diff --git a/hosts/cuallaidh.nix b/hosts/cuallaidh.nix
index 3c96bbd..4f35190 100644
--- a/hosts/cuallaidh.nix
+++ b/hosts/cuallaidh.nix
@@ -11,6 +11,7 @@
 ../roles/hydra.nix
 ../roles/iohk.nix
 ../roles/matrix.nix
+ ../roles/nextcloud.nix
 ../roles/nixpkgs-dev.nix
 ../roles/taskserver.nix
 ../roles/tt-rss.nix
diff --git a/roles/nextcloud.nix b/roles/nextcloud.nix
new file mode 100644
index 0000000..68aa428
--- /dev/null
+++ b/roles/nextcloud.nix
@@ -0,0 +1,67 @@
+# NixOps configuration for the hosts running Nextcloud
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports =
+ [
+ ../secrets/nextcloud.nix
+ ];
+
+ services.nextcloud = {
+ enable = true; # Enable Nextcloud
+ hostName = "cloud.mcwhirter.io"; # FQDN for the Nextcloud instance
+ nginx.enable = true; # Whether to enable nginx virtual host management
+ config = { # Configure Nextcloud
+ dbtype = "pgsql"; # Set database type
+ dbname = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbuser = "nextcloud";
+ dbpassFile = "/run/keys/nextcloud-dbpass"; # Where to find the password
+ adminpassFile = "/run/keys/nextcloud-admin"; # Where to find the password
+ adminuser = "root";
+ overwriteProtocol = "https"; # Force Nextcloud to always use HTTPS
+ };
+ };
+
+ services.postgresql = {
+ enable = true; # Ensure postgresql is enabled
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ services.nginx = {
+ #enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."cloud.mcwhirter.io" = { # Nextcloud hostname
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ };
+ virtualHosts."owncloud.mcwhirter.io" = { # Hostname to be redirected
+ globalRedirect = "cloud.mcwhirter.io"; # Redirect permanently to the host
+ };
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+ security.acme.certs = {
+ "cloud.mcwhirter.io".email = "craige@mcwhirter.io";
+ };
+
+ users.groups.keys.members = [ "nextcloud" ]; # Required due to NixOps issue #1204
+ users.groups.nextcloud.members = [ "nextcloud" ]; # Added for keys permissions
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+}
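Review bot: The `virtualHosts."owncloud.mcwhirter.io"` block carries only `globalRedirect`, so the legacy name is served over plain HTTP with no certificate: an `https://owncloud.mcwhirter.io` bookmark lands on the default vhost with a certificate mismatch, and the 301 it emits appears to go to `http://cloud.mcwhirter.io` before `forceSSL` upgrades it in a second hop. Giving the redirect vhost the same `enableACME = true; forceSSL = true;` plus a matching `"owncloud.mcwhirter.io".email = "craige@mcwhirter.io";` entry under `security.acme.certs`, as this file already does for `cloud`, makes it a single HTTPS hop. Separately, `users.groups.keys.members = [ "nextcloud" ]` grants the service user traversal of the whole `/run/keys` directory rather than just its two key files; it is worth confirming that `../secrets/nextcloud.nix` (not in this diff) sets each key's owner, group and mode so no other key deployed to this host is readable by that user. The commented-out `#enable = true;` under `services.nginx` reads as leftover archaeology given `services.nextcloud.nginx.enable = true` already enables nginx; replace it with `# nginx is enabled by services.nextcloud.nginx.enable above` or drop it.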