path: root/vps-configuration.nix
Diffstat (limited to 'vps-configuration.nix')
-rw-r--r--vps-configuration.nix118
1 files changed, 118 insertions, 0 deletions
diff --git a/vps-configuration.nix b/vps-configuration.nix
new file mode 100644
index 0000000..8afa57d
--- /dev/null
+++ b/vps-configuration.nix
@@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+let
+ envsubstConfiguration = {
+ nextcloudTLD = "$NEXTCLOUD_TLD";
+ gitTLD = "$GIT_TLD";
+ letsencryptEmail = "$LETSENCRYPT_EMAIL";
+ authorizedKey = "$AUTHORIZED_KEY";
+ };
+in {
+ imports = [ ./hardware-configuration.nix ];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ useDHCP = false;
+ interfaces.ens3.useDHCP = true;
+ };
+
+ environment.systemPackages = with pkgs; [ vim ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+
+ security.acme = {
+ acceptTerms = true;
+ email = envsubstConfiguration.letsencryptEmail;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ virtualHosts = let
+ customConfigTLDs = { };
+ defaultConfigTLDs =
+ [ envsubstConfiguration.nextcloudTLD envsubstConfiguration.gitTLD ];
+ buildDefaultConfiguration = tld: {
+ "${tld}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ in pkgs.lib.fold
+ (tldString: acc: acc // buildDefaultConfiguration tldString)
+ customConfigTLDs defaultConfigTLDs;
+
+ gitweb = {
+ enable = true;
+ location = "/";
+ virtualHost = envsubstConfiguration.gitTLD;
+ };
+ };
+
+ nextcloud = {
+ enable = true;
+ hostName = envsubstConfiguration.nextcloudTLD;
+ nginx.enable = true;
+ https = true;
+ autoUpdateApps.enable = true;
+ autoUpdateApps.startAt = "05:00:00";
+ config = {
+ overwriteProtocol = "https";
+
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost =
+ "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = "/var/nextcloud-db-pass";
+
+ adminpassFile = "/var/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [{
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }];
+ };
+
+ gitweb = {
+ gitwebTheme = true;
+ projectroot = "/srv/git";
+ };
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ users.users.nixos = {
+ uid = 1000;
+ extraGroups = [ "wheel" ];
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [ envsubstConfiguration.authorizedKey ];
+ };
+
+ system.stateVersion = "19.09";
+}
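Review bot: The `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` override on the nginx block weakens what `recommendedTlsSettings = true` already provides: that pattern still admits CBC suites with SHA-1 MACs such as ECDHE-RSA-AES256-SHA, excludes ChaCha20-Poly1305, and only governs TLS 1.2 (TLS 1.3 suites are unaffected), so the net effect is a less strict list than the module's default, if I recall the module's Mozilla-intermediate default correctly. Either drop the line and rely on the recommended settings, or restrict to AEAD suites, e.g. `sslCiphers = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL";`. Separately, nothing in this file provisions `/var/nextcloud-db-pass` or `/var/nextcloud-admin-pass` or constrains their owner/mode, yet `nextcloud-setup` reads them at activation; a short comment stating how they are created and that they should be root-owned and not world-readable (or a `systemd.tmpfiles.rules` entry) would make the contract explicit. Also, if this file is really run through envsubst as the `envsubstConfiguration` name suggests, the Nix interpolation `"${tld}"` in `buildDefaultConfiguration` will be consumed by GNU envsubst unless the variable list is restricted (`envsubst '$NEXTCLOUD_TLD $GIT_TLD $LETSENCRYPT_EMAIL $AUTHORIZED_KEY'`); worth a comment at the top of the `let` block. The gitweb vhost at `location = "/"` is also unauthenticated, so every repository under `/srv/git` is public — fine if intended, but a one-line comment saying so would help.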