Merge pull request 'add nextcloud' (#20) from add-nextcloud into main

Reviewed-on: #20

config/instance-20221213-1915.nix

@@ -19,6 +19,8 @@
     ./users/remote-build.nix
     ./services/atticd.nix
     ./services/minecraft.nix
+    ./services/postgres.nix
+    ./services/nextcloud.nix
   ];
 
   boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
@@ -76,9 +78,13 @@
   systemd.tmpfiles.rules = [
     "L /var/lib/acme - - - - /persist/var/lib/acme"
     "L /var/lib/tailscale/tailscaled.state - - - - /persist/var/lib/tailscale/tailscaled.state"
-    "D /build - - - - -"
+    "d /build - - - - -"
+    "L /var/lib/nextcloud - - - - /persist/var/lib/nextcloud"
+    "d /persist/var/lib/nextcloud 0750 nextcloud nextcloud - -"
   ];
 
+  services.postgresql.dataDir = "/persist/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+
   networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64"];
   home-manager.users.darkkirb = import ./home-manager/darkkirb.nix {
     desktop = false;
@@ -114,4 +120,22 @@
   boot.loader.systemd-boot.configurationLimit = lib.mkForce 1;
   system.autoUpgrade.allowReboot = true;
   services.tailscale.useRoutingFeatures = "server";
+  services.postgresql.settings = {
+    max_connections = 200;
+    shared_buffers = "6GB";
+    effective_cache_size = "18GB";
+    maintenance_work_mem = "1536MB";
+    checkpoint_completion_target = 0.9;
+    wal_buffers = "16MB";
+    default_statistics_target = 100;
+    random_page_cost = 1.1;
+    effective_io_concurrency = 200;
+    work_mem = "15728kB";
+    min_wal_size = "1GB";
+    max_wal_size = "4GB";
+    max_worker_processes = 4;
+    max_parallel_workers_per_gather = 2;
+    max_parallel_workers = 4;
+    max_parallel_maintenance_workers = 2;
+  };
 }

config/services/nextcloud.nix

@@ -0,0 +1,94 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  services.nextcloud = {
+    caching.redis = true;
+    config = {
+      adminpassFile = config.sops.secrets."services/nextcloud/adminpass".path;
+      adminuser = "darkkirb";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      defaultPhoneRegion = "DE";
+      objectstore.s3 = {
+        autocreate = false;
+        bucket = "nextcloud-chir-rs";
+        enable = true;
+        hostname = "s3.us-west-000.backblazeb2.com";
+        key = "000decd694f9e7d0000000021";
+        secretFile = config.sops.secrets."services/nextcloud/s3".path;
+        usePathStyle = true;
+        useSsl = true;
+      };
+      overwriteProtocol = "https";
+    };
+    enable = true;
+    enableImagemagick = true;
+    extraAppsEnable = true;
+    extraOptions = {
+      redis = {
+        host = config.services.redis.servers.nextcloud.unixSocket;
+        port = 0;
+        dbindex = 0;
+      };
+    };
+    hostName = "cloud.chir.rs";
+    https = true;
+    package = pkgs.nextcloud26;
+    phpOptions = {
+      "opcache.save_comments" = "1";
+      "opcache.validate_timestamps" = "0";
+      "opcache.jit" = "1255";
+      "opcache.jit_buffer_size" = "128M";
+    };
+    poolSettings = {
+      pm = "dynamic";
+      "pm.max_children" = 460;
+      "pm.start_servers" = 4;
+      "pm.min_spare_servers" = 4;
+      "pm.max_spare_servers" = 64;
+    };
+    webfinger = true;
+    extraApps = with pkgs.nextcloud26Packages.apps; {
+      inherit bookmarks calendar contacts deck files_texteditor forms groupfolders mail news notes notify_push onlyoffice polls previewgenerator spreed tasks twofactor_webauthn unsplash;
+    };
+  };
+  sops.secrets."services/nextcloud/adminpass".owner = "nextcloud";
+  sops.secrets."services/nextcloud/s3".owner = "nextcloud";
+  services.redis.servers.nextcloud = {
+    enable = true;
+    user = "nextcloud";
+  };
+  services.postgresql.ensureDatabases = ["nextcloud"];
+  services.postgresql.ensureUsers = [
+    {
+      name = "nextcloud";
+      ensurePermissions = {
+        "DATABASE attic" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 13286;
+      }
+    ];
+  };
+
+  services.caddy.virtualHosts."cloud.chir.rs" = {
+    useACMEHost = "chir.rs";
+    logFormat = pkgs.lib.mkForce "";
+    extraConfig = ''
+      import baseConfig
+      reverse_proxy {
+          to http://127.0.0.1:13286
+          header_up Host cloud.chir.rs
+      }
+    '';
+  };
+}

secrets/instance-20221213-1915.yaml

@@ -14,6 +14,9 @@ services:
     chir-rs:
         auth:
             password: ENC[AES256_GCM,data:9tJQIoCgquUkX+FeAT0+1tfyIF9YdNT26AOyd7hiS8BgLSa8WdG+v3H0zMt48ETc8duCMTDKII0sJTtgYxtaKQ==,iv:ZukeYF4yTf7fkrkTpbUsuNkpMOgjMDGbYtUcbvfu50g=,tag:HutgW+KyEVoePVZIO+uExg==,type:str]
+    nextcloud:
+        adminpass: ENC[AES256_GCM,data:xB6PspGdPXCxLW2pTTisgGSDefuUui/y0rUUCKbpSXZQcjlOu2n8T1tyFvb3sv2PwkF7bEvzIqmXLfOFxXX0mA==,iv:AwGxw3czHeD5fgAor0EZtZDXHVT71mUUeguWpXytRRI=,tag:7w0AdobWwrXEo0HMHRE2Tw==,type:str]
+        s3: ENC[AES256_GCM,data:6eaoosPsBl1K5W76/KPAkw58nMNhhMFS7b/3v3WCbg==,iv:C+JVjSN3MG4CzaYmBr6Lzh6jdFbwQsDJYJfBPfllZYw=,tag:YHie0LMPg2gahnGF+cEGZg==,type:str]
 email:
     lotte@chir.rs: ENC[AES256_GCM,data:YrJ/+VG6/ZSu8g+PQxYUqwd1RQ==,iv:IeFhCrMQ1+4KvenylyizbwmCvsCPGvTiZAw5VyZb3Zs=,tag:xoK+aBykGV2bLqHles1LMQ==,type:str]
     mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:l57AwqL90zV2BIn04ZhhEB3TE0WAFNJ7Bci1ljHgYvki0mZ5TrLP4PYZ681uKdzN7xlFsDjhCQN0C+iuz3Aj0g==,iv:qXNQq+03KFTazggckGRqHbnuOHo2enmQKCSzAw6mqsY=,tag:HE+tenPWwB8FIilV2r1wRQ==,type:str]
@@ -38,8 +41,8 @@ sops:
             bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
             QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-17T09:38:15Z"
-    mac: ENC[AES256_GCM,data:CNsQoD2BnsiXH/gc28/4idmaR8C2j8oIV/eoTh5VNrb0r15vDuw3XFWHSZ+6H+AM5gcuoqdo5qRcocHRc7mbp09sfOFefDmUYhPnfyx0PPIBNVH1g9QkRzsPHz8DNibgWetmVY0EGR/PhBnU/JVkaCDfl/9UJ50l9MQjtq6FC2A=,iv:jz/OVJdBhEi688B2VkFaypOUnWE6axUKJleb7TH3qO4=,tag:4pTYKMD5CvRcN8te1Bumqw==,type:str]
+    lastmodified: "2023-04-18T12:18:21Z"
+    mac: ENC[AES256_GCM,data:l78VBdvwCW4ZP6ezhyYveRfMYnIhQkAxBrsFTZdBfY7/11i6Kgzpl1ZS0q1Uvxp4i29LRvhrK3qkRsREMoCDi/CdPZXjYpaRxqN7iyDe6PEUQJq9riIViCbVzIvFnR13ZHzUx1PiyPgCJ9YJdpz8wDVz7aIDzZuu1j6l8do7lNA=,iv:EBkdg8n3/MpO0AZFAcEA4r36aNgH99mjwvL5OruqoPI=,tag:70opYR8NEBRg9o706qsQeA==,type:str]
     pgp:
         - created_at: "2022-12-14T15:34:13Z"
           enc: |

zones/chir.rs.nix

@@ -144,7 +144,7 @@ with dns.lib.combinators; let
     SOA = {
       nameServer = "ns1.chir.rs.";
       adminEmail = "lotte@chir.rs";
-      serial = 28;
+      serial = 29;
     };
     NS = [
       "ns1.chir.rs."
@@ -245,6 +245,7 @@ with dns.lib.combinators; let
       auth = createFullZone {};
       attic-nocdn = createFullZone {};
       attic.CNAME = ["attic-chir-rs.b-cdn.net."];
+      cloud = createZone oracleBase;
 
       int =
         delegateTo [