From b2b26fc58c4f65efe84317032cde6f84c58ce482 Mon Sep 17 00:00:00 2001
From: coolneng <akasroua@gmail.com>
Date: Wed, 7 Apr 2021 13:18:31 +0200
Subject: [PATCH] Set up Nextcloud

---
 configuration.nix      |  1 +
 modules/datasync.nix   | 24 ++++++++++++++
 modules/networking.nix |  2 ++
 modules/webstack.nix   | 75 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 102 insertions(+)
 create mode 100644 modules/webstack.nix

diff --git a/configuration.nix b/configuration.nix
index 21ce292..a503fac 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -107,6 +107,7 @@
     ./modules/virtualization.nix
     ./modules/monitoring.nix
     ./modules/periodic.nix
+    ./modules/webstack.nix
   ];
 
 }
diff --git a/modules/datasync.nix b/modules/datasync.nix
index bbcae43..736943a 100644
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@@ -46,4 +46,28 @@
       };
     };
   };
+
+  # Nextcloud configuration
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud21;
+    home = "/vault/nextcloud";
+    hostName = "nextcloud.coace.duckdns.org";
+    https = true;
+    autoUpdateApps = {
+      enable = true;
+      startAt = "Sun 05:00:00";
+    };
+    config = {
+      overwriteProtocol = "https";
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbname = "nextcloud";
+      dbpassFile = "/var/keys/nextcloud";
+      adminpassFile = "/var/keys/nextcloud-admin";
+      adminuser = "admin";
+      defaultPhoneRegion = "ES";
+    };
+  };
+
 }
diff --git a/modules/networking.nix b/modules/networking.nix
index b8226be..e788ae4 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -49,6 +49,8 @@ in {
       139 # Samba
       2222 # VM SSH
       5000 # Sybase
+      80 # HTTP
+      443 # HTTPS
     ];
     allowedUDPPorts = [
       137 # Samba
diff --git a/modules/webstack.nix b/modules/webstack.nix
new file mode 100644
index 0000000..1c81def
--- /dev/null
+++ b/modules/webstack.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Reverse proxy configuration
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    sslCiphers =
+      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    sslDhparam = "/var/lib/dhparams/nginx.pem";
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    virtualHosts = {
+      "nextcloud.coace.duckdns.org" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  # ACME certs configuration
+  security.acme = {
+    acceptTerms = true;
+    email = "secretario@arquitectosdeceuta.com";
+    certs."nextcloud.coace.duckdns.org".webroot =
+      "/var/lib/acme/acme-challenge";
+  };
+
+  # Generate dhparams
+  security.dhparams = {
+    enable = true;
+    params.nginx.bits = 2048;
+  };
+
+  # PostgreSQL databases configuration
+  services.postgresql = {
+    enable = true;
+    authentication = lib.mkForce ''
+      # Generated file; do not edit!
+      # TYPE  DATABASE        USER            ADDRESS                 METHOD
+      local   all             all                                     trust
+      host    all             all             127.0.0.1/32            trust
+      host    all             all             ::1/128                 trust
+    '';
+  };
+
+  # Restart reverse proxy after services startup
+  systemd.services.nginx.after = [ "nextcloud.service" ];
+}