From c40fb2f097b1b5162a7208653be91c8b5cc773dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Sat, 24 Oct 2020 13:30:30 +0200
Subject: [PATCH] feat(toum): host nextcloud
---
configs/nextcloud.nix | 62 ++++++++++++++++++++++++++++++++++
systems/toum/configuration.nix | 1 +
2 files changed, 63 insertions(+)
create mode 100644 configs/nextcloud.nix
diff --git a/configs/nextcloud.nix b/configs/nextcloud.nix
new file mode 100644
index 0000000..6ffe18a
--- /dev/null
+++ b/configs/nextcloud.nix
@@ -0,0 +1,62 @@
+{ pkgs, lib, ... }:
+let
+ inherit (import ) localAddresses;
+in
+{
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ };
+
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud19;
+
+ autoUpdateApps = {
+ enable = true;
+ startAt = "05:00:00";
+ };
+
+ hostName = localAddresses.toum;
+
+ nginx.enable = true;
+ # https = true;
+ config = {
+ # overwriteProtocol = "https";
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpass = lib.strings.fileContents ;
+ adminpass = lib.strings.fileContents ;
+ adminuser = "admin";
+ extraTrustedDomains = [ "toum.r" ];
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ # Ensure that postgres is running before running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+}
diff --git a/systems/toum/configuration.nix b/systems/toum/configuration.nix
index d37d0e8..410b1fa 100644
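Review bot: `dbpass` and `adminpass` in `services.nextcloud.config` are filled through `lib.strings.fileContents`, which reads the secret at evaluation time and embeds it in the generated configuration, so both passwords end up in the world-readable Nix store. The module's `adminpassFile` and `dbpassFile` options take a path that is read at runtime instead, e.g. `adminpassFile = "/path/to/admin-pass";` (placeholder path, readable by the nextcloud user only). Because `dbhost` points at the local PostgreSQL socket, the database password is probably not needed at all if peer authentication is in effect; worth confirming and then dropping `dbpass`. Separately, the firewall opens only port 80 and `https` is commented out, so the admin login travels in cleartext unless the network behind `toum.r` is itself encrypted, and `sslCiphers` has no effect until a TLS vhost exists.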
--- a/systems/toum/configuration.nix +++ b/systems/toum/configuration.nix @@ -11,6 +11,7 @@ in { ./telegram-bots +