homeserver: added nextcloud

options/services.nix

@@ -9,5 +9,6 @@ in
     forgejo.enable = mkEnableOption "forgejo";
     kavita.enable = mkEnableOption "kavita";
     samba.enable = mkEnableOption "samba";
+    nextcloud.enable = mkEnableOption "nextcloud";
   };
 }

profiles/homeserver.nix

@@ -33,6 +33,7 @@
       forgejo.enable = true;
       kavita.enable = true;
       samba.enable = true;
+      nextcloud.enable = true;
     };
   };
 }

secrets/caddy_reverse_proxy.yaml

@@ -1,5 +1,4 @@
-forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
+router: ENC[AES256_GCM,data:AulD1VVGGYhEEnHEr8TSYLfMyA14BfTUF3QKxlKpbH7G5Eo/CGZaTSQYBzehgmNZKVAZAG1Efe60aSNhlk1ZlGxMnODGw1wV/dAnuTrqd7ixEE/hz9hO1qr1daWRmb73jQpw3XmFeAHBl4XnLIhdLFNXKEcgZBJ7piw5ZXDpG5EhaUrPhKpRMQb+yPkA9eBTI023iFOiJ8du1TF0RuqTUExUSCkcVaNgpn0pwd5tgnM/gAg7SJ0MGNRPaVL0Bq2S5e6SSO90mFcXPEQDk/1jy3Ml7ZFFQ9GrN612X3j2lYLKcwfBH5327pU=,iv:UBxOzdVt8Nof+I/H2wY0Tng8rrKZyt3fPRVLzygxIuo=,tag:TIWvIFy2QGkP1qMlnnMlbQ==,type:str]
-cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +14,8 @@ sops:
             OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
             +bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T06:44:09Z"
+    lastmodified: "2024-06-13T13:48:11Z"
-    mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
+    mac: ENC[AES256_GCM,data:LjWV/1NPeN58VHH/lgHTukHHDu0zfqCCLeFoVS4yN91IkjdvvqwvTD74GDigw7lm++6LWILjF0zIlryUHJKg4T+Xztsj/kRntVuhSTXsDUU9mu/AOCLu5P7k4fn+N9rAMh5ML9ukeU+ZxTaOHLfezYMLv2c+01B1iMfjZ2qJ9Q4=,iv:Dh4WG98sfRUrTYnbfrZt0gX0co8lI8DUpdxFMy165GI=,tag:9Nn9UcKijyu6RhUjiUDd4g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

secrets/nextcloud.yaml

@@ -0,0 +1,22 @@
+nextcloud:
+    homeserver: ENC[AES256_GCM,data:ZX0LfvXQ1h1LInuvRajKpyhAP8AbyGbTs40=,iv:gpADsYG655zUdDC+j0idtVdMCmwjWSFhSJ2Us0BgBkM=,tag:JPHrZ0YZSEI+AqUm6Bb48Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeWIrNllOYlhnd3FYZGls
+            TUdDaSs0RHhVMHBxRFJwSWFxS0N5WVUxYXhNCmRTdnNMQy9TMDd1MUxLYSt0OEs5
+            VTg4TnpqVUdEY1Ywa280NktQYnVVUDgKLS0tIExtUjZXdTViMklLYVFqOHBkQnBV
+            bDN6M1ZEK3ZsdW5ydHNIc282TVo4YVkKeOgUwUJanhOn034l2B6Xp0UxogGP0/US
+            Bl+Mt+MYolkkNo3CT6w1bmsDXEDOb1Za8lmsMM1OH13bVpSQ/ygVzQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-13T16:14:14Z"
+    mac: ENC[AES256_GCM,data:QbHr/M2lcH0RFMHA5w+cdft803ZeDLgD7k45/gtM+09PmmQG4UMoHns4PoSxBtHUQkjNtHo53jet+sduC5fuO4Rek8xNsgmoIk7Zd46UU8I4QLxGcXLLWyOvddvR2LH5JpQCXbfHULJBynZskBtTntPg2h9F13PuTehOM0lHykM=,iv:su2ZOOK2v8x9vLgCcGTUJTSREMcxCAQXvhC/FKMk4nU=,tag:t5G+vnMw2KgiWYpSqQN1Cw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

system/services/caddy.nix

@@ -11,5 +11,11 @@ in
         import /etc/caddy/sites-enabled/*
       '';
     };
+
+    sops.secrets."router" = {
+      sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
+      path = "/etc/caddy/sites-enabled/router";
+      mode = "0444";
+    };
   };
 }

system/services/default.nix

@@ -5,5 +5,6 @@
     ./cockpit.nix
     ./forgejo.nix
     ./samba.nix
+    ./nextcloud.nix
   ];
 }

system/services/forgejo.nix

@@ -6,6 +6,11 @@ in
 {
   config = mkIf cfg.enable {
     services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
+      @home_not_login {
+            not header_regexp Cookie gitea_incredible
+            path /
+      }
+      redir @home_not_login /Tigor
       reverse_proxy * unix//run/forgejo/forgejo.sock
     '';
 
@@ -13,11 +18,11 @@ in
     services.forgejo = {
       enable = true;
       settings = {
-        server = {
+        server = rec {
           PROTOCOL = "http+unix";
           DOMAIN = "git.tigor.web.id";
           HTTP_PORT = 443;
-          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+          ROOT_URL = "https://${DOMAIN}:${toString HTTP_PORT}";
         };
         service = {
           DISABLE_REGISTRATION = true;

system/services/nextcloud-extras.nix

@@ -0,0 +1,175 @@
+# Directly ripped from https://github.com/onny/nixos-nextcloud-testumgebung/blob/main/nextcloud-extras.nix
+
+{ config
+, lib
+, ...
+}:
+let
+
+  inherit
+    (lib)
+    optionalString
+    escapeShellArg
+    types
+    concatStringsSep
+    mapAttrsToList
+    mkIf
+    mkOption
+    mkDefault
+    mkForce
+    ;
+
+  cfg = config.services.nextcloud;
+  fpm = config.services.phpfpm.pools.nextcloud;
+  webserver = config.services.${cfg.webserver};
+
+in
+{
+
+  options = {
+    services.nextcloud = {
+
+      ensureUsers = mkOption {
+        default = { };
+        description = lib.mdDoc ''
+          List of user accounts which get automatically created if they don't
+          exist yet. This option does not delete accounts which are not listed
+          anymore.
+        '';
+        example = {
+          user1 = {
+            passwordFile = /secrets/user1-localhost;
+            email = "user1@localhost";
+          };
+          user2 = {
+            passwordFile = /secrets/user2-localhost;
+            email = "user2@localhost";
+          };
+        };
+        type = types.attrsOf (types.submodule {
+          options = {
+            passwordFile = mkOption {
+              type = types.path;
+              example = "/path/to/file";
+              default = null;
+              description = lib.mdDoc ''
+                Specifies the path to a file containing the
+                clear text password for the user.
+              '';
+            };
+            email = mkOption {
+              type = types.str;
+              example = "user1@localhost";
+              default = null;
+            };
+          };
+        });
+      };
+
+      webserver = mkOption {
+        type = types.enum [ "nginx" "caddy" ];
+        default = "nginx";
+        description = ''
+          Whether to use nginx or caddy for virtual host management.
+          Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
+          See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
+        '';
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.nextcloud-ensure-users = {
+      enable = true;
+      script = ''
+        ${optionalString (cfg.ensureUsers != {}) ''
+          ${concatStringsSep "\n" (mapAttrsToList (name: cfg: ''
+            if ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
+              export OC_PASS="$(cat ${escapeShellArg cfg.passwordFile})"
+              ${config.services.nextcloud.occ}/bin/nextcloud-occ user:add --password-from-env "${name}"
+            fi
+            if ! ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
+              ${optionalString (cfg.email != null) ''
+                ${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting "${name}" settings email "${cfg.email}"
+              ''}
+            fi
+          '') cfg.ensureUsers)}
+        ''}
+      '';
+      wantedBy = [ "multi-user.target" ];
+      after = [ "nextcloud-setup.service" ];
+    };
+
+    services.phpfpm.pools.nextcloud.settings = {
+      "listen.owner" = webserver.user;
+      "listen.group" = webserver.group;
+    };
+
+    users.groups.nextcloud.members = [ "nextcloud" webserver.user ];
+
+    services.nginx = lib.mkIf (cfg.webserver == "caddy") {
+      enable = mkForce false;
+    };
+
+    services.caddy = lib.mkIf (cfg.webserver == "caddy") {
+      enable = mkDefault true;
+      virtualHosts."${if cfg.https then "https" else "http"}://${cfg.hostName}" = {
+        extraConfig = ''
+          encode zstd gzip
+
+          root * ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
+
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          redir /.well-known/* /index.php{uri} 301
+          redir /remote/* /remote.php{uri} 301
+
+          header {
+            Strict-Transport-Security max-age=31536000
+            Permissions-Policy interest-cohort=()
+            X-Content-Type-Options nosniff
+            X-Frame-Options SAMEORIGIN
+            Referrer-Policy no-referrer
+            X-XSS-Protection "1; mode=block"
+            X-Permitted-Cross-Domain-Policies none
+            X-Robots-Tag "noindex, nofollow"
+            -X-Powered-By
+          }
+
+          php_fastcgi unix/${fpm.socket} {
+            root ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
+            env front_controller_active true
+            env modHeadersAvailable true
+          }
+
+          @forbidden {
+            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+            not path /.well-known/*
+          }
+          error @forbidden 404
+
+          @immutable {
+            path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+            query v=*
+          }
+          header @immutable Cache-Control "max-age=15778463, immutable"
+
+          @static {
+            path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+            not query v=*
+          }
+          header @static Cache-Control "max-age=15778463"
+
+          @woff2 path *.woff2
+          header @woff2 Cache-Control "max-age=604800"
+
+          file_server
+        '';
+      };
+    };
+
+  };
+}

system/services/nextcloud.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.profile.services.nextcloud;
+in
+{
+  imports = [ ./nextcloud-extras.nix ];
+  config = lib.mkIf cfg.enable {
+    users.groups.nextcloud.members = [ config.profile.user.name ];
+    sops.secrets =
+      let
+        opts = {
+          owner = "nextcloud";
+          sopsFile = ../../secrets/nextcloud.yaml;
+        };
+      in
+      {
+        "nextcloud/homeserver" = opts;
+      };
+
+    # Do not set services.nextcloud.home. Issues with sandboxing nature of NixOS.
+    # Instead uses bind mount and fstab to mount seeked directory to /var/lib/nextcloud.
+    fileSystems."/nas/nextcloud" = {
+      device = "/var/lib/nextcloud";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    services.nextcloud =
+      let
+        secrets = config.sops.secrets;
+      in
+      {
+        enable = true;
+        https = true;
+        webserver = "caddy";
+        hostName = "nextcloud.tigor.web.id"; # The nextcloud-extras will ensure Caddy to take care of this.
+        config = {
+          adminuser = "homeserver";
+          adminpassFile = secrets."nextcloud/homeserver".path;
+        };
+      };
+  };
+}