From 23fff39cf91810355b686177cf67c7e85fe41515 Mon Sep 17 00:00:00 2001
From: "Gustavo \"Guz\" L de Mello"
Date: Tue, 16 Sep 2025 16:18:06 -0300
Subject: [PATCH] feat(abaduh): setup nextcloud instance

---
 abaduh/default.nix | 1 +
 abaduh/nextcloud.nix | 65 ++++++++++++++++++++++++++++++++++++++++++++
 secrets.nix | 14 ++++++++++
 secrets.yaml | 5 ++++
 4 files changed, 85 insertions(+)
 create mode 100644 abaduh/nextcloud.nix

diff --git a/abaduh/default.nix b/abaduh/default.nix
index 1f5ca04..8a53ae3 100644
--- a/abaduh/default.nix
+++ b/abaduh/default.nix
@@ -1,6 +1,7 @@
 {...}: {
 imports = [
 ./adguard.nix
+ ./nextcloud.nix
 ./tailscale.nix
 ];
 }
diff --git a/abaduh/nextcloud.nix b/abaduh/nextcloud.nix
new file mode 100644
index 0000000..9c1bd72
--- /dev/null
+++ b/abaduh/nextcloud.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.nextcloud;
+in {
+ imports = [
+ "${fetchTarball {
+ url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
+ sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
+ }}/nextcloud-extras.nix"
+ ];
+
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud31;
+ webserver = "caddy";
+ hostName = "nextcloud.local";
+ appstoreEnable = false;
+ configureRedis = true;
+ extraApps = {
+ inherit
+ (pkgs.nextcloud31Packages.apps)
+ # mail
+ calendar
+ contacts
+ memories
+ # recognize
+ ;
+ };
+ config = {
+ adminuser = "admin";
+ adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+
+ dbtype = "pgsql";
+ dbhost = "localhost:${toString config.services.postgresql.settings.port}";
+ dbname = "nextcloud";
+ dbuser = "nextcloud";
+
+ objectstore.s3 = {
+ enable = true;
+ verify_bucket_exists = false;
+ bucket = "nextcloud";
+ hostname = "localhost";
+ port = 3461;
+ usePathStyle = true;
+ useSsl = false;
+ region = config.services.garage.settings.s3_api.s3_region;
+ key = "GK7b6d9214adf40850e5f39d66";
+ secretFile = config.sops.secrets."nextcloud/s3/secret".path;
+ # sseCKeyFile = config.sops.secrets."nextcloud/s3/sseC".path; # Needs SSL
+ };
+ };
+ settings = {
+ "auth.authtoken.v1.disabled" = true;
+ default_language = "pt_BR";
+ default_locale = "pt_BR";
+ default_phone_region = "BR";
+ default_timezone = config.time.timeZone;
+ maintenance_window_start = 4; # 1:00 AM at UTC-3
+ trusted_proxies = ["127.0.0.1"];
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 3846b80..23e814a 100644
--- a/secrets.nix
+++ b/secrets.nix
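Review bot: The `config` block reaches PostgreSQL over TCP (`dbhost = "localhost:${toString config.services.postgresql.settings.port}"`) but sets no `dbpassFile`, so the login can only succeed if a `pg_hba` rule outside this patch trusts loopback connections, and such a rule would let any local process authenticate as the `nextcloud` role. Peer authentication over the unix socket needs neither a password nor a trust rule: `services.nextcloud.database.createLocally = true;` together with `dbhost = "/run/postgresql";`, or a sops-backed `dbpassFile` if TCP is really wanted. The PostgreSQL configuration is not visible here, so this is inferred from the hunk alone. Separately, with `useSsl = false` and `sseCKeyFile` commented out, objects are stored unencrypted in the Garage bucket; a comment beside `useSsl` such as `# loopback only; enable TLS + SSE-C before moving Garage off-host` would record that assumption.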
@@ -60,6 +60,20 @@ with lib; {
 owner = config.services.keikos.web.user;
 };
 
+ "nextcloud/adminpass" = mkIf config.services.nextcloud.enable {
+ owner = "nextcloud";
+ };
+ "nextcloud/s3/secret" = mkIf config.services.nextcloud.enable {
+ owner = "nextcloud";
+ };
+ "nextcloud/s3/sseC" = mkIf config.services.nextcloud.enable {
+ owner = "nextcloud";
+ };
+
+ "pgadmin/password" = mkIf config.services.pgadmin.enable {
+ owner = config.systemd.services.pgadmin.serviceConfig.User;
+ };
+
 "medama/anubis/hexFile" = {
 owner = config.services.anubis.instances."medama".user;
 };
diff --git a/secrets.yaml b/secrets.yaml
index 30e4dac..ef005c7 100644
--- a/secrets.yaml
+++ b/secrets.yaml
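Review bot: `"nextcloud/s3/sseC"` is declared here and will be decrypted onto the host whenever Nextcloud is enabled, yet its only consumer in this patch, `sseCKeyFile`, is commented out in abaduh/nextcloud.nix. Until SSE-C is actually switched on I would leave this entry out, or at least mark it `# unused until S3 uses TLS (see sseCKeyFile)`, so that no unused key is materialised on disk. The `"pgadmin/password"` entry has no counterpart elsewhere in this patch and is unrelated to the Nextcloud setup named in the subject; it would be easier to audit as its own commit. The enclosing attribute set starts and ends outside the hunk.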
@@ -18,6 +18,11 @@ guz:
 password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str]
 keiko:
 env-file: ENC[AES256_GCM,data:up0VMFlG92ZAmnDk1b3DNrGJ9zUoyu3pi5poP1cgaYMAaVotRtrQkDAWLPdMKrRaXZlMFhmR0Vmy4n5wauZwiUN6nhMQOEkLZ5QOa8wiyA93JTmu0982bvMeZ+dk1HTy7nU1UI1OaejjEoGFlFV5g06qGfXnC1CFHyqwM1WeTgI6Syv431q0wutz2J6lcDvyxOU8zem3zSOpf5fg,iv:hxixIs/OoUS8Cntr7yJXZxeo5PpyPGfQLfDROQ07mr4=,tag:YUgrrP/C0ZY/SIs/wszW/w==,type:str]
+nextcloud:
+ adminpass: ENC[AES256_GCM,data:RY2BsFDSttpr,iv:Mv22/Ht4Uq0miQjKgbnu37UCk/wZMyc6t9jrWkyXsxI=,tag:ScYTA46R0ZpkeqjhRsYzYg==,type:str]
+ s3:
+ secret: ENC[AES256_GCM,data:GrkETHYY8OMGazKWvnvG1CYiRc/5O01WAof0YIhbJ+U0wSxSYJBVGqV55WVurtzR9F5VxiVpHRRs3cPvtdC8eQ==,iv:a0fMz3NtQX43VWtOfIp9mXZ/R1MCD7y/LBGuWvoxhgQ=,tag:4FjaAQTHNEBfI5q1kLw/Kg==,type:str]
+ sseC: ENC[AES256_GCM,data:VMrZoC1zvK+7aQ1nfpF0Az9OxmGAqMSFRTgz04jbj3rKkWnGFzi3wTzrfFg=,iv:Vy86k6Yz3Thn7/zqbIp1xV9j1Yi+k6x2qG4vyGHP0IQ=,tag:SnDkc2jfq4gy7OCaT4oFhg==,type:str]
 medama:
 anubis:
 hexFile: ENC[AES256_GCM,data:INM0j8uPSV60nEyGJ2/+nH1IDVL08hvBzTULBHPbChQVdYO+Z/UCI1aKCLoCwad0NAp+rAljYotZ0NxlxfjnmQ==,iv:y9F70r7erFOBe94rvv3/3P+N8SwFgW39hRcfP2SjFMA=,tag:PnjbQcCDbB/8XPJc+hM5dA==,type:str]
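Review bot: The new `nextcloud.adminpass` value is short enough that its length is visible in the committed file: sops' AES-GCM ciphertext is as long as the plaintext, and `data:RY2BsFDSttpr` decodes to 9 bytes. Since the account name is the fixed `adminuser = "admin"`, I would rotate this to a long generated password before the instance is reachable by anyone else. Also worth checking: the diffstat lists five insertions and no modified lines for secrets.yaml, so if the file carries the usual sops metadata block, its `mac` and `lastmodified` fields were not updated with these entries, and decryption may fail its integrity check.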