From 58061df4ab6a89805e0ef4d3278b822319a627a9 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 8 May 2023 02:27:52 +0200
Subject: [PATCH] tsuki: set up nextcloud, without enabling it

---
 hosts/tsuki/configuration.nix | 1 +
 hosts/tsuki/services/nextcloud.nix | 70 ++++++++++++++++++++++++++++++
 secrets/default.yaml | 8 +++-
 3 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 hosts/tsuki/services/nextcloud.nix

diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index 1ce81ea..9d2e893 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -16,6 +16,7 @@
 # ./services/keycloak.nix
 ./services/matrix
 ./services/minecraft
+ ./services/nextcloud.nix
 ./services/nginx
 ./services/osuchan.nix
 ./services/pgadmin.nix
diff --git a/hosts/tsuki/services/nextcloud.nix b/hosts/tsuki/services/nextcloud.nix
new file mode 100644
index 0000000..b54c309
--- /dev/null
+++ b/hosts/tsuki/services/nextcloud.nix
@@ -0,0 +1,70 @@
+{ pkgs, config, secrets, ... }:
+
+# TODO: This kinda sucks, but nextcloud refuses to use the NFS mounted
+# drive, as it is not able to lock it properly.
+# I'll wait for a while with enabling this service, until I have gotten
+# Some proper disks into the server.
+{
+ sops.secrets."nextcloud/initialPassword" = {
+ restartUnits = [ "nextcloud.service" ];
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ sops.secrets."postgres/nextcloud" = {
+ restartUnits = [ "nextcloud.service" ];
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+ services.nextcloud = {
+ enable = false;
+ hostName = "cloud.nani.wtf";
+ https = true;
+ maxUploadSize = "10G";
+ package = pkgs.nextcloud25;
+
+ datadir = "${config.machineVars.dataDrives.default}/var/nextcloud";
+
+ home = "${config.machineVars.dataDrives.default}/var/nextcloud";
+
+ enableBrokenCiphersForSSE = false;
+
+ caching.redis = true;
+ extraOptions = {
+ redis = {
+ host = config.services.redis.servers.nextcloud.unixSocket;
+ port = 0;
+ dbindex = 0;
+ timeout = 1.5;
+ };
+ };
+
+ config = {
+ defaultPhoneRegion = "NO";
+
+ dbtype = "pgsql";
+ dbport = secrets.ports.postgres;
+ dbpassFile = config.sops.secrets."postgres/nextcloud".path;
+
+ adminuser = "h7x4";
+ adminpassFile = config.sops.secrets."nextcloud/initialPassword".path;
+ };
+ };
+
+ services.redis.servers.nextcloud = {
+ enable = true;
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ (rec {
+ name = "nextcloud";
+ ensurePermissions = {
+ "DATABASE \"${name}\"" = "ALL PRIVILEGES";
+ };
+ })
+ ];
+ };
+}
diff --git a/secrets/default.yaml b/secrets/default.yaml
index aa01243..179251e 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
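Review bot: `extraOptions.redis.host` points Nextcloud at the `services.redis.servers.nextcloud` unix socket, but nothing in the hunk grants the `nextcloud` user access to it; the NixOS redis module creates that socket owned by the server's own user/group with `unixSocketPerm` defaulting to `660`, so when `enable` is later flipped to true the PHP side would presumably be refused. Adding `users.users.nextcloud.extraGroups = [ "redis-nextcloud" ];` (the module's default `redis-<name>` group — verify against the generated unit) closes that gap. Likewise `dbpassFile` hands Nextcloud a password for the `nextcloud` role while `ensureUsers` creates that role without one, so unless the password is applied to the role elsewhere the TCP connection via `dbport` will fail; pointing `config.dbhost` at `/run/postgresql` would use peer authentication instead and make that secret unnecessary. `datadir` and `home` are set to the same path, which is redundant since `datadir` defaults to `home` — harmless, but a one-line comment such as `# datadir kept explicit so a later change to home does not silently move the data` would stop a reader from "fixing" it.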
@@ -7,8 +7,12 @@ cloudflare:
 drives:
 cirno:
 credentials: ENC[AES256_GCM,data:ypMZhs7dQw/IlcLwHwFcIZw0N+kCzvFGLe3gEqZVe1hj0lzK8MCfxAR8GpA=,iv:by5ljMzOuuY4b6BDUQNLhp8/gcXDNe+rHkqhFzjNA6c=,tag:3C5iYsxEWwAKs9Blgr5o6g==,type:str]
+nextcloud:
+ initialPassword: ENC[AES256_GCM,data:ROG+4u6C9zBu8Ez3Jprw8cgwVd2gFErUIOBmrWL9o7/qSGPT8jnwd0T5W8E=,iv:uRdL/3Xslu/J/aPI44WxlNw3RLAvjDRPt5VttuQL/P0=,tag:IDmGXNF9PsHPaMqK5YUKIg==,type:str]
 postgres:
 gitea: ENC[AES256_GCM,data:HyYgEgOzeOnaEvPDEXoL+fRhrnqCeGbb/wOYf2kHulxrU9PKIAcRzmNljsc=,iv:1N/N2RUQ++rAWw4VNQzhee2aV9LzOJym6cyM6CAnZUU=,tag:o7dblJrIAPd4/S8X2LKdcQ==,type:str]
+ invidious: ENC[AES256_GCM,data:r/Jzs7U1fkCi2j5L/tOcBfakR3virj8HGrDrVZdP7VwubG4BJLvoeb14eJo=,iv:3plNFOds+HeF0HAliedczpNgPL4ZgqhCOwqbnb2e8Ag=,tag:DHm/KM9UuPiqaRxqNDb7QA==,type:str]
+ nextcloud: ENC[AES256_GCM,data:E1tD6Z2SDbi5TUDAACjXSJJIn+/ySu0+8xhvRVFxumxjex4ZsEw+mofKIxM=,iv:E4iPVF3M8GOoQghVQtn/kCEpXl0b8MueCbtyvzFM8AA=,tag:IF4kWOuTsylqrXMoXzQaVQ==,type:str]
 pgadmin:
 oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
 initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
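Review bot: The added `postgres.invidious` entry is unrelated to the Nextcloud setup named in the subject line and would be better landed as its own commit, so the secret's introduction stays traceable to the service that consumes it. The `nextcloud.initialPassword` and `postgres.nextcloud` keys do match the two `sops.secrets` paths declared in the new nix module, so the sops side of the wiring is consistent.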
@@ -27,8 +31,8 @@ sops:
 UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
 rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-03-16T22:23:30Z"
- mac: ENC[AES256_GCM,data:WhmY8htyrpTsAHuA8Q6RquBSafTZR/ocyB/OvLRhIV4gksSbzCWeMR+5Jwvvr8XYkwzD3rpCgCiqpA6R8ibxfdhHYZwHKMJNrAlpBdXSom67q9RUvDJjiCEQyJpcsvjJmT1mM9J3E6iVymoI0h2WW+rGzN3vgONBIr86p0nknKI=,iv:JdHn/qSzPCwkaBL81Wax0ThXFtSGrb26shA1tfXy/aI=,tag:dZLtLJM5mNCO6OOWLtQwXg==,type:str]
+ lastmodified: "2023-05-08T00:26:32Z"
+ mac: ENC[AES256_GCM,data:ESAcNcZu6MyT2h1gyXd7UHK5UK5slm+btmWAAaOjP4LVxn2ybNU9/K25gbiuDngH+xEclPXN8t/QtjKpHT1PtJW/nRcT7VDJ7+x50YTixvzrC7PSz2ebdm/HOG7Pb/y+Jo/I/LqKzdYmrbBfug61z84DJJqLHjzuDaWT/9s6U90=,iv:Yco3AQerNcDmO2H36Osm0XsbE7G/Yp4sTcYfutQZ7gM=,tag:/7VZifOICO+7Ebjt6RDe0g==,type:str]
 pgp:
 - created_at: "2023-03-07T12:32:53Z"
 enc: |