From 6fe61dd9b693d60361bcee1947c69b76072b2285 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Wed, 12 Oct 2022 18:04:06 +0100
Subject: [PATCH] nextcloud: Use a hardened systemd unit instead of a container
---
 configuration/default.nix | 6 ++-
 configuration/services/nextcloud.nix | 74 +++++++++++-----------------
 configuration/services/postgres.nix | 30 +++++++++++
 3 files changed, 63 insertions(+), 47 deletions(-)
 create mode 100644 configuration/services/postgres.nix
diff --git a/configuration/default.nix b/configuration/default.nix
index d957dba..ce509ff 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -9,6 +9,7 @@
 ./services/nextcloud.nix
 ./services/webserver.nix
 ./services/starbound.nix
+ ./services/postgres.nix
 ./ids.nix
 ./sops.nix
 ];
@@ -81,7 +82,10 @@ in {
 "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
 "gitea.${domain}" = proxyPassToPort 3000 {};
- "nextcloud.${domain}" = proxyPassToPort 3001 {};
+ "nextcloud.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
 };
 };
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 5b32cf2..d864302 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
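Review bot: The `"nextcloud.${domain}"` virtual host in the second default.nix hunk now carries only `forceSSL` and `enableACME`, so it presumably depends on the NixOS nextcloud module filling in the same vhost (root, php locations), which only happens when this attribute key is byte-identical to `services.nextcloud.hostName`; nextcloud.nix builds that name from `config.services.nginx.domain` while this file uses the `domain` binding, and I cannot see from the diff that the two are the same value. If they ever diverge, nginx would serve an empty TLS vhost under the Nextcloud name while the module's own vhost would get no certificate. A short comment would make the coupling explicit: `# TLS/ACME only; root and locations are generated by services.nextcloud, so this key must equal services.nextcloud.hostName`. The first hunk (the added `./services/postgres.nix` import) needs no review.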
@@ -1,53 +1,35 @@
-{config, ...}: {
- virtualisation.pods.nextcloud = {
- hostname = "nextcloud.tlater.net";
- publish = ["3001:80"];
- network = "slirp4netns";
+{
+ pkgs,
+ config,
+ ...
+}: let
+ inherit (pkgs) fetchNextcloudApp;
+ nextcloud = pkgs.nextcloud23;
+in {
+ services.nextcloud = {
+ package = nextcloud;
+ enable = true;
+ hostName = "nextcloud.${config.services.nginx.domain}";
+ maxUploadSize = "2G";
+ https = true;
- containers = {
- nextcloud = {
- image = "nextcloud:fpm-alpine";
- dependsOn = ["postgres"];
- volumes = [
- "nextcloud-root:/var/www/html"
- "nextcloud-apps:/var/www/html/custom_apps"
- "nextcloud-config:/var/www/html/config"
- "nextcloud-data:/var/www/html/data"
- ];
- environment = {
- POSTGRES_DB = "nextcloud";
- POSTGRES_USER = "nextcloud";
- POSTGRES_HOST = "localhost";
- OVERWRITEPROTOCOL = "https";
- TRUSTED_PROXIES = "127.0.0.1";
- };
- };
+ config = {
+ overwriteProtocol = "https";
- cron = {
- image = "nextcloud:fpm-alpine";
- entrypoint = "/cron.sh";
- dependsOn = ["postgres" "nextcloud"];
- extraOptions = ["--volumes-from=nextcloud-nextcloud"];
- };
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
- nginx = {
- image = "nginx:alpine";
- dependsOn = ["nextcloud"];
- volumes = [
- "nextcloud-root:/var/www/html:ro"
- "${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro"
- ];
- extraOptions = ["--volumes-from=nextcloud-nextcloud"];
- };
+ adminuser = "tlater";
+ adminpassFile = config.sops.secrets."nextcloud/tlater".path;
- postgres = {
- image = "postgres:alpine";
- environment = {
- POSTGRES_DB = "nextcloud";
- POSTGRES_USER = "nextcloud";
- };
- volumes = ["nextcloud-postgres-14:/var/lib/postgresql/data"];
- };
+ defaultPhoneRegion = "AT";
 };
+
+ # TODO(tlater): Add redis config. This will be much easier
+ # starting with 22.11, since this will add an `extraOptions` where
+ # the necessary redis config can go.
};
+
+ # Ensure that this service doesn't start before postgres is ready
+ systemd.services.nextcloud-setup.after = ["postgresql.service"];
 }
diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix
new file mode 100644
index 0000000..927c073
--- /dev/null
+++ b/configuration/services/postgres.nix
@@ -0,0 +1,30 @@
+{
+ services.postgresql = {
+ enable = true;
+
+ # Only enable connections via the unix socket, and check with the
+ # OS to make sure the user matches the database name.
+ #
+ # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+ authentication = ''
+ local sameuser all peer
+ '';
+
+ # Note: The following options with ensure.* are set-only; i.e.,
+ # when permissions/users/databases are removed from these lists,
+ # that operation needs to be performed manually on the system as
+ # well.
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions = {
+ "DATABASE nextcloud" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+
+ ensureDatabases = [
+ "nextcloud"
+ ];
+ };
+}
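Review bot: `systemd.services.nextcloud-setup.after = ["postgresql.service"]` at the end of the nextcloud.nix hunk only orders the two units; it neither pulls postgresql into the transaction nor fails setup when postgresql is missing, so the comment above it ("doesn't start before postgres is ready") promises more than `after` delivers. Pairing it with `systemd.services.nextcloud-setup.requires = ["postgresql.service"];` makes the dependency real; the NixOS module may already add this ordering for `dbtype = "pgsql"`, in which case both lines are redundant rather than harmful. `inherit (pkgs) fetchNextcloudApp;` in the `let` block is not referenced anywhere in the new file and can be dropped until apps are actually pinned. The old container config set `TRUSTED_PROXIES = "127.0.0.1"` while the new `config` block sets no `trustedProxies`; that is correct if nginx hands the real client address straight to php-fpm as the stock module integration does, but it is worth confirming so brute-force protection and logs key on client IPs rather than the proxy. Likewise confirm that the sops secret referenced by `adminpassFile` is readable by the user the nextcloud-setup unit runs as, since sops-nix secrets default to root-only access.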
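Review bot: The comment above `authentication` says only unix-socket connections are enabled, but as far as I recall `services.postgresql.authentication` is appended to rather than replaced: the NixOS module of that era adds its own default `local all all peer` and `host all all 127.0.0.1/32 md5` / `host all all ::1/128 md5` entries after user-supplied text via `mkAfter`, and pg_hba.conf is first-match, so any local peer login and (with the module's default loopback `listen_addresses`) password logins over TCP still fall through to those defaults. If the stated intent is the goal, force the value, e.g. `authentication = lib.mkForce ''local sameuser all peer'';` with `lib` added to the module arguments, and check the generated pg_hba.conf on the host; otherwise reword the comment to say the rule only tightens the same-user case. The `sameuser` + `peer` rule also implies the Nextcloud service must run as OS user `nextcloud` and target database `nextcloud`, which matches `dbhost = "/run/postgresql"` in nextcloud.nix and the `ensureUsers` entry here; a one-line comment stating that coupling, `# peer auth: the nextcloud systemd user must equal the DB role and database name`, would keep the two files from drifting apart.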