From 5c1e1feffe23e6f146ed9a69caad2d3c83b2be5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 12 Oct 2022 18:04:06 +0100 Subject: [PATCH 1/2] nextcloud: Use a hardened systemd unit instead of a container --- configuration/default.nix | 2 +- configuration/services/nextcloud.nix | 82 ++++++++++++---------------- configuration/services/postgres.nix | 30 ++++++++++ 3 files changed, 67 insertions(+), 47 deletions(-) create mode 100644 configuration/services/postgres.nix diff --git a/configuration/default.nix b/configuration/default.nix index d957dba..5f44085 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -9,6 +9,7 @@ ./services/nextcloud.nix ./services/webserver.nix ./services/starbound.nix + ./services/postgres.nix ./ids.nix ./sops.nix ]; @@ -81,7 +82,6 @@ in { "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];}; "gitea.${domain}" = proxyPassToPort 3000 {}; - "nextcloud.${domain}" = proxyPassToPort 3001 {}; }; }; diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 5b32cf2..0d4e299 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix 
@@ -1,53 +1,43 @@ -{config, ...}: { - virtualisation.pods.nextcloud = { - hostname = "nextcloud.tlater.net"; - publish = ["3001:80"]; - network = "slirp4netns"; +{ + pkgs, + config, + ... +}: let + inherit (pkgs) fetchNextcloudApp; + nextcloud = pkgs.nextcloud23; + hostName = "nextcloud.${config.services.nginx.domain}"; +in { + services.nextcloud = { + inherit hostName; - containers = { - nextcloud = { - image = "nextcloud:fpm-alpine"; - dependsOn = ["postgres"]; - volumes = [ - "nextcloud-root:/var/www/html" - "nextcloud-apps:/var/www/html/custom_apps" - "nextcloud-config:/var/www/html/config" - "nextcloud-data:/var/www/html/data" - ]; - environment = { - POSTGRES_DB = "nextcloud"; - POSTGRES_USER = "nextcloud"; - POSTGRES_HOST = "localhost"; - OVERWRITEPROTOCOL = "https"; - TRUSTED_PROXIES = "127.0.0.1"; - }; - }; + package = nextcloud; + enable = true; + maxUploadSize = "2G"; + https = true; - cron = { - image = "nextcloud:fpm-alpine"; - entrypoint = "/cron.sh"; - dependsOn = ["postgres" "nextcloud"]; - extraOptions = ["--volumes-from=nextcloud-nextcloud"]; - }; + config = { + overwriteProtocol = "https"; - nginx = { - image = "nginx:alpine"; - dependsOn = ["nextcloud"]; - volumes = [ - "nextcloud-root:/var/www/html:ro" - "${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro" - ]; - extraOptions = ["--volumes-from=nextcloud-nextcloud"]; - }; + dbtype = "pgsql"; + dbhost = "/run/postgresql"; - postgres = { - image = "postgres:alpine"; - environment = { - POSTGRES_DB = "nextcloud"; - POSTGRES_USER = "nextcloud"; - }; - volumes = ["nextcloud-postgres-14:/var/lib/postgresql/data"]; - }; + adminuser = "tlater"; + adminpassFile = config.sops.secrets."nextcloud/tlater".path; + + defaultPhoneRegion = "AT"; }; + + # TODO(tlater): Add redis config. This will be much easier + # starting with 22.11, since this will add an `extraOptions` where + # the necessary redis config can go. 
+ }; + + # Ensure that this service doesn't start before postgres is ready + systemd.services.nextcloud-setup.after = ["postgresql.service"]; + + # Set up SSL + services.nginx.virtualHosts."${hostName}" = { + forceSSL = true; + enableACME = true; }; } diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix new file mode 100644 index 0000000..927c073 --- /dev/null +++ b/configuration/services/postgres.nix @@ -0,0 +1,30 @@ +{ + services.postgresql = { + enable = true; + + # Only enable connections via the unix socket, and check with the + # OS to make sure the user matches the database name. + # + # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + authentication = '' + local sameuser all peer + ''; + + # Note: The following options with ensure.* are set-only; i.e., + # when permissions/users/databases are removed from these lists, + # that operation needs to be performed manually on the system as + # well. + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions = { + "DATABASE nextcloud" = "ALL PRIVILEGES"; + }; + } + ]; + + ensureDatabases = [ + "nextcloud" + ]; + }; +} From 54991bb8050ee1d11bc694886b5a1b8c6abb920f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 12 Oct 2022 19:43:24 +0100 Subject: [PATCH 2/2] WIP: gitea: Use a hardened systemd unit instead of a container --- configuration/default.nix | 2 - configuration/services/gitea.nix | 68 ++++++++++++-------------------- 2 files changed, 25 insertions(+), 45 deletions(-) diff --git a/configuration/default.nix b/configuration/default.nix index 5f44085..b6cd2c3 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -5,7 +5,6 @@ ... }: { imports = [ - ./services/gitea.nix ./services/nextcloud.nix ./services/webserver.nix ./services/starbound.nix 
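Review bot: `adminpassFile = config.sops.secrets."nextcloud/tlater".path` has to be readable by the `nextcloud` user, because the module's `nextcloud-setup` unit runs occ as that user rather than as root (as far as I know — the option docs say "must be readable by user nextcloud"); the sops secret's declaration is outside this diff, and with sops-nix's default ownership (root, mode 0400) the first install would fail on the password read, so give that secret `owner = config.users.users.nextcloud.name;` (or a shared group plus `mode = "0440"`). The new vhost also sends no HSTS header while the gitea vhost in the second patch does, and Nextcloud's admin overview flags its absence, so add `extraConfig = ''add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;'';` next to `forceSSL = true;`. Finally, `after = ["postgresql.service"]` only orders the two units; if the database is meant to be a hard dependency of setup, pair it with `requires = ["postgresql.service"];`.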
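Review bot: The comment above `authentication` promises socket-only, same-name peer access, but the NixOS postgresql module appends its own default rules after this option (`local all all peer` plus `host all all 127.0.0.1/32 md5` and `::1/128 md5`, as far as I recall — verify against the pinned nixpkgs), and pg_hba is first-match, so a socket connection whose database name differs from the OS user falls through to the permissive `local all all peer`, and password auth over loopback TCP stays open. To make the stated policy hold, take `lib` in the module arguments (`{lib, ...}: {`) and write `authentication = lib.mkForce '' local sameuser all peer '';`, which discards the appended defaults. The `postgres` superuser still matches `sameuser` against its own `postgres` database, so the `ensureDatabases`/`ensureUsers` postStart steps should keep working; confirm on a test host before relying on it.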
@@ -81,7 +80,6 @@ domain = config.services.nginx.domain; in { "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];}; - "gitea.${domain}" = proxyPassToPort 3000 {}; }; }; diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index 5f9ebd0..1bcbe7a 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix 
@@ -1,48 +1,30 @@ -{config, ...}: { - users = { - extraUsers.gitea = { - uid = config.ids.uids.git; - isSystemUser = true; - description = "Gitea Service"; - group = config.users.extraGroups.gitea.name; - }; - extraGroups.gitea = {gid = config.ids.gids.git;}; +{config, ...}: let + domain = "gitea.${config.services.nginx.domain}"; +in { + services.gitea = { + inherit domain; + enable = true; + + httpAddress = "127.0.0.1"; + database.type = "postgres"; + + ssh.clonePort = 2222; + rootUrl = "https://gitea.tlater.net/"; + cookieSecure = true; + + appName = "Gitea: Git with a cup of tea"; }; - virtualisation.pods.gitea = { - hostname = "gitea.tlater.net"; - publish = ["3000:3000" "2221:2221"]; - network = "slirp4netns"; + # Set up SSL + services.nginx.virtualHosts."${domain}" = let + inherit (config.services.gitea) httpAddress httpPort; + in { + forceSSL = true; + enableACME = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''; - containers = { - gitea = { - image = "gitea/gitea:latest"; - volumes = ["gitea:/data:Z" "/etc/localtime:/etc/localtime:ro"]; - dependsOn = ["postgres"]; - - environment = { - DB_TYPE = "postgres"; - DB_HOST = "localhost:5432"; - DB_NAME = "gitea"; - DB_USER = "gitea"; - - USER_UID = toString config.users.extraUsers.gitea.uid; - USER_GID = toString config.users.extraGroups.gitea.gid; - - RUN_MODE = "prod"; - DOMAIN = "gitea.tlater.net"; - SSH_PORT = "2221"; - }; - }; - - postgres = { - image = "postgres:alpine"; - environment = { - POSTGRES_DB = "gitea"; - POSTGRES_USER = "gitea"; - }; - volumes = ["gitea-postgres-14:/var/lib/postgresql/data"]; - }; - }; + locations."/".proxyPass = "http://${httpAddress}:httpPort"; }; }
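Review bot: `locations."/".proxyPass = "http://${httpAddress}:httpPort";` never interpolates `httpPort` — the `let` binds it, but the string carries the literal text `:httpPort`, so nginx is handed `http://127.0.0.1:httpPort` and rejects the config; it should read `"http://${httpAddress}:${toString httpPort}"`. `rootUrl = "https://gitea.tlater.net/"` hard-codes what `domain` already derives from `config.services.nginx.domain`; `rootUrl = "https://${domain}/"` keeps the two from drifting (a mismatch breaks redirects and `cookieSecure` cookies). `ssh.clonePort = 2222` only changes the port advertised in clone URLs; unless the host sshd or gitea's built-in SSH server actually listens on 2222, which nothing in this diff configures, the displayed SSH URLs will be dead — the old pod published 2221, so whichever listener is intended should be set explicitly. The commit is marked WIP, so some of this may already be known.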