Merge pull request #7 from fsr/nextcloud

flake.lock

@@ -87,18 +87,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1662496411,
-        "narHash": "sha256-BLzFzRQewnmzdCrcOv2f+IYQI9iY25MXBmJWHoxWynY=",
-        "owner": "revol-xut",
+        "lastModified": 1668650906,
+        "narHash": "sha256-JuiYfDO23O8oxUUOmhQflmOoJovyC5G4RjcYQMQjrRE=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6d2d09e50ba9d12b80ed1c3be844f1d120e02682",
+        "rev": "3a86856a13c88c8c64ea32082a851fefc79aa700",
         "type": "github"
       },
       "original": {
-        "owner": "revol-xut",
-        "ref": "nixos-22.05",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "type": "indirect"
       }
     },
     "root": {

flake.nix

@@ -1,7 +1,5 @@
 {
   inputs = {
-    nixpkgs.url = github:revol-xut/nixpkgs/nixos-22.05;
-    #nixpkgs.url = github:revol-xut/nixpkgs/master;
     sops-nix.url = github:Mic92/sops-nix;
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     fsr-infoscreen.url = github:fsr/infoscreen;
@@ -64,6 +62,7 @@
             ./modules/hedgedoc.nix
             ./modules/wiki.nix
             ./modules/stream.nix
+            ./modules/nextcloud.nix
             {
               sops.defaultSopsFile = ./secrets/quitte.yaml;
             }

modules/hedgedoc.nix

@@ -19,7 +19,7 @@ in
 
     hedgedoc = {
       enable = true;
-      configuration = {
+      settings = {
         port = 3002;
         domain = "${domain}";
         protocolUseSSL = true;
@@ -44,7 +44,7 @@ in
           enableACME = true;
           forceSSL = true;
           locations."/" = {
-            proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
+            proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
             proxyWebsockets = true;
           };
         };

modules/nextcloud.nix

@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "nc.quitte.fugi.dev";
+in
+{
+  sops.secrets = {
+    postgres_nextcloud = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    nextcloud_adminpass = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  services = {
+    postgresql = {
+      enable = true;
+      ensureUsers = [
+        {
+          name = "nextcloud";
+          ensurePermissions = {
+            "DATABASE nextcloud" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+      ensureDatabases = [ "nextcloud" ];
+    };
+
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud25; # Use current latest nextcloud package
+      hostName = "${domain}";
+      https = true; # Use https for all urls
+      phpExtraExtensions = all: [
+        all.ldap # Enable ldap php extension
+      ];
+      config = {
+        dbtype = "pgsql";
+        dbuser = "nextcloud";
+        dbhost = "/run/postgresql";
+        dbname = "nextcloud";
+        dbpassFile = config.sops.secrets.postgres_nextcloud.path;
+        adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
+        adminuser = "root";
+      };
+    };
+
+    # Enable ACME and force SSL
+    nginx = {
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+        };
+      };
+    };
+  };
+
+  # ensure that postgres is running *before* running the setup
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+}

secrets/quitte.yaml

@@ -1,5 +1,7 @@
 postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
 postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrUREj0=,iv:fnSs3FOgmFn5/BqKTODpwIq023ZRMF8s/JiDyf2ZqkE=,tag:oit5sHf6QffhYYi/WJk5SQ==,type:str]
+postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
+nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
 mediawiki:
@@ -21,8 +23,8 @@ sops:
             Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
             KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-01T12:32:58Z"
-    mac: ENC[AES256_GCM,data:s0Fj8NhTEer1evxhlXU1sAuzZjHvw+tHFJdwRCrzc5ux/JQUjGGVzEH3fbdIX41PXEhKVi64J3EJCmLfPhXOrY7idGtEyzDOfny+mswbdo6tfAn/P+G+uNw96qXh3Msq+SwDnzWuhjPYfoXX9Ku5m9rYS/qodq+huKrxV6pfu8Q=,iv:0YBxmSC5CiPO2xk65sKP8+itp3xTjQRq0t845XFpGF0=,tag:F58Iz3cteXRNpj+Jtnnoqw==,type:str]
+    lastmodified: "2022-11-18T15:28:28Z"
+    mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str]
     pgp:
         - created_at: "2022-11-18T16:37:48Z"
           enc: |

secrets/test.yaml

@@ -1,5 +1,7 @@
 postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
 postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
+postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]
+nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3EfD9a73hDe93hpzH2uZUcssgVPMxr3nEWvUvQ=,tag:ngBZEBSQHBlWr62dcQdvHA==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
 wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
 mediawiki:
@@ -21,8 +23,8 @@ sops:
             MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
             ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-05T11:24:00Z"
-    mac: ENC[AES256_GCM,data:IgW58nKqznUoWBhsI+HZD47HjJ7qF8/lS5nQ2Qg2VE7JkQgs/+AYVyMNAckjnpDtHEnK/YaFmnTfRpdQ7BMGaJtGu6TT0PR60jme82rg+iMwspSOVsAIDf9YyrjIv0rF7xwCF65p4/3TIc1OohV2GzLsAykKApMA5kqAo+UNSAs=,iv:sWURn1jmZ7myC2gEuo5BdcZn8JNSXQsopLWeOoLEpkc=,tag:E5kldjnyElfvJyilPiCYUg==,type:str]
+    lastmodified: "2022-11-18T15:23:26Z"
+    mac: ENC[AES256_GCM,data:meFon3NJLJ3E7pxGFvmol2WThaTPlPUKdRzeLnPhcLeJ2cGzj/DlnjTBmsk9hKhhTsQ4osdFo/DchId0MyV7Xi5ZmMVD0lyRZEPzguIbkg3UezRiNlosm21DpQ7Pl/yEXd02x/5kLast/Ud3zF1ZNGeGTxNriZvm5XY3KFiMCSY=,iv:oPPQnA82IbMTCsivp1fh4k9hS2keyh7Zm1C1jRkYUMU=,tag:vOkON7/N4v3yXu8kYkAEMg==,type:str]
     pgp:
         - created_at: "2022-11-18T16:37:58Z"
           enc: |