added nextcloud

.sops.yaml

@@ -1,6 +1,7 @@
 keys:
   - &rouven 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
   - &thinkpad age1s5aes35ku7d2600mwxu8jndvngqrpuuu2h6yrcetytgstkuzlsvstut3ge
+  - &nuc age1930r9v2y57zkwghlxapj348c4rfnmr70de898cdhu5rue5cpagzq74wymk
 creation_rules:
   - path_regex: secrets/thinkpad\.yaml$
     key_groups:
@@ -8,3 +9,9 @@ creation_rules:
       - *rouven
       age:
       - *thinkpad
+  - path_regex: secrets/nuc\.yaml$
+    key_groups:
+    - pgp:
+      - *rouven
+      age:
+      - *nuc

hosts/nuc/default.nix

@@ -7,7 +7,7 @@
       ./hardware-configuration.nix
       ./modules/networks
       ../../shared/vim.nix
-      # ../../shared/sops.nix
+      ../../shared/sops.nix
     ];
 
   boot = {

hosts/nuc/modules/nextcloud/default.nix

@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "nextcloud.rfive.de";
+in
+{
+  sops.secrets = {
+    "nextcloud/dbpass" = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    "nextcloud/adminpass" = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  services = {
+    postgresql = {
+      enable = true;
+      ensureUsers = [
+        {
+          name = "nextcloud";
+          ensurePermissions = {
+            "DATABASE nextcloud" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+      ensureDatabases = [ "nextcloud" ];
+    };
+
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud25; # Use current latest nextcloud package
+      hostName = "${domain}";
+      https = true; # Use https for all urls
+      config = {
+        dbtype = "pgsql";
+        dbuser = "nextcloud";
+        dbhost = "/run/postgresql";
+        dbname = "nextcloud";
+        dbpassFile = config.sops.secrets."nextcloud/dbpass".path;
+        adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+        adminuser = "admin";
+      };
+    };
+
+    # Enable ACME and force SSL
+    nginx = {
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+        };
+      };
+    };
+  };
+
+  # ensure that postgres is running *before* running the setup
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+}

hosts/nuc/modules/nginx/default.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  services.nginx.enable = true;
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "rouven@rfive.de";
+    };
+  };
+}

secrets/nuc.yaml

@@ -0,0 +1,43 @@
+nextcloud:
+    dbpass: ENC[AES256_GCM,data:M8NrNlTJe9r5qUyGcSod5qGGRsJu18Ppng==,iv:YHjImCZEbJGC8Mj278Iz6ETMmCs3k+IZsCACI27bMM8=,tag:+nvMxCj8YxMIIbLoosxsvg==,type:str]
+    adminpass: ENC[AES256_GCM,data:w4gkgC0wnBh2NLjKz58JBg+FU7hLLkuaJQ==,iv:5FOBhbngHccVY9WxyjC1x93vXzHlBFsF06+oVTC1vl8=,tag:8sLPIBl2/QJTk134OEtAfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1930r9v2y57zkwghlxapj348c4rfnmr70de898cdhu5rue5cpagzq74wymk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaS3dmRVZXV3hwbzFaYmlN
+            N2daRVlJalBkbU42OGNjU0puSFpjUEpNYXpJCkh6NmtSSllIVkl3NWdhTGpyelpw
+            VGdhcFNmQkFhcFVJUFdVa0hudXZaSTQKLS0tIExJUW9pTU9GSkltS2xqWVkzcW9i
+            cWdNRzdhOUdheFdaWlNNTG4rUFlaVlUKs+/IYY3/2n60+QbVkXZu9Sp57jh+7ncA
+            DqrjJGBo9MNXfSS7qJ+p7dVksA2kxCNwvKV7y/zbvtXKGusvs+Qe/A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-01-24T10:56:15Z"
+    mac: ENC[AES256_GCM,data:kpueAVFABUAZ6GO5NmNtTBWcxQ6SH1whTVueF5oxQFA+BxFY+J3fUBnxRk1oAlR1VEmevqtHmMYbp9U5pu17j9M7ZJ5fZZMxunB9tr3oSPDYHLgmIENaVoh1O9F/+MDA/6AamqhVlvq16Ltb/uHR7sSmR6GAh+tKEJLb7ivyPis=,iv:pN6B7GV+J+T0ZENKpH5UtWwzkjLNJkJ3hliqrcX8oBw=,tag:9Z6ujfpGu3pDcDUHnoXi3A==,type:str]
+    pgp:
+        - created_at: "2023-01-24T10:54:00Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMAzUXo8ZPJwGLAQ/9FUqs5nO82fNRJeDsjTlU/J6bo3dGZo0XzuRTGCSgMAQW
+            CB29HXbt4PV6aXF79HEVTYFWnZj0ygsyOCheI00w9Ab2MlVqMpFDB6lSYGzsVdEU
+            IyLiBALNr3ag6uBWErRVz4YOR1QVe0sTeBf/K6ei6k2A6sJGesR0awZtOvwGo7r1
+            wp9EaaWugNM0ewwG/lPXjzFJLHL9H0RJ62K+ccGBUuj6NielHFvRweJLbpUdK6Mm
+            Wji/MjZWBMIMLolGo8P7MQ4OIeCjEz8NvNCwvrwddWeSDMKB08tX+DZGtFIJm5ll
+            mU6qeTWV/SV0LO6LwzhFwyrxlBfKFJ/6VWZWsFQbilOKuhElIo3NZxKGWXP8BvT6
+            +mez3VYlPL4ExRjgzOl8DRcy/PmBRxB563PADDlAf6LSEdT886le6t6XY87RbHCa
+            oX/dmXFtC8tFsEKWsb3UP7ovhh7/z9DFexvG0nSi8mT0jvl90rCiL9lr2wLvo+dN
+            3K9EMUrEKqJWLRwmnXY0LhzV47RryDo69rk7vGH4FrDYEPGQIXBt+OakYNMjzdzO
+            v6/yYx615nw89s5whIThJ2S53SYChnWxsTZ2qgNegqWkDg2KdoQxqRT1wM6hZdBx
+            6U4DhmwIQDILaYPrWHHMsh9ob+PG9+xLemyn9SK9+zwk1v2QDqFwYnVzwLBTcU7S
+            UQGsXzXBwjxbdF0N+O8/wI/54UEMnpJ9baqFkDgGUDUeVbMMT1Rwu2Iqm5e8qwwl
+            mYY9Fgqn3ewi+7NxGb40AM/saCYlrorShiohBdvklmKvYQ==
+            =rHpH
+            -----END PGP MESSAGE-----
+          fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3