From 470d865cdeab147379d6be4aebf6f0a914f1495c Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Mon, 20 Nov 2023 15:36:39 +0100
Subject: [PATCH] A sops test in practice, not tested yet
---
 nixos/queen/configuration.nix | 1 +
 nixos/queen/nextcloud.nix | 6 ++++--
 secrets/queen-Lillian.yaml | 22 ++++++++++++++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 secrets/queen-Lillian.yaml
diff --git a/nixos/queen/configuration.nix b/nixos/queen/configuration.nix
index efeb3cd..50c54f6 100644
--- a/nixos/queen/configuration.nix
+++ b/nixos/queen/configuration.nix
@@ -122,6 +122,7 @@
 extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"];
 shell = pkgs.zsh;
 };
+ nextcloud.extraGroups = [config.sops.secrets.queen-Lillian."nextcloudadmin" config.sops.secrets.queen-Lillian."nextclouddb"];
 };
 
 # Enable completion of system packages by zsh
diff --git a/nixos/queen/nextcloud.nix b/nixos/queen/nextcloud.nix
index 3fce172..d1fcf28 100644
--- a/nixos/queen/nextcloud.nix
+++ b/nixos/queen/nextcloud.nix
@@ -42,6 +42,8 @@
 # Set what time makes sense for you
 autoUpdateApps.startAt = "05:00:00";
 
+ configureRedis = true;
+
 config = {
 # Further forces Nextcloud to use HTTPS
 overwriteProtocol = "https";
@@ -51,10 +53,10 @@
 dbuser = "nextcloud";
 dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
 dbname = "nextcloud";
- dbpassFile = "/var/nextcloud-db-pass";
+ dbpassFile = config.sops.secrets.queen-Lillian."nextclouddb".path;
 
 #TODO: work with sops to set this instead of a file & make sure the db setup is the same as on the previous server for easy migration
- adminpassFile = "/var/nextcloud-admin-pass";
+ adminpassFile = config.sops.secrets.queen-Lillian."nextcloudadmin".path;
 adminuser = "admin";
 };
 };
diff --git a/secrets/queen-Lillian.yaml b/secrets/queen-Lillian.yaml
new file mode 100644
index 0000000..37aa2c1
--- /dev/null
+++ b/secrets/queen-Lillian.yaml
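Review bot: The added `nextcloud.extraGroups` line assigns two secret attribute sets where `users.users.<name>.extraGroups` expects a list of group-name strings, so evaluation will fail on a type error, and group membership would not make the decrypted secrets readable anyway. sops-nix decides who may read a secret through the secret's own `owner`, `group` and `mode` options (root-owned 0400 by default), so the intent is better expressed as `sops.secrets.nextclouddb.owner = "nextcloud";` and the same for `nextcloudadmin`, which grants exactly the nextcloud service user access without widening a group. The `config.sops.secrets.queen-Lillian.*` path also presumes a declaration that nests secrets under the sops file's name; nothing in this patch declares it, and sops-nix's own schema keys secrets by name with `sopsFile` pointing at the yaml, so confirm such a declaration exists. The enclosing `users.users` block starts outside the hunk.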
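Review bot: The `#TODO: work with sops to set this instead of a file ...` comment kept between the two replaced lines in the second hunk is now stale, since this very hunk switches both `dbpassFile` and `adminpassFile` to sops-managed paths; keep only the migration half, e.g. `# TODO: make sure the db setup matches the previous server for easy migration`. That remaining reminder still matters: the secret values must equal the passwords the existing database and admin account were created with, and the plaintext `/var/nextcloud-db-pass` and `/var/nextcloud-admin-pass` files dropped here should be removed from the host once the sops path works, otherwise the old credentials stay on disk outside sops. As in configuration.nix, the `config.sops.secrets.queen-Lillian.*` references need a matching sops-nix declaration that is not visible in this patch. The `services.nextcloud` block containing both hunks starts and ends outside them.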
@@ -0,0 +1,22 @@
+nextcloudadmin: ENC[AES256_GCM,data:LqgutUXs1msmFUNa+4JI1BEq0R8=,iv:sLP52reqsJfUNQnA9MbtbcZjGeluHDaO3dlHpWCLU4M=,tag:ChG/hZIMcmc0wt2AWOBNCA==,type:str]
+nextclouddb: ENC[AES256_GCM,data:Jl2Lz2n64tQYVmj0t/ZIfae3KNk=,iv:e/ne3VfIMhCX1ohgGyhFK2tHGwuXJGFhxtNIR0ZHe3I=,tag:Vr1Nn2279t91LvD1XVbJKg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMmlWMEsrVHhYT2ZuN05a
+ alAzNWlPMDVJeVdGMTQzQXNlTmw0V3E3UHljCmQ3WnNuY0liOGtqdmNiRmQyV1RN
+ d0ZKQVUyeWFjOXpXWVVSSFlPVXhjUmcKLS0tIFA0RkltN01XVXZnR3p4SWxkVnAr
+ KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
+ NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-20T14:35:52Z"
+ mac: ENC[AES256_GCM,data:IZg0gpsnLu4/dSjeiV3nf2ZW+ifq3FvshLeYE/fNOpNWTdCRm8OhCJNxY0kTuTBae7vCQXcjUQHCuAd+1eZPQD4juBOUd7CVOE5Chn4/o01HyEncjBjwha7uxLazqe15Q3gIFxC+8vqnAbV1BVTh1gIpkSaM61nE8Thr5sE8kvg=,iv:Dg8tUPT2V+IQK7/7DhrZHcnWoxC1APwQcM9owTzU+PU=,tag:qbypt7U5r0O3RRuNdOswIQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
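Review bot: The `age:` block lists a single recipient, so `nextcloudadmin` and `nextclouddb` can only ever be decrypted by that one key: if it is queen's host key the file cannot be edited or re-keyed from a workstation, and if it is a personal key the host cannot decrypt it at activation. The usual sops-nix arrangement names both the host's age key and an administrator's key as recipients through a `.sops.yaml` creation rule, so the file stays editable with `sops` and still decrypts on the machine; no such rule is visible in this patch. Since the commit message says this is untested, it is worth confirming on the host that the file decrypts with the key sops-nix is configured to use before the nextcloud paths in nextcloud.nix depend on it.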