From bfe73a2b813f2bf455ba46b282fe8614120c5d60 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sat, 13 Jan 2024 14:12:17 +0300
Subject: [PATCH] Add Nextcloud
---
hosts/cube/acme.nix | 2 +-
hosts/cube/grafana.nix | 10 +------
hosts/cube/nextcloud.nix | 58 +++++++++++++++++++++++++++++++++++++++
hosts/cube/nginx.nix | 13 +++++----
hosts/cube/postgresql.nix | 13 ++++++++-
5 files changed, 80 insertions(+), 16 deletions(-)
create mode 100644 hosts/cube/nextcloud.nix
diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix
index 2eb5208..f80683f 100644
--- a/hosts/cube/acme.nix
+++ b/hosts/cube/acme.nix
@@ -10,7 +10,7 @@ in serverSystemConfiguration {
 environmentFile = config.age.secrets.acme.path;
 dnsProvider = "cloudflare";
 dnsResolver = "1.1.1.1";
- email = "security@rgbcu.be";
+ email = "security@${domain}";
 };
 certs.${domain} = {
diff --git a/hosts/cube/grafana.nix b/hosts/cube/grafana.nix
index 9e624e9..725d357 100644
--- a/hosts/cube/grafana.nix
+++ b/hosts/cube/grafana.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ulib, ... }: with ulib;
+{ config, ulib, ... }: with ulib;
 let
 inherit (config.networking) domain;
@@ -10,14 +10,6 @@ in serverSystemConfiguration {
 group = "grafana";
 };
- services.postgresql = {
- ensureDatabases = [ "grafana" ];
- initialScript = pkgs.writeText "postgresql-initial-script" ''
- CREATE ROLE grafana WITH LOGIN PASSWORD NULL CREATEDB;
- GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
- '';
- };
-
 services.grafana = enabled {
 domain = fqdn;
 port = 8999;
diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix
new file mode 100644
index 0000000..6a516c0
--- /dev/null
+++ b/hosts/cube/nextcloud.nix
@@ -0,0 +1,58 @@
+ { config, ulib, pkgs, ... }: with ulib;
+
+let
+ inherit (config.networking) domain;
+
+ fqdn = "cloud.${domain}";
+in serverSystemConfiguration {
+ age.secrets."cube.nextcloud.password" = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+ services.nextcloud = enabled {
+ package = pkgs.nextcloud28;
+
+ hostName = fqdn;
+ https = true;
+
+ configureRedis = true;
+
+ config.adminuser = "admin";
+ config.adminpassFile = config.age.secrets."cube.nextcloud.password".path;
+
+ config.dbtype = "pgsql";
+ database.createLocally = true;
+
+ extraAppsEnable = true;
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps)
+ bookmarks calendar contacts deck
+ forms groupfolders impersonate
+ mail maps notes phonetrack
+ polls previewgenerator tasks;
+ # Add: files_markdown files_texteditor memories news
+ };
+
+ extraOptions.enabledPreviewProviders = [
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ "OC\\Preview\\HEIC"
+ ];
+
+ nginx.recommendedHttpHeaders = true;
+ };
+
+ services.nginx.virtualHosts.${fqdn} = {
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+}
diff --git a/hosts/cube/nginx.nix b/hosts/cube/nginx.nix
index 5f6fca6..e635eca 100644
--- a/hosts/cube/nginx.nix
+++ b/hosts/cube/nginx.nix
@@ -28,10 +28,13 @@ serverSystemConfiguration {
 services.nginx = enabled {
 statusPage = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedZstdSettings = true;
+
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
 commonHttpConfig = let
 fileToList = file: lib.splitString "\n" (builtins.readFile file);
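Review bot: `package = pkgs.nextcloud28;` pins the major release with no note on how the pin is meant to move forward, and Nextcloud only supports upgrading one major release at a time, so a pin that later jumps two majors will fail the upgrade at activation. A comment above that line, e.g. `# Pinned major: bump one release at a time, Nextcloud does not support skipping majors.`, would make the maintenance rule visible in the file. Separately, `config.adminuser = "admin";` picks the most common default name for the one account that can install apps and impersonate users; since the password already comes from the agenix secret, a less generic name costs nothing, or a comment stating the choice is deliberate would do.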
@@ -58,7 +61,7 @@ serverSystemConfiguration {
 }
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header "Referrer-Policy" "no-referrer";
diff --git a/hosts/cube/postgresql.nix b/hosts/cube/postgresql.nix
index b2d8f3b..6365cba 100644
--- a/hosts/cube/postgresql.nix
+++ b/hosts/cube/postgresql.nix
@@ -1,4 +1,4 @@
-{ config, lib, ulib, ... }: with ulib;
+{ config, lib, ulib, pkgs, ... }: with ulib;
 serverSystemConfiguration {
 services.prometheus.exporters.postgres = enabled {
@@ -29,5 +29,16 @@ serverSystemConfiguration {
 superuser_map postgres postgres
 superuser_map /^(.*)$ \1
 '';
+
+ ensureDatabases = [ "grafana" "nextcloud" ];
+
+ initialScript = pkgs.writeText "postgresql-initial-script" ''
+ CREATE ROLE grafana WITH LOGIN PASSWORD NULL CREATEDB;
+ GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
+
+ CREATE ROLE nextcloud WITH LOGIN PASSWORD NULL CREATEDB;
+ GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+ '';
 };
+
 }
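Review bot: Commenting out the `add_header Content-Security-Policy` line removes the policy for every virtual host this nginx serves, not only the new Nextcloud one, and neither the hunk nor the commit message says why. If the reason is that Nextcloud emits its own CSP and the http-level header duplicates or conflicts with it, the narrower fix is to keep this line and let the Nextcloud vhost override it (an `add_header` set at server or location level replaces all headers inherited from the parent level), or to move the header into the vhosts that still want it. At minimum the bare comment-out should carry the rationale, e.g. `# CSP not set at http level: <reason>; per-vhost policies still apply.`, so the next reader does not re-enable it blindly. The enclosing `commonHttpConfig` string starts and ends outside this hunk.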
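Review bot: `initialScript` only runs when the PostgreSQL data directory is first initialised, so on this host, whose cluster already exists with the grafana role from the previous grafana.nix, the added `CREATE ROLE nextcloud` will never execute; the role will only exist if nextcloud.nix's `database.createLocally = true` provisions it declaratively (presumably via the module's own ensureUsers wiring, confirm against the module), in which case the nextcloud half of this script is dead. The declarative `services.postgresql.ensureUsers` option reconciles on every activation and is the proper counterpart to the `ensureDatabases` list added above for both roles. Independently, both roles are granted `CREATEDB`, which neither service needs since their databases come from `ensureDatabases`; dropping the keyword keeps the roles to the privileges they use, e.g. `CREATE ROLE nextcloud WITH LOGIN PASSWORD NULL;`.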