Add nextcloud host

hosts.nix

@@ -38,6 +38,10 @@ in
       hostNixpkgs = nixpkgs-unstable;
       site = "vs";
     };
+    nextcloud = {
+      hostNixpkgs = nixpkgs-unstable;
+      site = "vs";
+    };
     nitter = {
       site = "vs";
     };

hosts/nextcloud/configuration.nix

@@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "nextcloud";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 8443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}

hosts/nextcloud/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nextcloud.nix
+  ];
+}

hosts/nextcloud/nextcloud.nix

@@ -0,0 +1,38 @@
+{ pkgs, config, ... }:
+{
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud27;
+    hostName = "cloud.nekover.se";
+    https = true;
+    config = {
+      dbtype = "pgsql";
+      adminpassFile = "/secrets/nextcloud-adminpass.secret";
+      defaultPhoneRegion = "DE";
+    };
+    database.createLocally = true;
+    configureRedis = true;
+    extraAppsEnable = true;
+    extraApps = with config.services.nextcloud.package.packages.apps; {
+      inherit bookmarks contacts calendar tasks twofactor_webauthn;
+    };
+    maxUploadSize = "16G";
+  };
+
+  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+  };
+}

hosts/nextcloud/secrets.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  deployment.keys."nextcloud-adminpass.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ];
+    destDir = "/secrets";
+    user = "nextcloud";
+    group = "nextcloud";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}

hosts/web-public-2/nginx.nix

@@ -11,6 +11,7 @@
       map $ssl_preread_server_name $address {
         anisync.grzb.de 127.0.0.1:8443;
         birdsite.nekover.se 127.0.0.1:8443;
+        cloud.nekover.se 10.202.41.122:8443;
         element.nekover.se 127.0.0.1:8443;
         gameserver.grzb.de 127.0.0.1:8443;
         git.grzb.de 127.0.0.1:8443;
@@ -21,7 +22,6 @@
         nextcloud.grzb.de 127.0.0.1:8443;
         nix-cache.nekover.se 10.202.41.121:8443;
         social.nekover.se 127.0.0.1:8443;
-        test.grzb.de 127.0.0.1:8443;
       }
 
       server {

hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix

@@ -15,7 +15,7 @@
       proxyProtocol = true;
     }];
     locations."/" = {
-      proxyPass = "http://nextcloud.vs.grzb.de:80";
+      proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
     };
     locations."= /.well-known/carddav" = {
       return = "301 $scheme://$host/remote.php/dav";