✨ [pi4] Initial Nextcloud config

2025-05-27 20:01:07 +00:00
parent 96d57d34c1
commit e986f337bd
3 changed files with 77 additions and 2 deletions
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -5,6 +5,7 @@
    (relativeToBase "modules")
    ./boot.nix
    ./hardware.nix
+    ./nextcloud.nix
    ./security
  ];
 }
--- a/hosts/pi4/nextcloud.nix
+++ b/hosts/pi4/nextcloud.nix
@ -0,0 +1,72 @@
+{ pkgs, config, ... }:
+let
+  adminPass = "nextcloud/admin-pass";
+  domain = "beta.nextcloud.martials.no";
+  dbname = "nextcloud";
+  dbuser = dbname;
+in
+{
+  services = {
+    nextcloud = {
+      enable = true;
+
+      autoUpdateApps.enable = true;
+
+      config = {
+        adminpassFile = config.sops.secrets.${adminPass}.path;
+        dbtype = "pgsql";
+        dbname = dbname;
+        dbuser = dbuser;
+        # default directory for postgresql, ensures automatic setup of db
+        dbhost = "/run/postgresql";
+        adminuser = "admin";
+        defaultPhoneRegion = "NO";
+      };
+
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          contacts
+          tasks
+          deck
+          ;
+      };
+      extraAppsEnable = true;
+
+      hostName = domain;
+      https = true;
+
+      package = pkgs.nextcloud31;
+
+      settings = {
+        trusted_domains = [
+          domain
+        ];
+      };
+    };
+    postgresql = {
+      enable = true;
+      ensureDatabases = [ dbname ];
+      ensureUsers = [
+        {
+          name = dbuser;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    postgresqlBackup = {
+      enable = true;
+      location = "/data/backup/nextclouddb";
+      databases = [ dbname ];
+      # time to start backup in systemd.time format
+      startAt = "*-*-* 23:15:00";
+    };
+  };
+
+  sops.secrets.${adminPass}.neededForUsers = true;
+
+  # ensure postgresql db is started with nextcloud
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+}
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@ -1,4 +1,6 @@
 password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
+nextcloud:
+  admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
 sops:
  kms: []
  gcp_kms: []
@ -32,8 +34,8 @@ sops:
        SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
        YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-05-15T16:57:17Z"
-  mac: ENC[AES256_GCM,data:HE/liIsb/7RazR671Keo5nH9+qp3BMPGxJcm97fzXkeO8TnCk/lNy43InKu7ON316G375F2oTeiuz90JthUYV2wBQFZTVWR6pROhRSewT7T3pp3lRPtIIwmvOmvJd537OVN1iz2p+1EgW4+gERrgQ9wPHWyyeFB7a9SkTeLmmGA=,iv:bvL1WyUHnnXB7gWZyVdru+j8oAFD11lbQkMvgWkgm24=,tag:CKFt/UlRRImKYakUI44fWw==,type:str]
+  lastmodified: "2025-05-27T17:56:45Z"
+  mac: ENC[AES256_GCM,data:rXUdrKF4qcuKkk9QASAti2yk+mWLRPzqHPLV85P1nJBoqa6bnLaEoWwfclwr2riTeLjK8ASRHGzi9xiY9867+lhui7+nd0ISBPZlRKTxfXNddBNMqSh+MguJ9e02mTm6OpbSVlovT5NPLiJcQyTodtI5Cvkc0LU5v8yCwRF98jI=,iv:TCSHdf4Y9QPOFNOVjKL3vro65C9SEUhSSNFXNYchzmk=,tag:wGbBdQwPXO30ymyhtAguYg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.4