From 731c784b70ccc72b5cedfa3a8fb0552faca41bb7 Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Fri, 12 Sep 2025 00:51:16 +0200
Subject: [PATCH] add nextcloud
---
 machines/crocus/configuration.nix | 1 +
 machines/crocus/nextcloud.nix | 86 +++++++++++++++++++
 machines/genepi/configuration.nix | 2 +-
 machines/genepi/glance-config.nix | 5 ++
 .../genepi/acme.nix => modules/acme-home.nix | 2 +-
 modules/unbound.nix | 5 ++
 .../access-key-id/machines/crocus | 0
 .../access-key-id/users/rpqt | 0
 8 files changed, 99 insertions(+), 2 deletions(-)
 create mode 100644 machines/crocus/nextcloud.nix
 rename machines/genepi/acme.nix => modules/acme-home.nix (95%)
 mode change 120000 => 100644 vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus
 mode change 120000 => 100644 vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt
diff --git a/machines/crocus/configuration.nix b/machines/crocus/configuration.nix
index 4e3df56..153d99e 100644
--- a/machines/crocus/configuration.nix
+++ b/machines/crocus/configuration.nix
@@ -7,6 +7,7 @@
 # ./radicle.nix
 ../../system
 ../../modules/remote-builder.nix
+ ./nextcloud.nix
 ./topology.nix
 ../../modules/unbound.nix
 ../../modules/unbound-auth.nix
diff --git a/machines/crocus/nextcloud.nix b/machines/crocus/nextcloud.nix
new file mode 100644
index 0000000..4a2e5d0
--- /dev/null
+++ b/machines/crocus/nextcloud.nix
@@ -0,0 +1,86 @@
+{ config, ... }:
+let
+ domain = "home.rpqt.fr";
+ fqdn = "cloud.${domain}";
+in
+{
+ imports = [
+ ../../modules/acme-home.nix
+ ];
+
+ services.nextcloud = {
+ enable = true;
+ hostName = fqdn;
+ https = true;
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql";
+ dbname = "nextcloud";
+ # admin user is only for the initial setup
+ adminuser = "root";
+ adminpassFile = config.clan.core.vars.generators.nextcloud.files.admin-password.path;
+ objectstore.s3 = {
+ enable = true;
+ bucket = "garage";
+ key = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-id.value;
+ secretFile = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-secret.path;
+ hostname = "127.0.0.1";
+ port = 3900;
+ useSsl = false;
+ region = "garage";
+ usePathStyle = true;
+ };
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+ forceSSL = true;
+ useACMEHost = domain;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true;
+ };
+ };
+
+ clan.core.vars.generators.nextcloud = {
+ prompts.admin-password = {
+ description = "nextcloud admin password";
+ type = "hidden";
+ persist = true;
+ };
+ files.admin-password.owner = "nextcloud";
+ };
+
+ clan.core.vars.generators.nextcloud-s3-storage = {
+ prompts.access-key-id = {
+ description = "s3 access key id";
+ type = "line";
+ persist = true;
+ };
+ prompts.access-key-secret = {
+ description = "s3 access key secret";
+ type = "hidden";
+ persist = true;
+ };
+ files.access-key-id.owner = "nextcloud";
+ files.access-key-id.secret = false;
+ files.access-key-secret.owner = "nextcloud";
+ };
+}
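Review bot: The `locations."/"` block in the nginx virtual host proxies `cloud.home.rpqt.fr` to `http://127.0.0.1:8080`, but nothing in this file makes Nextcloud listen on that port. As far as I know the nixpkgs `services.nextcloud` module already defines the nginx virtual host for `hostName` and serves it through PHP-FPM, so this definition merges into that host and either conflicts with the module's own `/` location or publishes whatever else binds port 8080 on crocus under the TLS hostname. Unless a separate listener on 8080 is configured elsewhere, I would reduce the block to `forceSSL = true;` and `useACMEHost = domain;` and drop the `locations."/"` entry.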
diff --git a/machines/genepi/configuration.nix b/machines/genepi/configuration.nix
index 4a7471b..23fdcf6 100644
--- a/machines/genepi/configuration.nix
+++ b/machines/genepi/configuration.nix
@@ -4,7 +4,6 @@
 }:
 {
 imports = [
- ./acme.nix
 ./actual.nix
 ./boot.nix
 ./builder.nix
@@ -21,6 +20,7 @@
 ./taskchampion.nix
 ./topology.nix
+ ../../modules/acme-home.nix
 ../../modules/lounge.nix
 ../../modules/unbound.nix
 ../../modules/unbound-auth.nix
diff --git a/machines/genepi/glance-config.nix b/machines/genepi/glance-config.nix
index 4a03a1f..20fc1fe 100644
--- a/machines/genepi/glance-config.nix
+++ b/machines/genepi/glance-config.nix
@@ -79,6 +79,11 @@
 url = "https://assistant.home.rpqt.fr";
 icon = "sh:home-assistant";
 }
+ {
+ title = "Nextcloud";
+ url = "https://cloud.home.rpqt.fr";
+ icon = "sh:nextcloud";
+ }
 ];
 }
 {
diff --git a/machines/genepi/acme.nix b/modules/acme-home.nix
similarity index 95%
rename from machines/genepi/acme.nix
rename to modules/acme-home.nix
index e0e1a3d..b348b47 100644
--- a/machines/genepi/acme.nix
+++ b/modules/acme-home.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
 imports = [
- ../../modules/gandi.nix
+ ./gandi.nix
 ];
 security.acme = {
diff --git a/modules/unbound.nix b/modules/unbound.nix
index cf4796b..0fea601 100644
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -20,6 +20,11 @@ let
 "tw"
 ];
 };
+ crocus = {
+ subdomains = [
+ "cloud"
+ ];
+ };
 };
 zerotierInterface = "zts7mq7onf";
 machinesZerotierIpRecords =
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus
new file mode 100644
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt
new file mode 100644
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
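Review bot: Both `access-key-id/machines/crocus` and `access-key-id/users/rpqt` change from symlinks (mode 120000) to regular files (mode 100644) with the same blob, so each is now a plain file holding the old link target as text. That looks unintentional, for example a commit made from a checkout with symlinks disabled. If the vars tooling expects these entries to resolve to the `sops/machines/crocus` and `sops/users/rpqt` directories, a plain file will not resolve, and recipient handling for this var may fail or differ from what is intended. Since `nextcloud.nix` in this commit sets `files.access-key-id.secret = false`, it is also worth checking whether these recipient entries are stale and should be removed by regenerating the var rather than kept.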