuvwZIBvvzryTfT1f1ElefVrtaQyEbV1uA5MEZYZ1h4K7Aw3iWWCzZAyMUhEUUJP5ti46YIc6hyaQeuoWkLQkLmHbazg=,iv:Dcsnj6riFUM/CWljcQeMF/YgI2M3uUf/ZFVWpbSxyI0=,tag:JxNh5LESxMtiNaL8mHxL6g==,type:str]
 miniflux-env: ENC[AES256_GCM,data:v7miyr71dg2fcMHKtmBlnlFQXafkfXLQBPOGfIA2EYs8Ew3VzhFMDfPe+zZ6upVACIZlXNcd,iv:s2SQno1o0ZyV/aZlUsXDwlOHckvTmdq41VXHzdAPaQ8=,tag:/0vFN4sR5gebiHYjPd/QXw==,type:str]
@@ -41,8 +42,8 @@ sops:
             cDRpZkkxZWhiVmN1Y1FSRm5seVpmbnMKl7CHdNdXOr67tCjYp+jhUSYImndyvhQP
             heUpcdBCJADlE9oG6lDr4ngwdHFqVrN757uMqZWEbT80hzZUXVRArw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-23T18:12:50Z"
-    mac: ENC[AES256_GCM,data:ShhL2973BN7dmdY+2s1NHqlgZ1PR8T82spWH2ZgYz7mKWZhfNFBiuGvBoMHAEYNUaieanI6SataTmEIq5Ud74RqskWOaKm92DVl7nfC31jqgtsshv2aj36+AREcmrKQ/dZcEVO8rnad1cTX2wyYDrkTHzFuU2ler/O+Az3y8CVU=,iv:c0eaetlOBsHe6/FKg0xGaPcENuf50pWMBbRUVVPHNKc=,tag:AJ8kyr/StFEfnX/UhAQz6A==,type:str]
+    lastmodified: "2023-10-26T22:09:17Z"
+    mac: ENC[AES256_GCM,data:nNAr/yIJ15akWZ+qQx4ax8LxNBjChkYstCKPzi89jAxmtRZNH1Io4zrDmNE4JWO4wjb9RYPtVlxeQkGZ0HeGAp5GfXnlEM8XtpMEPDfk6fLJ2yxPHdHwQs0BAdSB2QuAfDheGCJYlxSAyaUuN4EUlPHcbgFWBokdUb96JuPY1eM=,iv:wm9kq2S40pwXPCfFI2H/WwWGNofqB3PTYfxf2FSA3A0=,tag:9RPArhEwTYNEzBCX0UANSA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/modules/common/types/server/services/databases/postgresql/default.nix b/modules/common/types/server/services/databases/postgresql/default.nix
@@ -28,16 +28,12 @@ in {
       };
 
       ensureDatabases = [
-        "miniflux"
+        "nextcloud"
         "forgejo"
         "grafana"
         "vaultwarden"
       ];
       ensureUsers = [
-        {
-          name = "miniflux";
-          ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES";
-        }
         {
           name = "postgres";
           ensurePermissions."ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
@@ -50,6 +46,10 @@ in {
           name = "grafana";
           ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
         }
+        {
+          name = "nextcloud";
+          ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+        }
         {
           name = "vaultwarden";
           ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES";

diff --git a/modules/common/types/server/services/databases/redis/default.nix b/modules/common/types/server/services/databases/redis/default.nix
@@ -11,6 +11,12 @@ in {
     services.redis = {
       vmOverCommit = true;
       servers = {
+        nextcloud = mkIf cfg.nextcloud.enable {
+          enable = true;
+          user = "nextcloud";
+          port = 0;
+        };
+
         forgejo = mkIf cfg.forgejo.enable {
           enable = true;
           user = "forgejo";

diff --git a/modules/common/types/server/services/default.nix b/modules/common/types/server/services/default.nix
@@ -10,6 +10,7 @@ _: {
     ./matrix
     ./miniflux
     ./monitoring
+    ./nextcloud
     ./nginx
     ./photoprism
     ./vaultwarden

diff --git a/modules/common/types/server/services/nextcloud/default.nix b/modules/common/types/server/services/nextcloud/default.nix
@@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  inherit (config.networking) domain;
+  nextcloud_domain = "cloud.${domain}";
+
+  cfg = config.modules.services;
+in {
+  config = mkIf cfg.nextcloud.enable {
+    modules.services.database = {
+      redis.enable = true;
+      postgresql.enable = true;
+    };
+
+    services = {
+      nextcloud = {
+        enable = true;
+        package = pkgs.nextcloud27;
+        caching.redis = true;
+        extraOptions = {
+          redis = {
+            host = "/run/redis-default/redis.sock";
+            dbindex = 0;
+            timeout = 1.5;
+          };
+        };
+
+        hostName = nextcloud_domain;
+        home = "/opt/nextcloud";
+        maxUploadSize = "4G";
+        enableImagemagick = true;
+
+        autoUpdateApps = {
+          enable = true;
+          startAt = "02:00";
+        };
+
+        config = {
+          overwriteProtocol = "https";
+          extraTrustedDomains = ["https://${toString nextcloud_domain}"];
+          trustedProxies = ["https://${toString nextcloud_domain}"];
+          adminuser = "isabel";
+          adminpassFile = config.sops.secrets.nextcloud-passwd.path;
+          defaultPhoneRegion = "UK";
+
+          # database
+          dbtype = "pgsql";
+          dbhost = "/run/postgresql";
+          dbname = "nextcloud";
+        };
+        nginx.recommendedHttpHeaders = true;
+        https = true;
+      };
+    };
+
+    systemd.services = {
+      phpfpm-nextcloud.aliases = ["nextcloud.service"];
+      "nextcloud-setup" = {
+        requires = ["postgresql.service"];
+        after = ["postgresql.service"];
+        serviceConfig = {
+          Restart = "on-failure";
+          RestartSec = "10s";
+        };
+      };
+    };
+  };
+}
diff --git a/modules/common/types/server/services/nginx/default.nix b/modules/common/types/server/services/nginx/default.nix
@@ -56,6 +56,11 @@ in {
           enableACME = true;
         };
 
+        "cloud.${domain}" = {
+          forceSSL = true;
+          enableACME = true;
+        };
+
         # mailserver
         "mail.${domain}" = mkIf cfg.mailserver.enable {
           forceSSL = true;

diff --git a/modules/options/services/default.nix b/modules/options/services/default.nix
@@ -6,16 +6,11 @@
   inherit (lib) mkEnableOption;
   cfg = config.modules.services;
 
-  # stolen the functions https://github.com/NotAShelf/nyx/blob/614c3b0ee09b41a21bbd2395d1294bb55028657b/modules/common/options/system/services.nix
-
-  # ifOneEnabled takes a parent option and 3 child options and checks if at least one of them is enabled
-  # => ifOneEnabled config.modules.services "service1" "service2" "service3"
-  # ifOneEnabled = cfg: a: b: c: cfg.a || cfg.b || cfg.c;
-
   # mkEnableOption is the same as mkEnableOption but with the default value being equal to cfg.monitoring.enable
   mkEnableOption' = desc: mkEnableOption "${desc}" // {default = cfg.monitoring.enable;};
 in {
   options.modules.services = {
+    nextcloud.enable = mkEnableOption "Nextcloud service";
     matrix.enable = mkEnableOption "Enable matrix server";
     miniflux.enable = mkEnableOption "Enable miniflux rss news aggreator service";
     forgejo.enable = mkEnableOption "Enable the forgejo service";