diff --git a/configuration/default.nix b/configuration/default.nix index d957dba..ce509ff 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -9,6 +9,7 @@ ./services/nextcloud.nix ./services/webserver.nix ./services/starbound.nix + ./services/postgres.nix ./ids.nix ./sops.nix ]; @@ -81,7 +82,10 @@ in { "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];}; "gitea.${domain}" = proxyPassToPort 3000 {}; - "nextcloud.${domain}" = proxyPassToPort 3001 {}; + "nextcloud.${domain}" = { + forceSSL = true; + enableACME = true; + }; }; }; diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 5b32cf2..d864302 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -1,53 +1,35 @@ -{config, ...}: { - virtualisation.pods.nextcloud = { - hostname = "nextcloud.tlater.net"; - publish = ["3001:80"]; - network = "slirp4netns"; +{ + pkgs, + config, + ... +}: let + inherit (pkgs) fetchNextcloudApp; + nextcloud = pkgs.nextcloud23; +in { + services.nextcloud = { + package = nextcloud; + enable = true; + hostName = "nextcloud.${config.services.nginx.domain}"; + maxUploadSize = "2G"; + https = true; - containers = { - nextcloud = { - image = "nextcloud:fpm-alpine"; - dependsOn = ["postgres"]; - volumes = [ - "nextcloud-root:/var/www/html" - "nextcloud-apps:/var/www/html/custom_apps" - "nextcloud-config:/var/www/html/config" - "nextcloud-data:/var/www/html/data" - ]; - environment = { - POSTGRES_DB = "nextcloud"; - POSTGRES_USER = "nextcloud"; - POSTGRES_HOST = "localhost"; - OVERWRITEPROTOCOL = "https"; - TRUSTED_PROXIES = "127.0.0.1"; - }; - }; + config = { + overwriteProtocol = "https"; - cron = { - image = "nextcloud:fpm-alpine"; - entrypoint = "/cron.sh"; - dependsOn = ["postgres" "nextcloud"]; - extraOptions = ["--volumes-from=nextcloud-nextcloud"]; - }; + dbtype = "pgsql"; + dbhost = "/run/postgresql"; - nginx = { - image = "nginx:alpine"; - dependsOn = ["nextcloud"]; - volumes = [ - "nextcloud-root:/var/www/html:ro" - "${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro" - ]; - extraOptions = ["--volumes-from=nextcloud-nextcloud"]; - }; + adminuser = "tlater"; + adminpassFile = config.sops.secrets."nextcloud/tlater".path; - postgres = { - image = "postgres:alpine"; - environment = { - POSTGRES_DB = "nextcloud"; - POSTGRES_USER = "nextcloud"; - }; - volumes = ["nextcloud-postgres-14:/var/lib/postgresql/data"]; - }; + defaultPhoneRegion = "AT"; }; + + # TODO(tlater): Add redis config. This will be much easier + # starting with 22.11, since this will add an `extraOptions` where + # the necessary redis config can go. }; + + # Ensure that this service doesn't start before postgres is ready + systemd.services.nextcloud-setup.after = ["postgresql.service"]; } diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix new file mode 100644 index 0000000..927c073 --- /dev/null +++ b/configuration/services/postgres.nix @@ -0,0 +1,30 @@ +{ + services.postgresql = { + enable = true; + + # Only enable connections via the unix socket, and check with the + # OS to make sure the user matches the database name. + # + # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + authentication = '' + local sameuser all peer + ''; + + # Note: The following options with ensure.* are set-only; i.e., + # when permissions/users/databases are removed from these lists, + # that operation needs to be performed manually on the system as + # well. + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions = { + "DATABASE nextcloud" = "ALL PRIVILEGES"; + }; + } + ]; + + ensureDatabases = [ + "nextcloud" + ]; + }; +}