feat(gustave): bootstrap a new nextcloud

machines/gustave/default.nix

@@ -14,6 +14,7 @@
     ./pages.nix
     ./readeck.nix
     ./plausible.nix
+    ./nextcloud.nix
   ];
 
   machine.meta = {

machines/gustave/nextcloud.nix

@@ -0,0 +1,91 @@
+{ pkgs, config, ... }:
+
+{
+
+  environment.systemPackages = [ config.services.nextcloud.occ ];
+
+  age.secrets."nextcloud-admin-password" = {
+    file = ../../secrets/nextcloud-admin-password.age;
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
+  age.secrets."nextcloud-s3-token" = {
+    file = ../../secrets/nextcloud-s3-token.age;
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
+  services.nextcloud = {
+    enable = true;
+    configureRedis = true;
+    database.createLocally = true;
+    package = pkgs.nextcloud30;
+    https = true;
+    hostName = "nuage.luj.fr";
+    autoUpdateApps.enable = true;
+
+    config = {
+      dbtype = "pgsql";
+      adminuser = "admin";
+      adminpassFile = config.age.secrets."nextcloud-admin-password".path;
+      objectstore.s3 = {
+        enable = true;
+        hostname = "s3.luj.fr";
+        usePathStyle = true;
+        port = 443;
+        region = "paris";
+        bucket = "nextcloud-bucket";
+        key = "GK5e980f5f3c7e2780b931ccd0";
+        secretFile = config.age.secrets."nextcloud-s3-token".path;
+        autocreate = false;
+      };
+
+    };
+
+    settings = {
+      overwriteprotocol = "https";
+      overwritehost = "nuage.luj.fr";
+      "overwrite.cli.url" = "https://nuage.luj.fr";
+      updatechecker = false;
+      default_phone_region = "FR";
+      "memories.exiftool" = "${pkgs.exiftool}/bin/exiftool";
+      "memories.vod.ffmpeg" = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
+      "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
+      trusted_proxies = [ "::1" ];
+      allow_local_remote_servers = true;
+      allow_user_to_change_display_name = false;
+      lost_password_link = "disabled";
+
+    };
+
+    poolSettings = {
+      "pm" = "dynamic";
+      "pm.max_children" = "32";
+      "pm.start_servers" = "8";
+      "pm.min_spare_servers" = "2";
+      "pm.max_spare_servers" = "16";
+      "pm.max_requests" = "500";
+    };
+
+    phpOptions = {
+      "opcache.enable_cli" = "1";
+      "opcache.interned_strings_buffer" = "32";
+      "opcache.max_accelerated_files" = "10000";
+      "opcache.memory_consumption" = "256";
+      "opcache.revalidate_freq" = "1";
+      "opcache.fast_shutdown" = "0";
+      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+    };
+
+  };
+
+  services.nginx.virtualHosts."nuage.luj.fr" = {
+    enableACME = true;
+    forceSSL = true;
+    extraConfig = ''
+      proxy_max_temp_file_size 4096m;
+    '';
+  };
+
+}

secrets/nextcloud-admin-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 AqX2tg W73WX1IsIOQPX2Wb8WP0Bl9qZW+8iErpuamMZnY7mF8
+AnhzN7s2ENKpKZDg4XiFrPcxP2hoGQ5xPMp1UGO8uhw
+-> ssh-ed25519 u3yXZQ c/rvSIaVNkJtSWdBzlO5d9fafMwfPmFuShoZF0NNKnk
+93FT+zB1jhmN0Y5aXURFtCjcNwBBr33aCq2cv/BPq6I
+-> ssh-ed25519 IRHAkA kubkRI3HlbJxdEdqi0SvZqYrhSI4FId2bwtvtitK0EA
+EUl/biEKqzbwepSBy3/Eve5mkXuD78pi9gvpHy6MTiY
+--- t9sDbetXPbZxDT1X05wbEuwdMgYvRWH+JZOnc0AyuwY
+frÀiOMo	ŸTOJw+¹SÎkÑ>Sd`ôÁq¶"åùx—ìÄîÇGÉ‚]âv»zÂc¦bpÝ8»^«Ãî 1×6pC®eÕ»ëƒ

secrets/nextcloud-s3-token.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 AqX2tg vL8dQYLot6RcYa/uVFwfpPrbKThwJKi46oHx9BduOH0
+OT1BtivdKjLdi/fVobGdJqEJR90hjfhChDXf5wirS0A
+-> ssh-ed25519 u3yXZQ /RsTnzjpvCaUgBPZ8S7ciPq4zKxSZbDrVirUWzjYGgk
+YfSQt2Jnl2/YuTDTnl0KOF0HA+Sk17RhoLkEJG8cd9I
+-> ssh-ed25519 IRHAkA ADtUJc5zj2CBcPhoxImQpxKgMVqHGkoXqNTXiXFzCwM
+jMUf4OgMWD+Vlzt/zxXa5gCOHXAzENjl8mLQLkxTVhU
+--- 0N9gd5qdv1HahRlpjbDKqngW363F/ScQr5wzxF8ckNs
+
gýØx¯f]!^±M˜‰
jœ¹ ´3·«éÝ©ÅZïŒÑ2<²gÀmŽÛ0ü1º;†5´ÝƦFJËòñ0,E!§
Ã7´í 5ç<35>%&<26>£Hèšr½‚Hí³¼%¥Ã

secrets/secrets.nix

@@ -156,4 +156,16 @@ in
     biblios
   ];
 
+  "nextcloud-admin-password.age".publicKeys = [
+    tower
+    gallifrey
+    gustave
+  ];
+
+  "nextcloud-s3-token.age".publicKeys = [
+    tower
+    gallifrey
+    gustave
+  ];
+
 }