add nextcloud my-service with sqlite

modules/services/default.nix

@@ -1,10 +1,18 @@
 { ... }:
 {
   imports = [
+    ./gitea
+    ./hedgedoc
+    ./homepage
     ./homer
     ./jellyfin
+    ./minecraft-server
     ./mumble-server
+    ./navidrome
+    ./nextcloud
     ./nginx
+    ./passworts
+    ./paperless
     ./rss-bridge
     ./ssh-server
   ];

modules/services/minecraft-server/default.nix

@@ -0,0 +1,21 @@
+# sandbox video game
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.services.minecraft-server;
+in
+{
+  options.my.services.minecraft-server = with lib; {
+    enable = mkEnableOption "Minecraft Server";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.minecraft-server = {
+      enable = true;
+      eula = true;
+      package = pkgs.unstable.minecraft-server;
+      openFirewall = true;
+
+      jvmOpts = "-Xms8G -Xmx8G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:MaxGCPauseMillis=100 -XX:+DisableExplicitGC -XX:TargetSurvivorRatio=90 -XX:G1NewSizePercent=50 -XX:G1MaxNewSizePercent=80 -XX:G1MixedGCLiveThresholdPercent=50 -XX:+AlwaysPreTouch";
+    };
+  };
+}

modules/services/nextcloud/default.nix

@@ -0,0 +1,130 @@
+# self-hosted cloud
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.services.nextcloud;
+  domain = config.networking.domain;
+in
+{
+  options.my.services.nextcloud = with lib; {
+    enable = mkEnableOption "Nextcloud";
+    maxSize = mkOption {
+      type = types.str;
+      default = "1G";
+      example = "512M";
+      description = "Maximum file upload size";
+    };
+    admin = mkOption {
+      type = types.str;
+      default = "felix";
+      example = "admin";
+      description = "Name of the admin user";
+    };
+    defaultPhoneRegion = mkOption {
+      type = types.str;
+      default = "DE";
+      example = "US";
+      description = "country codes for automatic phone-number ";
+    };
+    passwordFile = mkOption {
+      type = types.str;
+      example = "/var/lib/nextcloud/password.txt";
+      description = ''
+        Path to a file containing the admin's password, must be readable by
+        'nextcloud' user.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud25;
+      hostName = "cloud.${domain}";
+      maxUploadSize = cfg.maxSize;
+      autoUpdateApps.enable = true;
+      config = {
+        adminuser = cfg.admin;
+        adminpassFile = cfg.passwordFile;
+        defaultPhoneRegion = cfg.defaultPhoneRegion;
+
+        overwriteProtocol = "https"; # Nginx only allows SSL
+
+        #dbtype = "pgsql";
+        #dbhost = "/run/postgresql";
+      };
+
+      extraApps = {
+        calendar = pkgs.fetchNextcloudApp rec {
+          name = "calendar";
+          url = "https://github.com/nextcloud-releases/calendar/releases/download/v${version}/calendar-v${version}.tar.gz";
+          version = "4.1.0";
+          sha256 = "sha256-K5jqDgukylIREi5f4rS2OFP33u0ytmmI5ktW8ukWCjk=";
+        };
+        contacts = pkgs.fetchNextcloudApp rec {
+          name = "contacts";
+          url = "https://github.com/nextcloud-releases/contacts/releases/download/v${version}/contacts-v${version}.tar.gz";
+          version = "5.0.1";
+          sha256 = "sha256-vdSw7oF2D/2r5xl0wUyOfQXp0lbgWCedIuVn9HKkFws=";
+        };
+        tasks = pkgs.fetchNextcloudApp rec {
+          name = "tasks";
+          url = "https://github.com/nextcloud/tasks/releases/download/v${version}/tasks.tar.gz";
+          version = "0.14.5";
+          sha256 = "sha256-/foxaKyA6u8+LeUAnu4Co2msyNNd/YKD0fJUI73zxTI=";
+        };
+        deck = pkgs.fetchNextcloudApp rec {
+          name = "deck";
+          url = "https://github.com/nextcloud/deck/releases/download/v${version}/deck.tar.gz";
+          version = "1.8.2";
+          sha256 = "sha256-L8mFbKUi/LSXKTWjMTGeCzdiCvEgsk7p+xMRovxrCf0=";
+        };
+      };
+    };
+
+    #services.postgresql = {
+    #  enable = true;
+    #  ensureDatabases = [ "nextcloud" ];
+    #  ensureUsers = [
+    #    {
+    #      name = "nextcloud";
+    #      ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+    #    }
+    #  ];
+    #};
+
+    #systemd.services."nextcloud-setup" = {
+    #  requires = [ "postgresql.service" ];
+    #  after = [ "postgresql.service" ];
+    #};
+
+    # The service above configures the domain, no need for my wrapper
+    services.nginx.virtualHosts."cloud.${domain}" = {
+      forceSSL = true;
+      useACMEHost = domain;
+
+      # so homer can get the online status
+      extraConfig = lib.optionalString config.my.services.homer.enable ''
+        add_header Access-Control-Allow-Origin https://${domain};
+      '';
+    };
+
+    #my.services.backup = {
+    #  paths = [
+    #    config.services.nextcloud.home
+    #  ];
+    #  exclude = [
+    #    # image previews can take up a lot of space
+    #    "${config.services.nextcloud.home}/data/appdata_*/preview"
+    #  ];
+    #};
+
+    webapps.apps.nextcloud = {
+      dashboard = {
+        name = "Nextcloud";
+        category = "app";
+        icon = "cloud";
+        link = "https://cloud.${domain}/login";
+      };
+    };
+  };
+}

nixos/newton/configuration.nix

@@ -12,15 +12,10 @@
     ../modules/docker.nix
     ../modules/networkdecrypt.nix
     ../modules/nix.nix
-    ../modules/ssh.nix
     ../modules/users.nix
-    ../modules/webapps/gitea.nix
+    #../modules/webapps/radicale.nix
-    ../modules/webapps/hedgedoc.nix
-    ../modules/webapps/homer.nix
-    ../modules/webapps/navidrome.nix
-    ../modules/webapps/paperless.nix
-    ../modules/webapps/radicale.nix
   ];
+
   networking.hostName = "newton";
 
   sops = {

nixos/newton/secrets.yaml

@@ -11,6 +11,8 @@ paperless:
     password: ENC[AES256_GCM,data:GrH2MEFUGSoJEUnFUb5nTxHHnnSIohwEUVU+2Xpa,iv:U9tDsq5PsqFzzl1e1sYUL5XxUqGEmdiZoJtCh96+yEA=,tag:qVu2bulQ9wz+K0lmbMULzQ==,type:str]
 freshrss:
     password: ENC[AES256_GCM,data:dUOKeRxovwIHIchkwMFxsQYEKrU2muY=,iv:OA1zbIiV3NBWIoJLpxpLBEjR/I6m5vzVKvzMEZYYE7Q=,tag:r4PbEbEkSH3bsJMamDuuFw==,type:str]
+nextcloud:
+    password: ENC[AES256_GCM,data:uE507Ij34zJVYnd2YkNCGj8hpFpEM5w=,iv:x8BNCUaAas0poQ/Lo0izZApF6l52xal8DDrClIzWjvk=,tag:sA08dmcVQbKswX9hF/txag==,type:str]
 sso:
     auth-key: ENC[AES256_GCM,data:jFDeymziDiJMnoIGjYPMmnxTzKer1bFffGDaoHnbKlpMPslP/Bmtsc5kio2tbDBlxG0TCdf+ePirPPw2,iv:8wGHEp1gB/qgkSvqkqjb9zBnqkkl1+Ezm9tCFS8tL3w=,tag:tHIT9Iw29TUXJm2e7z3Z/A==,type:str]
     felix:
@@ -42,8 +44,8 @@ sops:
             NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
             s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-02T21:20:32Z"
+    lastmodified: "2022-11-13T15:50:14Z"
-    mac: ENC[AES256_GCM,data:TdxemiZ8xz3BuoBy8JB/J15Bikl6+LMR8QqVwWlo45kY1hFVKF7dJGOohGng1jX1GQ6Ec89iw1yRNtMtTpEcRzQgrcMtZQwtM7n/+YNcTVYifTGsRBt/VojB9QWRqy1xclLwWMzBL4q0PWAh1ljVtAhB2lL+QQ7aUiWeFrb969g=,iv:zjbdzkLn4YcenCcO+iP3H3RQ19Fq5eo1dai65QBahPY=,tag:ZNC27P3Jl4PlRZptxmgbAQ==,type:str]
+    mac: ENC[AES256_GCM,data:RmNsaye+hanRtzO1BNj6Q/LKS4ACRufzs7TGGcQHfVbi8QyrBqltGoox9ukgaN5PqBNR+uz3+Grpzkjj33xtdJuSRoHNk7aa/q2FHFHmJs+qIggf3HRzgfmBPkP0K9kJdFeOYvy0XoZWMdmaZ9H3fC8kqbEkQPMTrwnKEiDOx6M=,iv:ntjiRk8UUbsnPaKW1AxEoa8RRejA9LCKYNGD6s8dKwI=,tag:hKi3HZoMuOwtAcd7oyUZgw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

nixos/newton/services.nix

@@ -4,11 +4,85 @@ let
   secrets = config.sops.secrets;
 in
 {
+  sops.secrets."acme/inwx" = { };
+  sops.secrets."sso/auth-key" = { };
+  sops.secrets."sso/felix/password-hash" = { };
+  sops.secrets."sso/felix/totp-secret" = { };
+  sops.secrets."paperless/password" = { };
+  sops.secrets."nextcloud/password" = { };
+  sops.secrets."nextcloud/password".owner = config.users.users.nextcloud.name;
+
   # List services that you want to enable:
   my.services = {
+    # My own personal homepage
+    homepage = {
+      enable = true;
+    };
+    # Dashboard
+    homer = {
+      enable = true;
+    };
     # RSS provider for websites that do not provide any feeds
-    rss-bridge.enable = true;
+    rss-bridge = {
-    # Voice-chat server
+      enable = true;
-    mumble-server.enable = true;
+    };
+    # voice-chat server
+    mumble-server = {
+      enable = true;
+    };
+    # sandbox video game
+    minecraft-server = {
+      enable = true;
+    };
+    # music streaming server
+    navidrome = {
+      enable = true;
+      musicFolder = "/srv/data/music";
+    };
+    # self-hosted cloud
+    nextcloud = {
+      enable = true;
+      passwordFile = secrets."nextcloud/password".path;
+    };
+    # document management system
+    paperless = {
+      enable = true;
+      passwordFile = secrets."paperless/password".path;
+      extraConfig.PAPERLESS_ADMIN_USER = "felix";
+    };
+    # self-hosted git service
+    gitea = {
+      enable = true;
+    };
+    # collaborative markdown editor
+    hedgedoc = {
+      enable = true;
+    };
+    # a password-generator using the marokov model
+    passworts = {
+      enable = true;
+    };
+    ssh-server = {
+      enable = true;
+    };
+    # Webserver
+    nginx = {
+      enable = true;
+      acme = {
+        credentialsFile = secrets."acme/inwx".path;
+      };
+      sso = {
+        authKeyFile = secrets."sso/auth-key".path;
+        users = {
+          felix = {
+            passwordHashFile = secrets."sso/felix/password-hash".path;
+            totpSecretFile = secrets."sso/felix/totp-secret".path;
+          };
+        };
+        groups = {
+          root = [ "felix" ];
+        };
+      };
+    };
   };
 }