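# NixOps configuration for the hosts running Nextcloud
#
# Secrets are provided by agenix (`age.secrets`), not by NixOps
# `deployment.keys`.  The NixOps-flavoured pieces that remain (`/run/keys`
# as the secret path, the `keys` group, the `*-key.service` ordering) are
# kept so the host still deploys through NixOps; they are annotated below.
{
  config,
  pkgs,
  lib,
  ...
}: {
  age.secrets = {
    # Database password handed to Nextcloud through `dbpassFile`.
    # Installed owner-only (0400): the NixOS Nextcloud units run as the
    # `nextcloud` user, so group read access is not required.  If some unit
    # outside this file must read the secret via the group, fall back to 0640.
    nextcloud-dbpass = {
      file = ../secrets/nextcloud-dbpass.age;
      path = "/run/keys/nextcloud-dbpass";
      mode = "0400";
      owner = "nextcloud";
      group = "nextcloud";
    };

    # Initial admin password.  The Nextcloud module only consumes this on
    # first install; rotating the file later does not change the password of
    # the existing admin account (do that through occ / the web UI instead).
    nextcloud-adminpass = {
      file = ../secrets/nextcloud-adminpass.age;
      path = "/run/keys/nextcloud-adminpass";
      mode = "0400";
      owner = "nextcloud";
      group = "nextcloud";
    };
  };

  services.nextcloud = {
    enable = true; # Enable Nextcloud
    hostName = "cloud.mcwhirter.io"; # FQDN for the Nextcloud instance
    # Generate https links.  With this set the NixOS module also emits the
    # HSTS header in the nginx vhost it manages, so no extra header is added
    # below (adding one would duplicate it) -- verify against the module
    # version in use if that behaviour matters.
    https = true;

    config = {
      # PostgreSQL over the local unix socket.  The `local ... ident` rule in
      # services.postgresql below means the OS user of the connecting process
      # authenticates the session, not the password in dbpassFile; the file is
      # still provided because Nextcloud's config expects a dbpassword entry.
      dbtype = "pgsql"; # Set the database type
      dbname = "nextcloud"; # Set the database name
      dbhost = "/run/postgresql"; # Unix socket directory, never TCP
      dbuser = "nextcloud"; # Set the database user
      dbpassFile = config.age.secrets.nextcloud-dbpass.path;
      adminpassFile = config.age.secrets.nextcloud-adminpass.path;
      # NOTE(review): "root" is a trivially guessable admin login.  It is only
      # applied on first install, so changing it here has no effect on an
      # existing instance; for a new deployment pick a non-obvious name, and
      # in either case enforce 2FA for this account (twofactor_webauthn is
      # installed below but enforcement is a runtime setting, not shown here).
      adminuser = "root";
    };

    # Unattended updates of every installed app from the Nextcloud app store.
    # This is a supply-chain trust decision: app updates land without review.
    # Keep the app list (extraApps) minimal and review the update log.
    autoUpdateApps = {
      enable = true; # Run regular auto update of all apps installed
      startAt = "01:00:00"; # When to run the update
    };

    package = pkgs.nextcloud30;

    # Apps pinned to the versions packaged with the selected Nextcloud release.
    extraApps = with config.services.nextcloud.package.packages.apps; {
      inherit calendar contacts deck gpoddersync notes tasks twofactor_webauthn;
    };
    extraAppsEnable = true;

    settings = {
      default_phone_region = "AU"; # Country code for automatic phone-number detection
      # Generated URLs always use https even if a proxy ever terminates TLS
      # in front of nginx; keeps redirects and share links from downgrading.
      overwriteprotocol = "https";
    };
  };

  systemd = {
    services = {
      # NOTE(review): `nextcloud-dbpass-key.service` is the unit NixOps creates
      # for a `deployment.keys` entry of that name.  This module defines no
      # `deployment.keys` (the secret comes from agenix above), so unless
      # another module declares it, the unit does not exist and this ordering
      # is inert.  agenix installs secrets during system activation, before
      # units start, which is why nothing breaks.  Also note the NixOS module's
      # unit that actually reads the secret is `nextcloud-setup.service`, not
      # `nextcloud.service` -- confirm before relying on this block.
      nextcloud = {
        after = ["nextcloud-dbpass-key.service"];
        wants = ["nextcloud-dbpass-key.service"];
      };
    };
  };

  services.postgresql = {
    enable = true; # Ensure postgresql is enabled
    # Socket-only access to the nextcloud database, gated on the connecting
    # process's OS user.  For `local` rules PostgreSQL treats `ident` as
    # `peer`, so the kernel-reported socket peer identity is what is checked
    # and no password is exchanged on this path.
    authentication = ''
      local nextcloud all ident map=nextcloud-users
    '';
    identMap =
      # Only the OS user `nextcloud` may connect as the DB role `nextcloud`.
      ''
        nextcloud-users nextcloud nextcloud
      '';
    ensureDatabases = ["nextcloud"]; # Ensure the database persists
    ensureUsers = [
      {
        name = "nextcloud"; # Ensure the database user persists
        ensureDBOwnership = true; # The role owns its database, nothing more
      }
    ];
  };

  # Scheduled dumps of the nextcloud database.  The dump contains user, share
  # and file metadata, so confirm the backup directory is root-only and that
  # any off-host copy of it is encrypted.
  services.postgresqlBackup.databases = ["nextcloud"];

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true; # Modern TLS versions and cipher suites

    # Nextcloud hostname; the locations are injected by the Nextcloud module.
    virtualHosts."cloud.mcwhirter.io" = {
      enableACME = true; # Use ACME certs
      forceSSL = true; # Plain HTTP is redirected, never served
    };

    # Legacy name: permanent redirect to the current host.
    virtualHosts."owncloud.mcwhirter.io" = {
      enableACME = true;
      forceSSL = true;
      globalRedirect = "cloud.mcwhirter.io";
    };
  };

  # The one-shot install/upgrade step must not run before its database is up.
  systemd.services."nextcloud-setup" = {
    requires = ["postgresql.service"];
    after = ["postgresql.service"];
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "cloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
      "owncloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
    };
  };

  # /run/keys is the NixOps key directory (root:keys, group-traversable only),
  # so the service user needs the group to reach the secrets placed there.
  users.groups.keys.members = ["nextcloud"]; # Required due to NixOps issue #1204
  # Redundant with the module's own user/group setup; harmless, kept for the
  # NixOps deployment path.
  users.groups.nextcloud.members = ["nextcloud"];

  networking.firewall.allowedTCPPorts = [80 443]; # Only HTTP (redirect) and HTTPS are exposed
}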