add nextcloud

machines/crocus/configuration.nix

@@ -7,6 +7,7 @@
     # ./radicle.nix
     ../../system
     ../../modules/remote-builder.nix
+    ./nextcloud.nix
     ./topology.nix
     ../../modules/unbound.nix
     ../../modules/unbound-auth.nix

machines/crocus/nextcloud.nix

@@ -0,0 +1,86 @@
+{ config, ... }:
+let
+  domain = "home.rpqt.fr";
+  fqdn = "cloud.${domain}";
+in
+{
+  imports = [
+    ../../modules/acme-home.nix
+  ];
+
+  services.nextcloud = {
+    enable = true;
+    hostName = fqdn;
+    https = true;
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      # admin user is only for the initial setup
+      adminuser = "root";
+      adminpassFile = config.clan.core.vars.generators.nextcloud.files.admin-password.path;
+      objectstore.s3 = {
+        enable = true;
+        bucket = "garage";
+        key = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-id.value;
+        secretFile = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-secret.path;
+        hostname = "127.0.0.1";
+        port = 3900;
+        useSsl = false;
+        region = "garage";
+        usePathStyle = true;
+      };
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    forceSSL = true;
+    useACMEHost = domain;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8080";
+      proxyWebsockets = true;
+    };
+  };
+
+  clan.core.vars.generators.nextcloud = {
+    prompts.admin-password = {
+      description = "nextcloud admin password";
+      type = "hidden";
+      persist = true;
+    };
+    files.admin-password.owner = "nextcloud";
+  };
+
+  clan.core.vars.generators.nextcloud-s3-storage = {
+    prompts.access-key-id = {
+      description = "s3 access key id";
+      type = "line";
+      persist = true;
+    };
+    prompts.access-key-secret = {
+      description = "s3 access key secret";
+      type = "hidden";
+      persist = true;
+    };
+    files.access-key-id.owner = "nextcloud";
+    files.access-key-id.secret = false;
+    files.access-key-secret.owner = "nextcloud";
+  };
+}

machines/genepi/configuration.nix

@@ -4,7 +4,6 @@
 }:
 {
   imports = [
-    ./acme.nix
     ./actual.nix
     ./boot.nix
     ./builder.nix
@@ -21,6 +20,7 @@
     ./taskchampion.nix
     ./topology.nix
 
+    ../../modules/acme-home.nix
     ../../modules/lounge.nix
     ../../modules/unbound.nix
     ../../modules/unbound-auth.nix

machines/genepi/glance-config.nix

@@ -79,6 +79,11 @@
                   url = "https://assistant.home.rpqt.fr";
                   icon = "sh:home-assistant";
                 }
+                {
+                  title = "Nextcloud";
+                  url = "https://cloud.home.rpqt.fr";
+                  icon = "sh:nextcloud";
+                }
               ];
             }
             {

modules/acme-home.nix

@@ -1,7 +1,7 @@
 { config, ... }:
 {
   imports = [
-    ../../modules/gandi.nix
+    ./gandi.nix
   ];
 
   security.acme = {

modules/unbound.nix

@@ -20,6 +20,11 @@ let
         "tw"
       ];
     };
+    crocus = {
+      subdomains = [
+        "cloud"
+      ];
+    };
   };
   zerotierInterface = "zts7mq7onf";
   machinesZerotierIpRecords =

vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus

@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus

vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/machines/crocus

@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus

vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt

@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt

vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/users/rpqt

@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt