From e5f2161604480288aefcd2b205887a2e90a39d88 Mon Sep 17 00:00:00 2001
From: Hadi <112569860+anotherhadi@users.noreply.github.com>
Date: Wed, 19 Mar 2025 15:46:23 +0100
Subject: [PATCH] updates
Former-commit-id: d2d113fab5c0683881d235009ad2b8c4fe8dad14
---
hosts/server/configuration.nix | 3 +-
hosts/server/secrets/default.nix | 3 +-
server-modules/bitwarden.nix | 44 ++++++++++++----------------
server-modules/nextcloud.nix | 50 ++++++++++++++++++++++++++++++++
server-modules/nginx.nix | 11 +++++++
5 files changed, 83 insertions(+), 28 deletions(-)
create mode 100644 server-modules/nextcloud.nix
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index ceb091f..33aa9be 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -9,9 +9,10 @@
 ../../nixos/tailscale.nix
 ../../server-modules/ssh.nix
- # ../../server-modules/bitwarden.nix
+ ../../server-modules/bitwarden.nix
 ../../server-modules/firewall.nix
 ../../server-modules/nginx.nix
+ ../../server-modules/nextcloud.nix
 # You should let those lines as is
 ./hardware-configuration.nix
diff --git a/hosts/server/secrets/default.nix b/hosts/server/secrets/default.nix
index f8fe5df..e235a3a 100644
--- a/hosts/server/secrets/default.nix
+++ b/hosts/server/secrets/default.nix
@@ -13,7 +13,8 @@
 path = "/home/hadi/.ssh/github";
 mode = "0600";
 };
- # cloudflare-dns-token = { path = "/etc/cloudflare/dnskey.txt"; };
+ cloudflare-dns-token = { path = "/etc/cloudflare/dnskey.txt"; };
+ nextcloud-pwd = { path = "/etc/nextcloud/pwd.txt"; };
 };
 };
 }
diff --git a/server-modules/bitwarden.nix b/server-modules/bitwarden.nix
index 6bd9def..76e3a18 100644
--- a/server-modules/bitwarden.nix
+++ b/server-modules/bitwarden.nix
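Review bot: `nextcloud-pwd` is declared with only a `path`, so unless sops-nix defaults are overridden elsewhere the file is installed root-owned with mode 0400, while the NixOS `nextcloud-setup` service that consumes `adminpassFile` runs as the `nextcloud` user and aborts when it cannot read the file. Add the owner to the declaration, e.g. `nextcloud-pwd = { path = "/etc/nextcloud/pwd.txt"; owner = "nextcloud"; };`. Note also that the NixOS module reads `adminpassFile` only during the initial setup run, so rotating this secret later does not change the admin password; a comment next to the declaration saying `# consumed once by nextcloud-setup; rotating it does not reset the admin password` would save the next reader a surprise. The consumer of this secret is server-modules/nextcloud.nix in this same patch.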
@@ -1,34 +1,26 @@
 { config, ... }:
 let domain = "vault.hadi.diy";
 in {
- services.vaultwarden = {
- enable = true;
- config = {
- DOMAIN = "https://" + domain;
- SIGNUPS_ALLOWED = true;
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8222;
- ROCKET_LOG = "critical";
+ services = {
+ vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = "https://" + domain;
+ SIGNUPS_ALLOWED = true;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+ };
 };
- };
- services.nginx.virtualHosts."${domain}" = {
- useACMEHost = "hadi.diy";
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${
- toString config.services.vaultwarden.config.ROCKET_PORT
- }";
+ nginx.virtualHosts."${domain}" = {
+ useACMEHost = "hadi.diy";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${
+ toString config.services.vaultwarden.config.ROCKET_PORT
+ }";
+ };
 };
 };
-
- security.acme.certs."hadi.diy" = {
- domain = "hadi.diy";
- extraDomainNames = [ "*.hadi.diy" ];
- group = "nginx";
-
- dnsProvider = "cloudflare";
- dnsPropagationCheck = true;
- credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
- };
 }
diff --git a/server-modules/nextcloud.nix b/server-modules/nextcloud.nix
new file mode 100644
index 0000000..4aa6a87
--- /dev/null
+++ b/server-modules/nextcloud.nix
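Review bot: `SIGNUPS_ALLOWED = true` goes live with this commit, since hosts/server/configuration.nix now imports this module and `vault.hadi.diy` is served by a TLS-terminating public nginx vhost, so anyone who can reach the host can register an account on the instance. The usual hardening is to create your own account first and then set `SIGNUPS_ALLOWED = false;`, or restrict registration to your own mail domain with `SIGNUPS_DOMAINS_WHITELIST`. Separately, the `locations."/"` block only sets `proxyPass`; vaultwarden's login rate limiting keys on the client address it reads from `IP_HEADER` (default `X-Real-IP`), so unless `services.nginx.recommendedProxySettings` is enabled in the part of nginx.nix not shown in this patch, every login attempt appears to come from 127.0.0.1 and the limiter is ineffective. A short comment on the `config` block recording which of these are intentional would help, since the module was previously disabled.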
@@ -0,0 +1,50 @@
+{ pkgs, config, ... }:
+let domain = "cloud.hadi.diy";
+in {
+ services = {
+ nginx.virtualHosts = {
+ "${domain}" = {
+ # DNS-01 challenge
+ useACMEHost = "hadi.diy";
+ forceSSL = true;
+ };
+ };
+ nextcloud = {
+ enable = true;
+ hostName = domain;
+ package = pkgs.nextcloud31;
+ database.createLocally = true;
+ configureRedis = true;
+ maxUploadSize = "16G";
+ https = true;
+ autoUpdateApps.enable = true;
+ settings = {
+ trusted_domains = [ domain ];
+ default_phone_region = "FR";
+ overwriteprotocol = "https";
+ };
+ extraAppsEnable = true;
+ extraApps = with config.services.nextcloud.package.packages.apps; {
+ # List of apps we want to install and are already packaged in
+ # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+ # inherit calendar contacts notes onlyoffice tasks cookbook qownnotesapi;
+ inherit cookbook;
+ # Custom app example.
+ # socialsharing_telegram = pkgs.fetchNextcloudApp rec {
+ # url =
+ "https://github.com/nextcloud-releases/socialsharing/releases/download/v3.0.1/socialsharing_telegram-v3.0.1.tar.gz";
+ # license = "agpl3";
+ # sha256 = "sha256-8XyOslMmzxmX2QsVzYzIJKNw6rVWJ7uDhU1jaKJ0Q8k=";
+ # };
+ };
+ config = {
+ dbtype = "pgsql";
+ adminuser = "hadi";
+ adminpassFile = config.sops.secrets.nextcloud-pwd.path;
+ };
+ # Suggested by Nextcloud's health check.
+ phpOptions."opcache.interned_strings_buffer" = "16";
+ };
+
+ };
+}
diff --git a/server-modules/nginx.nix b/server-modules/nginx.nix
index d6c79e0..4472c77 100644
--- a/server-modules/nginx.nix
+++ b/server-modules/nginx.nix
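Review bot: Inside `extraApps`, the line `"https://github.com/nextcloud-releases/socialsharing/releases/download/v3.0.1/socialsharing_telegram-v3.0.1.tar.gz";` appears in the hunk without the leading `#` that the rest of the commented-out example has; if that is how the file reads rather than an artifact of how the patch was rendered, it is a bare string statement inside an attrset and the module will not evaluate, so it should be commented like its neighbours. On the supply-chain side, `extraApps` pins `cookbook` through nixpkgs, but `autoUpdateApps.enable = true` lets the running instance fetch newer app releases from the Nextcloud app store on its own, so the installed app set drifts from what this file declares and is no longer covered by the Nix hashes. If that trade-off is intended, a comment such as `# app updates are pulled from the app store at runtime, outside nixpkgs pinning` would make it explicit; otherwise drop the line and update apps through nixpkgs.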
@@ -6,5 +6,16 @@
 defaults.email = config.var.git.email;
 };
+ security.acme.certs."hadi.diy" = {
+ domain = "hadi.diy";
+ extraDomainNames = [ "*.hadi.diy" ];
+ group = "nginx";
+
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 ];
 }
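Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens two UDP ports that nothing in this configuration listens on: nginx only uses UDP/443 when a vhost enables HTTP/3 (`quic`/`http3`), which no vhost in this patch does, and UDP/80 has no use here at all. Keeping the firewall to what is actually served is the least-privilege choice, so drop the line, or keep only `443` once an HTTP/3 listener exists. For the ACME block, `credentialsFile` must be in EnvironmentFile syntax for lego's cloudflare provider (e.g. `CLOUDFLARE_DNS_API_TOKEN=<token>`) rather than the bare token, and since it mints a wildcard `*.hadi.diy` certificate, the token should be scoped to DNS edit on that single zone so that a leaked secret cannot touch other zones. A comment on `credentialsFile` stating the expected file format would prevent the first renewal from failing silently.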