From 11fefc6296bad723971d55801afe08327c5ce0a3 Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Sun, 19 Nov 2023 23:20:16 +0100
Subject: [PATCH] Initial setup for vps, no tests done

---
 nixos/queen/configuration.nix | 8 ++++
 nixos/queen/nextcloud.nix | 83 +++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 nixos/queen/nextcloud.nix

diff --git a/nixos/queen/configuration.nix b/nixos/queen/configuration.nix
index c4675df..5a3b344 100644
--- a/nixos/queen/configuration.nix
+++ b/nixos/queen/configuration.nix
@@ -45,6 +45,8 @@
 # Enable networking
 networking.networkmanager.enable = true;
 
+ networking.firewall.allowedTCPPorts = [80 443];
+
 # Set your time zone.
 time.timeZone = "Europe/Amsterdam";
 
@@ -67,6 +69,12 @@
 enable = true;
 };
 
+ security.acme = {
+ acceptTerms = true;
+ # Replace the email here!
+ email = "letsencrypt@gladtherescake.eu";
+ };
+
 users.users = {
 lillian = {
 isNormalUser = true;
diff --git a/nixos/queen/nextcloud.nix b/nixos/queen/nextcloud.nix
new file mode 100644
index 0000000..e65cd84
--- /dev/null
+++ b/nixos/queen/nextcloud.nix
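Review bot: `networking.firewall.allowedTCPPorts = [80 443];` opens both ports host-wide with nothing saying why, and the reason lives in another file: the nginx vhost in nextcloud.nix sets `forceSSL` and `enableACME`, so port 80 is needed for the HTTPS redirect and, as I understand the nginx/ACME integration, for the HTTP-01 challenge. I would annotate the line so the next reader does not "tidy" 80 away: `# nginx: 80 for the ACME HTTP-01 challenge and the HTTPS redirect, 443 for Nextcloud`.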
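Review bot: The comment `# Replace the email here!` sits above an address that has already been set to the site's own domain, so it reads as a leftover from the blog template and will mislead the next reader; either drop it or reword it to say what the address is for, e.g. `# Let's Encrypt account contact; receives certificate expiry and incident notices`. Separately, on NixOS releases since 22.05 the option is `security.acme.defaults.email`; as far as I recall `security.acme.email` survives only as a renamed alias that warns at evaluation, so switching to the current name avoids the warning.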
@@ -0,0 +1,83 @@
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ #this came from https://jacobneplokh.com/how-to-setup-nextcloud-on-nixos/
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ # Setup Nextcloud virtual host to listen on ports
+ virtualHosts = {
+ "nextcloud.gladtherescake.eu" = {
+ ## Force HTTP redirect to HTTPS
+ forceSSL = true;
+ ## LetsEncrypt
+ enableACME = true;
+ };
+ };
+ };
+
+ services.nextcloud = {
+ enable = true;
+ hostName = "nextcloud.gladtherescake.eu";
+ # Enable built-in virtual host management
+ # Takes care of somewhat complicated setup
+ # See here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/nextcloud.nix#L529
+ nginx.enable = true;
+
+ # Use HTTPS for links
+ https = true;
+
+ # Auto-update Nextcloud Apps
+ autoUpdateApps.enable = true;
+ # Set what time makes sense for you
+ autoUpdateApps.startAt = "05:00:00";
+
+ config = {
+ # Further forces Nextcloud to use HTTPS
+ overwriteProtocol = "https";
+
+ # Nextcloud PostegreSQL database configuration, recommended over using SQLite
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = "/var/nextcloud-db-pass";
+
+ #TODO: work with sops to set this instead of a file & make sure the db setup is the same as on the previous server for easy migration
+ adminpassFile = "/var/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+
+ # Ensure the database, user, and permissions always exist
+ ensureDatabases = ["nextcloud"];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+}
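Review bot: The two secrets `dbpassFile = "/var/nextcloud-db-pass"` and `adminpassFile = "/var/nextcloud-admin-pass"` are plain files that nothing in this configuration provisions; per the module's option docs they must be readable by the `nextcloud` user, so they have to exist before the first switch (or `nextcloud-setup` fails) and should be owned by that user with mode 0400 so no other local account can read the admin password. The existing TODO only covers the sops migration, so I would extend it: `# TODO: until sops is wired in, create both files out of band, owner nextcloud, mode 0400; the setup service fails if they are missing`. Separately, `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` overrides the cipher list that `recommendedTlsSettings = true` already installs and, for TLS 1.2 connections, removes ChaCha20-Poly1305, which mostly penalises mobile clients without AES hardware; unless there is a compliance reason for AES256-only I would drop that line and keep the module default. `services.nextcloud.package` is not pinned, so the module derives the Nextcloud major version from `system.stateVersion` (and, as far as I recall, warns about it); pinning it makes major upgrades an explicit, reviewed change.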