options/services.nix

@@ -9,6 +9,5 @@ in
     forgejo.enable = mkEnableOption "forgejo";
     kavita.enable = mkEnableOption "kavita";
     samba.enable = mkEnableOption "samba";
-    nextcloud.enable = mkEnableOption "nextcloud";
   };
 }

profiles/homeserver.nix

@@ -33,7 +33,6 @@
       forgejo.enable = true;
       kavita.enable = true;
       samba.enable = true;
-      nextcloud.enable = true;
     };
   };
 }

secrets/caddy_reverse_proxy.yaml

@@ -1,4 +1,5 @@
-router: ENC[AES256_GCM,data:AulD1VVGGYhEEnHEr8TSYLfMyA14BfTUF3QKxlKpbH7G5Eo/CGZaTSQYBzehgmNZKVAZAG1Efe60aSNhlk1ZlGxMnODGw1wV/dAnuTrqd7ixEE/hz9hO1qr1daWRmb73jQpw3XmFeAHBl4XnLIhdLFNXKEcgZBJ7piw5ZXDpG5EhaUrPhKpRMQb+yPkA9eBTI023iFOiJ8du1TF0RuqTUExUSCkcVaNgpn0pwd5tgnM/gAg7SJ0MGNRPaVL0Bq2S5e6SSO90mFcXPEQDk/1jy3Ml7ZFFQ9GrN612X3j2lYLKcwfBH5327pU=,iv:UBxOzdVt8Nof+I/H2wY0Tng8rrKZyt3fPRVLzygxIuo=,tag:TIWvIFy2QGkP1qMlnnMlbQ==,type:str]
+forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
+cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +15,8 @@ sops:
             OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
             +bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T13:48:11Z"
+    lastmodified: "2024-06-13T06:44:09Z"
-    mac: ENC[AES256_GCM,data:LjWV/1NPeN58VHH/lgHTukHHDu0zfqCCLeFoVS4yN91IkjdvvqwvTD74GDigw7lm++6LWILjF0zIlryUHJKg4T+Xztsj/kRntVuhSTXsDUU9mu/AOCLu5P7k4fn+N9rAMh5ML9ukeU+ZxTaOHLfezYMLv2c+01B1iMfjZ2qJ9Q4=,iv:Dh4WG98sfRUrTYnbfrZt0gX0co8lI8DUpdxFMy165GI=,tag:9Nn9UcKijyu6RhUjiUDd4g==,type:str]
+    mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

secrets/nextcloud.yaml

@@ -1,22 +0,0 @@
-nextcloud:
-    homeserver: ENC[AES256_GCM,data:ZX0LfvXQ1h1LInuvRajKpyhAP8AbyGbTs40=,iv:gpADsYG655zUdDC+j0idtVdMCmwjWSFhSJ2Us0BgBkM=,tag:JPHrZ0YZSEI+AqUm6Bb48Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeWIrNllOYlhnd3FYZGls
-            TUdDaSs0RHhVMHBxRFJwSWFxS0N5WVUxYXhNCmRTdnNMQy9TMDd1MUxLYSt0OEs5
-            VTg4TnpqVUdEY1Ywa280NktQYnVVUDgKLS0tIExtUjZXdTViMklLYVFqOHBkQnBV
-            bDN6M1ZEK3ZsdW5ydHNIc282TVo4YVkKeOgUwUJanhOn034l2B6Xp0UxogGP0/US
-            Bl+Mt+MYolkkNo3CT6w1bmsDXEDOb1Za8lmsMM1OH13bVpSQ/ygVzQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T16:14:14Z"
-    mac: ENC[AES256_GCM,data:QbHr/M2lcH0RFMHA5w+cdft803ZeDLgD7k45/gtM+09PmmQG4UMoHns4PoSxBtHUQkjNtHo53jet+sduC5fuO4Rek8xNsgmoIk7Zd46UU8I4QLxGcXLLWyOvddvR2LH5JpQCXbfHULJBynZskBtTntPg2h9F13PuTehOM0lHykM=,iv:su2ZOOK2v8x9vLgCcGTUJTSREMcxCAQXvhC/FKMk4nU=,tag:t5G+vnMw2KgiWYpSqQN1Cw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

system/services/caddy.nix

@@ -11,11 +11,5 @@ in
         import /etc/caddy/sites-enabled/*
       '';
     };
-
-    sops.secrets."router" = {
-      sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
-      path = "/etc/caddy/sites-enabled/router";
-      mode = "0444";
-    };
   };
 }

system/services/default.nix

@@ -5,6 +5,5 @@
     ./cockpit.nix
     ./forgejo.nix
     ./samba.nix
-    ./nextcloud.nix
   ];
 }

system/services/forgejo.nix

@@ -6,11 +6,6 @@ in
 {
   config = mkIf cfg.enable {
     services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
-      @home_not_login {
-            not header_regexp Cookie gitea_incredible
-            path /
-      }
-      redir @home_not_login /Tigor
       reverse_proxy * unix//run/forgejo/forgejo.sock
     '';
 
@@ -18,11 +13,11 @@ in
     services.forgejo = {
       enable = true;
       settings = {
-        server = rec {
+        server = {
           PROTOCOL = "http+unix";
           DOMAIN = "git.tigor.web.id";
           HTTP_PORT = 443;
-          ROOT_URL = "https://${DOMAIN}:${toString HTTP_PORT}";
+          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
         };
         service = {
           DISABLE_REGISTRATION = true;

system/services/nextcloud-extras.nix

@@ -1,175 +0,0 @@
-# Directly ripped from https://github.com/onny/nixos-nextcloud-testumgebung/blob/main/nextcloud-extras.nix
-
-{ config
-, lib
-, ...
-}:
-let
-
-  inherit
-    (lib)
-    optionalString
-    escapeShellArg
-    types
-    concatStringsSep
-    mapAttrsToList
-    mkIf
-    mkOption
-    mkDefault
-    mkForce
-    ;
-
-  cfg = config.services.nextcloud;
-  fpm = config.services.phpfpm.pools.nextcloud;
-  webserver = config.services.${cfg.webserver};
-
-in
-{
-
-  options = {
-    services.nextcloud = {
-
-      ensureUsers = mkOption {
-        default = { };
-        description = lib.mdDoc ''
-          List of user accounts which get automatically created if they don't
-          exist yet. This option does not delete accounts which are not listed
-          anymore.
-        '';
-        example = {
-          user1 = {
-            passwordFile = /secrets/user1-localhost;
-            email = "user1@localhost";
-          };
-          user2 = {
-            passwordFile = /secrets/user2-localhost;
-            email = "user2@localhost";
-          };
-        };
-        type = types.attrsOf (types.submodule {
-          options = {
-            passwordFile = mkOption {
-              type = types.path;
-              example = "/path/to/file";
-              default = null;
-              description = lib.mdDoc ''
-                Specifies the path to a file containing the
-                clear text password for the user.
-              '';
-            };
-            email = mkOption {
-              type = types.str;
-              example = "user1@localhost";
-              default = null;
-            };
-          };
-        });
-      };
-
-      webserver = mkOption {
-        type = types.enum [ "nginx" "caddy" ];
-        default = "nginx";
-        description = ''
-          Whether to use nginx or caddy for virtual host management.
-          Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
-          See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
-        '';
-      };
-
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    systemd.services.nextcloud-ensure-users = {
-      enable = true;
-      script = ''
-        ${optionalString (cfg.ensureUsers != {}) ''
-          ${concatStringsSep "\n" (mapAttrsToList (name: cfg: ''
-            if ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
-              export OC_PASS="$(cat ${escapeShellArg cfg.passwordFile})"
-              ${config.services.nextcloud.occ}/bin/nextcloud-occ user:add --password-from-env "${name}"
-            fi
-            if ! ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
-              ${optionalString (cfg.email != null) ''
-                ${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting "${name}" settings email "${cfg.email}"
-              ''}
-            fi
-          '') cfg.ensureUsers)}
-        ''}
-      '';
-      wantedBy = [ "multi-user.target" ];
-      after = [ "nextcloud-setup.service" ];
-    };
-
-    services.phpfpm.pools.nextcloud.settings = {
-      "listen.owner" = webserver.user;
-      "listen.group" = webserver.group;
-    };
-
-    users.groups.nextcloud.members = [ "nextcloud" webserver.user ];
-
-    services.nginx = lib.mkIf (cfg.webserver == "caddy") {
-      enable = mkForce false;
-    };
-
-    services.caddy = lib.mkIf (cfg.webserver == "caddy") {
-      enable = mkDefault true;
-      virtualHosts."${if cfg.https then "https" else "http"}://${cfg.hostName}" = {
-        extraConfig = ''
-          encode zstd gzip
-
-          root * ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
-
-          redir /.well-known/carddav /remote.php/dav 301
-          redir /.well-known/caldav /remote.php/dav 301
-          redir /.well-known/* /index.php{uri} 301
-          redir /remote/* /remote.php{uri} 301
-
-          header {
-            Strict-Transport-Security max-age=31536000
-            Permissions-Policy interest-cohort=()
-            X-Content-Type-Options nosniff
-            X-Frame-Options SAMEORIGIN
-            Referrer-Policy no-referrer
-            X-XSS-Protection "1; mode=block"
-            X-Permitted-Cross-Domain-Policies none
-            X-Robots-Tag "noindex, nofollow"
-            -X-Powered-By
-          }
-
-          php_fastcgi unix/${fpm.socket} {
-            root ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
-            env front_controller_active true
-            env modHeadersAvailable true
-          }
-
-          @forbidden {
-            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
-            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
-            not path /.well-known/*
-          }
-          error @forbidden 404
-
-          @immutable {
-            path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-            query v=*
-          }
-          header @immutable Cache-Control "max-age=15778463, immutable"
-
-          @static {
-            path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-            not query v=*
-          }
-          header @static Cache-Control "max-age=15778463"
-
-          @woff2 path *.woff2
-          header @woff2 Cache-Control "max-age=604800"
-
-          file_server
-        '';
-      };
-    };
-
-  };
-}

system/services/nextcloud.nix

@@ -1,42 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.profile.services.nextcloud;
-in
-{
-  imports = [ ./nextcloud-extras.nix ];
-  config = lib.mkIf cfg.enable {
-    users.groups.nextcloud.members = [ config.profile.user.name ];
-    sops.secrets =
-      let
-        opts = {
-          owner = "nextcloud";
-          sopsFile = ../../secrets/nextcloud.yaml;
-        };
-      in
-      {
-        "nextcloud/homeserver" = opts;
-      };
-
-    # Do not set services.nextcloud.home. Issues with sandboxing nature of NixOS.
-    # Instead uses bind mount and fstab to mount seeked directory to /var/lib/nextcloud.
-    fileSystems."/nas/nextcloud" = {
-      device = "/var/lib/nextcloud";
-      fsType = "none";
-      options = [ "bind" ];
-    };
-    services.nextcloud =
-      let
-        secrets = config.sops.secrets;
-      in
-      {
-        enable = true;
-        https = true;
-        webserver = "caddy";
-        hostName = "nextcloud.tigor.web.id"; # The nextcloud-extras will ensure Caddy to take care of this.
-        config = {
-          adminuser = "homeserver";
-          adminpassFile = secrets."nextcloud/homeserver".path;
-        };
-      };
-  };
-}