voyager: add nextcloud

hosts/defiant/services/nginx.nix

@@ -45,5 +45,34 @@
     "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
     "git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
     "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
+
+    "cloud.feal.no" = {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+      ];
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        server_tokens off;
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+      '';
+      locations."/".proxyPass = "http://nextcloud.home.feal.no/";
+    };
   };
 }

hosts/voyager/configuration.nix

@@ -15,6 +15,7 @@
       ./services/fancontrol.nix
       ./services/jellyfin.nix
       ./services/kanidm.nix
+      ./services/nextcloud.nix
       ./services/nginx
       ./services/postgres.nix
       ./services/timemachine.nix
@@ -23,13 +24,14 @@
 
   networking = {
     hostName = "voyager";
-    defaultGateway = "192.168.10.1";
+    bridges.br0.interfaces = [ "eno1" ];
-    interfaces.eno1.ipv4 = {
+    interfaces.br0.useDHCP = false;
-      addresses = [
+    interfaces.br0.ipv4.addresses = [
       { address = "192.168.10.165"; prefixLength = 24; }
     ];
-    };
+
     hostId = "8e84b235";
+    defaultGateway = "192.168.10.1";
   };
 
   sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;

hosts/voyager/services/nextcloud.nix

@@ -0,0 +1,79 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.containers.nextcloud.config.services.nextcloud;
+  hostName = "cloud.feal.no";
+in {
+  containers.nextcloud = {
+    autoStart = true;
+    ephemeral = true;
+
+    privateNetwork = true;
+    hostBridge = "br0";
+    localAddress = "192.168.10.171/24";
+
+    bindMounts = {
+      "/var/lib/nextcloud"  = { isReadOnly = false; hostPath = "/tank/nextcloud/nextcloud/";  };
+      "/var/lib/postgresql" = { isReadOnly = false; hostPath = "/tank/nextcloud/postgresql/"; };
+      "/srv/secrets/"       = { isReadOnly = true;  hostPath = "/tank/nextcloud/secrets/";    };
+    };
+
+    config = { config, pkgs, ... }: {
+      system.stateVersion = "23.11";
+
+      networking = {
+        firewall = {
+          enable = true;
+          allowedTCPPorts = [ 80 ];
+        };
+
+        defaultGateway = "192.168.10.1";
+      };
+      time.timeZone = "Europe/Oslo";
+
+      services.nextcloud = {
+        enable = true;
+        package = pkgs.nextcloud28;
+        inherit hostName;
+        home = "/var/lib/nextcloud";
+        https = true;
+
+        config = {
+          dbtype = "pgsql";
+          dbuser = "nextcloud";
+          dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+          dbname = "nextcloud";
+          adminpassFile = "/srv/secrets/adminpass";
+          adminuser = "ncadmin";
+        };
+
+        # phpOptions = {
+        #   "opcache.interned_strings_buffer" = "16";
+        #   "upload_max_filesize" = "4G";
+        #   "post_max_size" = "4G";
+        #   "memory_limit" = "4G";
+        # };
+
+        poolSettings = {
+          "pm" = "ondemand";
+          "pm.max_children" = 32;
+          "pm.process_idle_timeout" = "10s";
+          "pm.max_requests" = 500;
+        };
+      };
+
+      services.postgresql = {
+        enable = true;
+        ensureDatabases = [ "nextcloud" ];
+        ensureUsers = [ {
+          name = "nextcloud";
+          ensureDBOwnership = true;
+        } ];
+      };
+
+      systemd.services."nextcloud-setup" = {
+        requires = [ "postgresql.service" ];
+        after = [ "postgresql.service" ];
+      };
+    };
+  };
+}