diff --git a/machines/gustave/default.nix b/machines/gustave/default.nix
index adea956..f54c798 100644
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@@ -14,6 +14,7 @@
./pages.nix
./readeck.nix
./plausible.nix
+ ./nextcloud.nix
];
machine.meta = {
diff --git a/machines/gustave/nextcloud.nix b/machines/gustave/nextcloud.nix
new file mode 100644
index 0000000..0a7c890
--- /dev/null
+++ b/machines/gustave/nextcloud.nix
@@ -0,0 +1,91 @@
+{ pkgs, config, ... }:
+
+{
+
+ environment.systemPackages = [ config.services.nextcloud.occ ];
+
+ age.secrets."nextcloud-admin-password" = {
+ file = ../../secrets/nextcloud-admin-password.age;
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+ age.secrets."nextcloud-s3-token" = {
+ file = ../../secrets/nextcloud-s3-token.age;
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+ services.nextcloud = {
+ enable = true;
+ configureRedis = true;
+ database.createLocally = true;
+ package = pkgs.nextcloud30;
+ https = true;
+ hostName = "nuage.luj.fr";
+ autoUpdateApps.enable = true;
+
+ config = {
+ dbtype = "pgsql";
+ adminuser = "admin";
+ adminpassFile = config.age.secrets."nextcloud-admin-password".path;
+ objectstore.s3 = {
+ enable = true;
+ hostname = "s3.luj.fr";
+ usePathStyle = true;
+ port = 443;
+ region = "paris";
+ bucket = "nextcloud-bucket";
+ key = "GK5e980f5f3c7e2780b931ccd0";
+ secretFile = config.age.secrets."nextcloud-s3-token".path;
+ autocreate = false;
+ };
+
+ };
+
+ settings = {
+ overwriteprotocol = "https";
+ overwritehost = "nuage.luj.fr";
+ "overwrite.cli.url" = "https://nuage.luj.fr";
+ updatechecker = false;
+ default_phone_region = "FR";
+ "memories.exiftool" = "${pkgs.exiftool}/bin/exiftool";
+ "memories.vod.ffmpeg" = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
+ "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
+ trusted_proxies = [ "::1" ];
+ allow_local_remote_servers = true;
+ allow_user_to_change_display_name = false;
+ lost_password_link = "disabled";
+
+ };
+
+ poolSettings = {
+ "pm" = "dynamic";
+ "pm.max_children" = "32";
+ "pm.start_servers" = "8";
+ "pm.min_spare_servers" = "2";
+ "pm.max_spare_servers" = "16";
+ "pm.max_requests" = "500";
+ };
+
+ phpOptions = {
+ "opcache.enable_cli" = "1";
+ "opcache.interned_strings_buffer" = "32";
+ "opcache.max_accelerated_files" = "10000";
+ "opcache.memory_consumption" = "256";
+ "opcache.revalidate_freq" = "1";
+ "opcache.fast_shutdown" = "0";
+ "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+ };
+
+ };
+
+ services.nginx.virtualHosts."nuage.luj.fr" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ proxy_max_temp_file_size 4096m;
+ '';
+ };
+
+}
diff --git a/secrets/nextcloud-admin-password.age b/secrets/nextcloud-admin-password.age
new file mode 100644
index 0000000..fe045e1
--- /dev/null
+++ b/secrets/nextcloud-admin-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 AqX2tg W73WX1IsIOQPX2Wb8WP0Bl9qZW+8iErpuamMZnY7mF8
+AnhzN7s2ENKpKZDg4XiFrPcxP2hoGQ5xPMp1UGO8uhw
+-> ssh-ed25519 u3yXZQ c/rvSIaVNkJtSWdBzlO5d9fafMwfPmFuShoZF0NNKnk
+93FT+zB1jhmN0Y5aXURFtCjcNwBBr33aCq2cv/BPq6I
+-> ssh-ed25519 IRHAkA kubkRI3HlbJxdEdqi0SvZqYrhSI4FId2bwtvtitK0EA
+EUl/biEKqzbwepSBy3/Eve5mkXuD78pi9gvpHy6MTiY
+--- t9sDbetXPbZxDT1X05wbEuwdMgYvRWH+JZOnc0AyuwY
+fr�iOMo �TOJw+�S�k�>Sd`��q�"��x�����Gɂ]�v�z�c�bp�8�^��� 1�6pC�eջ�
\ No newline at end of file
diff --git a/secrets/nextcloud-s3-token.age b/secrets/nextcloud-s3-token.age
new file mode 100644
index 0000000..cc52a4e
--- /dev/null
+++ b/secrets/nextcloud-s3-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 AqX2tg vL8dQYLot6RcYa/uVFwfpPrbKThwJKi46oHx9BduOH0
+OT1BtivdKjLdi/fVobGdJqEJR90hjfhChDXf5wirS0A
+-> ssh-ed25519 u3yXZQ /RsTnzjpvCaUgBPZ8S7ciPq4zKxSZbDrVirUWzjYGgk
+YfSQt2Jnl2/YuTDTnl0KOF0HA+Sk17RhoLkEJG8cd9I
+-> ssh-ed25519 IRHAkA ADtUJc5zj2CBcPhoxImQpxKgMVqHGkoXqNTXiXFzCwM
+jMUf4OgMWD+Vlzt/zxXa5gCOHXAzENjl8mLQLkxTVhU
+--- 0N9gd5qdv1HahRlpjbDKqngW363F/ScQr5wzxF8ckNs
+�g��x�f]!^�M��
j����3���ݩ�Z���2�<�g�m���0��1�;��5��Ʀ�FJ���0�,�E!�
�7���5�%&���H��r��H���%���
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a7adbc9..85b401b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -156,4 +156,16 @@ in
biblios
];
+ "nextcloud-admin-password.age".publicKeys = [
+ tower
+ gallifrey
+ gustave
+ ];
+
+ "nextcloud-s3-token.age".publicKeys = [
+ tower
+ gallifrey
+ gustave
+ ];
+
}