Alejandro Angulo
d5969ca923
Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
66 lines
1.6 KiB
Nix
66 lines
1.6 KiB
Nix
{
|
|
options,
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
format,
|
|
...
|
|
}:
|
|
with lib; let
|
|
cfg = config.aa.services.nextcloud;
|
|
in {
|
|
options.aa.services.nextcloud = with types; {
|
|
enable = mkEnableOption "nextcloud";
|
|
acmeCertName = mkOption {
|
|
type = str;
|
|
default = "";
|
|
description = ''
|
|
If set to a non-empty string, forces SSL with the supplied acme
|
|
certificate.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
age.secrets.nextcloud_admin = {
|
|
file = ../../../secrets/nextcloud_admin.age;
|
|
owner = "nextcloud";
|
|
group = "nextcloud";
|
|
};
|
|
|
|
services.nextcloud = {
|
|
enable = true;
|
|
package = pkgs.nextcloud27;
|
|
hostName = "nextcloud.kilonull.com";
|
|
https = true;
|
|
database.createLocally = true;
|
|
datadir = "/tank/nextcloud";
|
|
# Arbitrary large size
|
|
maxUploadSize = "16G";
|
|
configureRedis = true;
|
|
logType = "file";
|
|
poolSettings = {
|
|
pm = "dynamic";
|
|
"pm.max_children" = "64";
|
|
"pm.max_requests" = "500";
|
|
"pm.max_spare_servers" = "25";
|
|
"pm.min_spare_servers" = "10";
|
|
"pm.start_servers" = "15";
|
|
};
|
|
config = {
|
|
dbtype = "pgsql";
|
|
adminuser = "alejandro";
|
|
adminpassFile = config.age.secrets.nextcloud_admin.path;
|
|
};
|
|
};
|
|
|
|
# nextcloud module configures nginx, just need to specify SSL stuffs here
|
|
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = mkIf (cfg.acmeCertName != "") {
|
|
forceSSL = true;
|
|
useACMEHost = cfg.acmeCertName;
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [80 443];
|
|
};
|
|
}
|