diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix
new file mode 100644
index 0000000..3911368
--- /dev/null
+++ b/machines/public-cof/acme.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+ security.acme.acceptTerms = true;
+ security.acme.email = "club-reseau@lists.ens.psl.eu";
+}
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index 190595f..1556fd3 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -6,7 +6,9 @@
 ./hardware-configuration.nix
 ./programs.nix
 ./system.nix
+ ./acme.nix
 ./networking.nix
+ ./nextcloud.nix
 # TODO monitoring
 ];
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
new file mode 100644
index 0000000..4900acd
--- /dev/null
+++ b/machines/public-cof/nextcloud.nix
@@ -0,0 +1,57 @@
+{ ... }:
+{
+ services.nextcloud = {
+ enable = true;
+ hostName = "nuage.beta.rz.ens.wtf";
+ https = true;
+
+ config = {
+ overwriteProtocol = "https";
+
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+
+ dbpass = "TODO";
+ adminpass = "TODO";
+
+ defaultPhoneRegion = "FR";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # # Only allow PFS-enabled ciphers with AES256
+ # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts = {
+ "nuage.beta.rz.ens.wtf" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
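Review bot: `dbpass = "TODO";` and `adminpass = "TODO";` in the new nextcloud.nix put credentials directly into the Nix expression, so whatever value replaces the placeholder is copied into the world-readable Nix store on the host and into this repository's history; if the file is deployed as-is, the admin account is presumably initialised with the literal password `TODO` on first setup. The NixOS module offers file-based variants for both, which keep the secret out of the store: `dbpassFile = "<root-only-path-to-db-password>";` and `adminpassFile = "<root-only-path-to-admin-password>";`, with the files created out of band and readable only by root (the module reads them during setup). Since `dbhost = "/run/postgresql"` uses the local Unix socket with a `nextcloud` role created via `ensureUsers`, the database password is likely unused under peer authentication — worth confirming before choosing a value. A short comment on those two lines stating where the secret files live and how they are provisioned would also help the next person who hits the TODO.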