# NixOps configuration for the hosts running Nextcloud
{ config, pkgs, lib, ... }:

let
  # Canonical hostname of the instance; the old owncloud name only redirects here.
  fqdn = "cloud.mcwhirter.io";
  legacyFqdn = "owncloud.mcwhirter.io";
  acmeEmail = "craige@mcwhirter.io";

  # Shape shared by both age-encrypted secrets: decrypted under /run/keys and
  # readable only by the nextcloud user and group (0640).
  nextcloudSecret = name: {
    file = ../secrets + "/${name}.age";
    path = "/run/keys/${name}";
    mode = "0640";
    owner = "nextcloud";
    group = "nextcloud";
  };

  secretPaths = config.age.secrets;
in
{
  age.secrets = {
    nextcloud-dbpass = nextcloudSecret "nextcloud-dbpass";
    nextcloud-adminpass = nextcloudSecret "nextcloud-adminpass";
  };

  services = {
    nextcloud = {
      enable = true;
      package = pkgs.nextcloud30;
      hostName = fqdn;
      https = true; # generate https:// links

      config = {
        # PostgreSQL over the local unix socket. Both credentials are read from
        # the decrypted secret files above rather than written into this file.
        dbtype = "pgsql";
        dbname = "nextcloud";
        dbhost = "/run/postgresql";
        dbuser = "nextcloud";
        dbpassFile = secretPaths.nextcloud-dbpass.path;
        adminuser = "root"; # admin account name; its password comes from the secret file
        adminpassFile = secretPaths.nextcloud-adminpass.path;
      };

      settings = {
        default_phone_region = "AU"; # country code for automatic phone-number detection
        overwriteprotocol = "https"; # always emit https URLs
      };

      autoUpdateApps = {
        enable = true;
        startAt = "01:00:00"; # nightly update of all installed apps
      };

      extraAppsEnable = true;
      extraApps = {
        inherit (config.services.nextcloud.package.packages.apps)
          calendar contacts deck gpoddersync notes tasks twofactor_webauthn;
      };
    };

    postgresql = {
      enable = true;
      # Socket connections from OS user "nextcloud" are authenticated by OS
      # identity through the map below rather than by password.
      authentication = ''
        local nextcloud all ident map=nextcloud-users
      '';
      identMap = ''
        nextcloud-users nextcloud nextcloud
      '';
      ensureDatabases = [ "nextcloud" ]; # database survives redeploys
      ensureUsers = [
        {
          name = "nextcloud"; # database role survives redeploys
          ensureDBOwnership = true;
        }
      ];
    };

    # NOTE(review): only the database list is set here; assumes
    # services.postgresqlBackup.enable is switched on elsewhere — confirm,
    # otherwise no dumps are taken.
    postgresqlBackup.databases = [ "nextcloud" ];

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        ${fqdn} = {
          enableACME = true;
          forceSSL = true;
        };
        # Legacy name: TLS first, then a permanent redirect to the canonical host.
        ${legacyFqdn} = {
          enableACME = true;
          forceSSL = true;
          globalRedirect = fqdn;
        };
      };
    };
  };

  systemd.services = {
    # NOTE(review): this orders a unit named "nextcloud" after the NixOps key
    # service; nextcloud-setup (below) is the unit ordered against PostgreSQL
    # and presumably the one that consumes the secret files — confirm which
    # unit should carry the key dependency, and whether the adminpass key
    # needs the same ordering.
    nextcloud = {
      after = [ "nextcloud-dbpass-key.service" ];
      wants = [ "nextcloud-dbpass-key.service" ];
    };
    # Initial install and upgrades need the database up first.
    nextcloud-setup = {
      requires = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
    };
  };

  security.acme = {
    acceptTerms = true;
    # One certificate per hostname, same contact address for both.
    certs = lib.genAttrs [ fqdn legacyFqdn ] (_: { email = acmeEmail; });
  };

  users.groups = {
    keys.members = [ "nextcloud" ]; # Required due to NixOps issue #1204
    nextcloud.members = [ "nextcloud" ]; # lets the group-owned secret files be read
  };

  # 80 serves the ACME HTTP-01 challenge and the http->https redirect; 443 is the site.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}