initial retooling

2026-03-27 14:23:08 -05:00
commit 5057ed2a05
46 changed files with 4969 additions and 0 deletions
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -0,0 +1,224 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.sovran_systemsOS.services.nextcloud;
+in
+{
+  options.sovran_systemsOS.services.nextcloud = {
+    enable = lib.mkEnableOption "Nextcloud (raw PHP served by Caddy)";
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    # ── Caddy vhost is now handled centrally in caddy.nix ─────
+
+    # ── PostgreSQL database ───────────────────────────────────
+    services.postgresql = {
+      enable = true;
+    };
+
+    # ── Auto-generate DB password and initialize ──────────────
+    systemd.services.nextcloud-db-init = {
+      description = "Initialize Nextcloud PostgreSQL database with auto-generated password";
+      after = [ "postgresql.service" ];
+      requires = [ "postgresql.service" ];
+      before = [ "nextcloud-init.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ];
+      script = ''
+        set -euo pipefail
+
+        SECRET_FILE="/var/lib/secrets/nextclouddb"
+
+        # Existing machines already have this file — leave it alone
+        if [ ! -f "$SECRET_FILE" ]; then
+          mkdir -p /var/lib/secrets
+          pwgen -s 64 1 > "$SECRET_FILE"
+          chmod 600 "$SECRET_FILE"
+        fi
+
+        DB_PASS=$(cat "$SECRET_FILE")
+
+        # Create role if it doesn't exist, update password either way
+        psql -U postgres <<SQL
+          DO \$\$
+          BEGIN
+            IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'ncusr') THEN
+              CREATE ROLE "ncusr" WITH LOGIN PASSWORD '$DB_PASS';
+            ELSE
+              ALTER ROLE "ncusr" WITH LOGIN PASSWORD '$DB_PASS';
+            END IF;
+          END
+          \$\$;
+        SQL
+
+        # Create database if it doesn't exist
+        if ! psql -U postgres -lqt | cut -d \| -f 1 | grep -qw "nextclouddb"; then
+          psql -U postgres -c "CREATE DATABASE nextclouddb WITH OWNER ncusr TEMPLATE template0 LC_COLLATE = 'C' LC_CTYPE = 'C';"
+        fi
+      '';
+    };
+
+    # ── Fully automated Nextcloud setup ───────────────────────
+    systemd.services.nextcloud-init = {
+      description = "Download, extract, and fully configure Nextcloud";
+      after = [ "network-online.target" "postgresql.service" "phpfpm-mypool.service" "nextcloud-db-init.service" ];
+      wants = [ "network-online.target" ];
+      requires = [ "postgresql.service" "nextcloud-db-init.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      unitConfig = {
+        ConditionPathExists = "!/var/lib/www/nextcloud/config/config.php";
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+
+      path = with pkgs; [ curl unzip php pwgen coreutils ];
+
+      script = ''
+        set -euo pipefail
+
+        INSTALL_DIR="/var/lib/www/nextcloud"
+        DATA_DIR="/var/lib/www/nextcloud-data"
+        DOMAIN=$(cat /var/lib/domains/nextcloud)
+        DB_NAME="nextclouddb"
+        DB_USER="ncusr"
+        DB_PASS=$(cat /var/lib/secrets/nextclouddb)
+        DB_HOST="localhost"
+        ADMIN_USER=$(pwgen -s 16 1)
+        ADMIN_PASS=$(pwgen -s 24 1)
+
+        echo "══════════════════════════════════════════════"
+        echo "  Nextcloud Automated Installation"
+        echo "══════════════════════════════════════════════"
+
+        # ── Download ────────────────────────────────────
+        if [ ! -f "$INSTALL_DIR/occ" ]; then
+            echo "Downloading Nextcloud..."
+            TEMP_DIR=$(mktemp -d)
+            curl -L -o "$TEMP_DIR/nextcloud.zip" "https://download.nextcloud.com/server/releases/latest.zip"
+            unzip -q "$TEMP_DIR/nextcloud.zip" -d "$TEMP_DIR"
+            mkdir -p "$INSTALL_DIR"
+            cp -a "$TEMP_DIR/nextcloud/"* "$INSTALL_DIR/"
+            rm -rf "$TEMP_DIR"
+            echo "Download complete."
+        fi
+
+        # ── Create data directory ───────────────────────
+        mkdir -p "$DATA_DIR"
+
+        # ── Set permissions ─────────────────────────────
+        chown -R caddy:root "$INSTALL_DIR"
+        chown -R caddy:root "$DATA_DIR"
+        find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
+        find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
+        chmod -R 770 "$INSTALL_DIR/apps"
+        chmod -R 770 "$INSTALL_DIR/config"
+        chmod -R 770 "$DATA_DIR"
+
+        # ── Wait for database ───────────────────────────
+        echo "Waiting for PostgreSQL..."
+        for i in $(seq 1 30); do
+            if su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then
+                echo "Database ready."
+                break
+            fi
+            sleep 2
+        done
+
+        # ── Run Nextcloud install via occ ───────────────
+        echo "Running Nextcloud installation..."
+        su -s /bin/sh caddy -c "
+          php $INSTALL_DIR/occ maintenance:install \
+            --database 'pgsql' \
+            --database-name '$DB_NAME' \
+            --database-user '$DB_USER' \
+            --database-pass '$DB_PASS' \
+            --database-host '$DB_HOST' \
+            --admin-user '$ADMIN_USER' \
+            --admin-pass '$ADMIN_PASS' \
+            --data-dir '$DATA_DIR'
+        "
+
+        # ── Configure trusted domains ───────────────────
+        echo "Configuring trusted domains..."
+        su -s /bin/sh caddy -c "
+          php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
+          php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
+          php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
+        "
+
+        # ── Set recommended settings ─<EFBFBD><EFBFBD>──────────────────
+        echo "Applying recommended settings..."
+        su -s /bin/sh caddy -c "
+          php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
+          php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
+          php $INSTALL_DIR/occ background:cron
+        "
+
+        # ── Install default apps ────────────────────────
+        echo "Installing default apps..."
+        su -s /bin/sh caddy -c "
+          php $INSTALL_DIR/occ app:install calendar || true
+          php $INSTALL_DIR/occ app:install contacts || true
+          php $INSTALL_DIR/occ app:install tasks || true
+          php $INSTALL_DIR/occ app:install notes || true
+          php $INSTALL_DIR/occ app:install deck || true
+          php $INSTALL_DIR/occ app:enable calendar || true
+          php $INSTALL_DIR/occ app:enable contacts || true
+          php $INSTALL_DIR/occ app:enable tasks || true
+          php $INSTALL_DIR/occ app:enable notes || true
+          php $INSTALL_DIR/occ app:enable deck || true
+        "
+
+        # ── Save admin credentials ──────────────────────
+        CREDS_FILE="/var/lib/secrets/nextcloud-admin"
+        cat > "$CREDS_FILE" << CREDS
+Nextcloud Admin Credentials
+═══════════════════════════
+URL:      https://$DOMAIN/
+Username: $ADMIN_USER
+Password: $ADMIN_PASS
+CREDS
+        chmod 600 "$CREDS_FILE"
+
+        echo ""
+        echo "══════════════════════════════════════════════"
+        echo "  Nextcloud installation complete!"
+        echo ""
+        echo "  URL:      https://$DOMAIN/"
+        echo "  Username: $ADMIN_USER"
+        echo "  Password: $ADMIN_PASS"
+        echo ""
+        echo "  Installed apps: Calendar, Contacts, Tasks,"
+        echo "                  Notes, Deck"
+        echo ""
+        echo "  Credentials saved to: $CREDS_FILE"
+        echo "══════════════════════════════════════════════"
+      '';
+    };
+
+    # ── Cron ──────────────────────────────────────────────────
+    services.cron.systemCronJobs = [
+      "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
+    ];
+
+    # ── Ensure directories ────────────────────────────────────
+    systemd.tmpfiles.rules = [
+      "d /var/lib/www 0755 caddy root -"
+      "d /var/lib/www/nextcloud 0750 caddy root -"
+      "d /var/lib/www/nextcloud-data 0770 caddy root -"
+    ];
+
+    environment.systemPackages = with pkgs; [
+      unzip
+    ];
+  };
+}