{ config, pkgs, ... }: {
imports = [
./oxaproxy.nix
./secrets.nix
];
# nextcloud goes here
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 8080 ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}];
};
services.redis.servers.nextcloud.enable = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."nc.oxapentane.com" = {
extraConfig = ''
# HTTP response headers borrowed from Nextcloud .htaccess
add_header Referrer-Policy "no-referrer" always;
#add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
'';
listen = [{
# We are listening on wireguard interface only
addr = "10.34.45.100";
port = 8080;
ssl = false;
}];
};
};
services.nextcloud = {
enable = true;
hostName = "nc.oxapentane.com";
home = "/var/lib/nextcloud-oxa";
package = pkgs.nextcloud24;
maxUploadSize = "5000M";
caching.redis = true;
autoUpdateApps = {
enable = true;
startAt = "07:00:00";
};
config = {
overwriteProtocol = "https";
trustedProxies = [ "10.34.45.1" ];
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "admin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
microvm = {
hypervisor = "qemu";
mem = 4 * 1024;
vcpu = 3;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-nextcloud";
mac = "EA:40:E8:60:C5:36";
}];
};
networking = {
hostName = "nextcloud";
};
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
};
networking.firewall.allowedTCPPorts = [ 22 ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP6xE2ey0C8XXfvniiiHiqXsCC277jKI9RXEA+s2LQLUI5zl7v350i3Oa8H3NCcPj39lfMreqE6ncxcOhqYyzahPrrMkOqgbPAoRvq8H3ophLK+56O3xdHoKwLBwRD1yoGACjqG4UTiTrmnN2ateENgYcnTEY1e4vDw1qMj1drUXCsZ/6mkBBmHJiFfCaR4yCMt1r4gGi/dAC7ifnBP3oSyV/lJEwPxYYkGlbOBIvX/7Ar98pJS6xYPB3jHs9gwyNNON63d0fNYrwBojXPPCnGGaRZNOkBTzex3zZYp12ThINQ2xl8tRp9D8qpZ7vrLjhTD6AXkOBRzmDj+NsCeEaeTuWajqUM93iKncYUI+JxR1t7q8gA2pBMFzLesMXnx7R+5Kw7QDtSJM7a4GMIfsocPwf64BH6rzxEz68rXFE3P+J77PPM9CuaYw90JXHo3z220zYw2nMQ/1qjATVZw/hiVrLmQMVfmFJIufnGjTBs2sy3IoNyzvYm/oDeNNg1cdSV9gyyRKZhK08fxjXN5GSf9vZkfZa9tHtqaZ99HI40GQBHUVx1K2/NQJY8TVTSA+v16SFnJK8BIbmp/WFCuvDcMkgLIbqiYtDASe7P2mKIib86uOENT+P820egeLiTQ06kFw/gfUa8t69d5qEcjiQZ+lxCeYIs/E9KrEXHvRUWew== cardno:16 811 348"
];
system.stateVersion = "22.05";
}