mio-ops/profiles/nextcloud.nix
2024-12-05 22:39:40 +10:00

121 lines
3.6 KiB
Nix

# NixOps configuration for the hosts running Nextcloud
{
config,
pkgs,
lib,
...
}: {
age.secrets = {
nextcloud-dbpass = {
file = ../secrets/nextcloud-dbpass.age;
path = "/run/keys/nextcloud-dbpass";
mode = "0640";
owner = "nextcloud";
group = "nextcloud";
};
nextcloud-adminpass = {
file = ../secrets/nextcloud-adminpass.age;
path = "/run/keys/nextcloud-adminpass";
mode = "0640";
owner = "nextcloud";
group = "nextcloud";
};
};
services.nextcloud = {
enable = true; # Enable Nextcloud
hostName = "cloud.mcwhirter.io"; # FQDN for the Nextcloud instance
https = true; # Use HTTPS for links
config = {
# Configure Nextcloud
dbtype = "pgsql"; # Set the database type
dbname = "nextcloud"; # Set the database name
dbhost = "/run/postgresql"; # Set the database connection
dbuser = "nextcloud"; # Set the database user
dbpassFile = config.age.secrets.nextcloud-dbpass.path;
adminpassFile = config.age.secrets.nextcloud-adminpass.path;
adminuser = "root"; # Set the admin user name
};
autoUpdateApps = {
enable = true; # Run regular auto update of all apps installed
startAt = "01:00:00"; # When to run the update
};
package = pkgs.nextcloud30;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit calendar contacts deck gpoddersync notes tasks twofactor_webauthn;
};
extraAppsEnable = true;
settings = {
default_phone_region = "AU"; # Country code for automatic phone-number detection
overwriteprotocol = "https"; # Force Nextcloud to always use HTTPS
};
};
systemd = {
services = {
nextcloud = {
# Ensure nextcloud starts after nixops keys are loaded
after = ["nextcloud-dbpass-key.service"];
wants = ["nextcloud-dbpass-key.service"];
};
};
};
services.postgresql = {
enable = true; # Ensure postgresql is enabled
authentication = ''
local nextcloud all ident map=nextcloud-users
'';
identMap =
# Map the nextcloud user to postgresql
''
nextcloud-users nextcloud nextcloud
'';
ensureDatabases = ["nextcloud"]; # Ensure the database persists
ensureUsers = [
{
name = "nextcloud"; # Ensure the database user persists
ensureDBOwnership = true;
}
];
};
services.postgresqlBackup.databases = ["nextcloud"];
services.nginx = {
enable = true; # Enable Nginx
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."cloud.mcwhirter.io" = {
# Nextcloud hostname
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
};
virtualHosts."owncloud.mcwhirter.io" = {
enableACME = true;
forceSSL = true;
globalRedirect = "cloud.mcwhirter.io"; # Redirect permanently to the host
};
};
systemd.services."nextcloud-setup" = {
# Ensure PostgreSQL is running first
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
security.acme = {
acceptTerms = true;
certs = {
"cloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
"owncloud.mcwhirter.io" = {email = "craige@mcwhirter.io";};
};
};
users.groups.keys.members = ["nextcloud"]; # Required due to NixOps issue #1204
users.groups.nextcloud.members = ["nextcloud"]; # Added for keys permissions
networking.firewall.allowedTCPPorts = [80 443]; # Open the required firewall ports
}