mio-ops/profiles/nextcloud.nix
# Profile for the hosts that serve Nextcloud.
#
# Secrets are delivered by agenix (age.secrets), Nextcloud talks to a local
# PostgreSQL over its unix socket, nginx terminates TLS with ACME certificates,
# and the Nextcloud database is included in the PostgreSQL dump job.
{
  config,
  pkgs,
  lib,
  ...
}: let
  # Canonical public name of the instance; reused for the nginx vhost,
  # its ACME certificate and the redirect target of the legacy name.
  fqdn = "cloud.mcwhirter.io";
  # Historical name, kept only to send visitors to `fqdn`.
  legacyFqdn = "owncloud.mcwhirter.io";
  acmeEmail = "craige@mcwhirter.io";

  # Apps bundled with the Nextcloud package selected below.
  bundledApps = config.services.nextcloud.package.packages.apps;

  # One agenix secret: decrypted to /run/keys/<name>, readable by the
  # nextcloud user and group only (0640), never placed in the Nix store.
  mkSecret = name: {
    file = ../secrets + "/${name}.age";
    path = "/run/keys/${name}";
    mode = "0640";
    owner = "nextcloud";
    group = "nextcloud";
  };
in {
  age.secrets = {
    nextcloud-dbpass = mkSecret "nextcloud-dbpass";
    nextcloud-adminpass = mkSecret "nextcloud-adminpass";
  };

  services = {
    nextcloud = {
      enable = true;
      hostName = fqdn;
      https = true; # generate https:// links
      package = pkgs.nextcloud30;

      config = {
        # PostgreSQL over the local unix socket; authentication for this
        # path is the ident map configured under services.postgresql.
        dbtype = "pgsql";
        dbname = "nextcloud";
        dbhost = "/run/postgresql";
        dbuser = "nextcloud";
        # Both credentials are read from the agenix-managed files at runtime.
        dbpassFile = config.age.secrets.nextcloud-dbpass.path;
        adminuser = "root";
        adminpassFile = config.age.secrets.nextcloud-adminpass.path;
      };

      settings = {
        default_phone_region = "AU"; # default country for phone-number parsing
        overwriteprotocol = "https"; # keep generated URLs on https behind nginx
      };

      # Bundled apps to install; extraAppsEnable turns them on as well.
      extraApps = {
        inherit (bundledApps) calendar contacts deck gpoddersync notes tasks twofactor_webauthn;
      };
      extraAppsEnable = true;

      autoUpdateApps = {
        enable = true;
        startAt = "01:00:00"; # nightly app update
      };
    };

    postgresql = {
      enable = true;
      # Socket connections from the nextcloud OS user are mapped onto the
      # nextcloud database role by the ident map below.
      authentication = ''
        local nextcloud all ident map=nextcloud-users
      '';
      identMap = ''
        nextcloud-users nextcloud nextcloud
      '';
      ensureDatabases = ["nextcloud"];
      ensureUsers = [
        {
          name = "nextcloud";
          ensureDBOwnership = true;
        }
      ];
    };

    # Include the Nextcloud database in the periodic PostgreSQL dump.
    postgresqlBackup.databases = ["nextcloud"];

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        ${fqdn} = {
          enableACME = true;
          forceSSL = true;
        };
        # Legacy name: TLS-terminated, then permanently redirected.
        ${legacyFqdn} = {
          enableACME = true;
          forceSSL = true;
          globalRedirect = fqdn;
        };
      };
    };
  };

  systemd.services = {
    # NOTE(review): the *-key.service units are what NixOps created for
    # deployment keys; with secrets now coming from agenix (age.secrets
    # above) this ordering may be a leftover — confirm before relying on it.
    nextcloud = {
      after = ["nextcloud-dbpass-key.service"];
      wants = ["nextcloud-dbpass-key.service"];
    };
    # The setup unit needs the database to be up before it runs.
    nextcloud-setup = {
      requires = ["postgresql.service"];
      after = ["postgresql.service"];
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      ${fqdn} = {email = acmeEmail;};
      ${legacyFqdn} = {email = acmeEmail;};
    };
  };

  # Group memberships giving the nextcloud user access to its keys.
  # The `keys` group was added for NixOps issue #1204 and, like the
  # *-key.service ordering, may be obsolete under agenix — confirm.
  users.groups = {
    keys.members = ["nextcloud"];
    nextcloud.members = ["nextcloud"];
  };

  # Only HTTP and HTTPS are exposed; the database is reached over the
  # local socket and needs no open port.
  networking.firewall.allowedTCPPorts = [80 443];
}