Set up Nextcloud

configuration.nix

@@ -107,6 +107,7 @@
     ./modules/virtualization.nix
     ./modules/monitoring.nix
     ./modules/periodic.nix
+    ./modules/webstack.nix
   ];
 
 }

modules/datasync.nix

@@ -46,4 +46,28 @@
       };
     };
   };
+
+  # Nextcloud configuration
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud21;
+    home = "/vault/nextcloud";
+    hostName = "nextcloud.coace.duckdns.org";
+    https = true;
+    autoUpdateApps = {
+      enable = true;
+      startAt = "Sun 05:00:00";
+    };
+    config = {
+      overwriteProtocol = "https";
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbname = "nextcloud";
+      dbpassFile = "/var/keys/nextcloud";
+      adminpassFile = "/var/keys/nextcloud-admin";
+      adminuser = "admin";
+      defaultPhoneRegion = "ES";
+    };
+  };
+
 }

modules/networking.nix

@@ -49,6 +49,8 @@ in {
       139 # Samba
       2222 # VM SSH
       5000 # Sybase
+      80 # HTTP
+      443 # HTTPS
     ];
     allowedUDPPorts = [
       137 # Samba

modules/webstack.nix

@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Reverse proxy configuration
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    sslCiphers =
+      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    sslDhparam = "/var/lib/dhparams/nginx.pem";
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    virtualHosts = {
+      "nextcloud.coace.duckdns.org" = {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  # ACME certs configuration
+  security.acme = {
+    acceptTerms = true;
+    email = "secretario@arquitectosdeceuta.com";
+    certs."nextcloud.coace.duckdns.org".webroot =
+      "/var/lib/acme/acme-challenge";
+  };
+
+  # Generate dhparams
+  security.dhparams = {
+    enable = true;
+    params.nginx.bits = 2048;
+  };
+
+  # PostgreSQL databases configuration
+  services.postgresql = {
+    enable = true;
+    authentication = lib.mkForce ''
+      # Generated file; do not edit!
+      # TYPE  DATABASE        USER            ADDRESS                 METHOD
+      local   all             all                                     trust
+      host    all             all             127.0.0.1/32            trust
+      host    all             all             ::1/128                 trust
+    '';
+  };
+
+  # Restart reverse proxy after services startup
+  systemd.services.nginx.after = [ "nextcloud.service" ];
+}