From 1eed275c37c860fb9db848742148a84eb3f84c38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Victor=20I=C8=99an?=
Date: Wed, 4 Mar 2026 15:11:29 +0100
Subject: [PATCH] containers: added nextcloud
---
 hosts/isengard.nix | 1 +
 modules/agenix.nix | 12 ++++++++
 modules/containers/nextcloud.nix | 50 ++++++++++++++++++++++++++++++++
 secrets/nextcloud-db.age | 14 +++++++++
 secrets/nextcloud.age | 17 +++++++++++
 secrets/secrets.nix | 2 ++
 6 files changed, 96 insertions(+)
 create mode 100644 modules/containers/nextcloud.nix
 create mode 100644 secrets/nextcloud-db.age
 create mode 100644 secrets/nextcloud.age
diff --git a/hosts/isengard.nix b/hosts/isengard.nix
index b84a41e..a3f0b22 100644
--- a/hosts/isengard.nix
+++ b/hosts/isengard.nix
@@ -12,6 +12,7 @@
 ../modules/containers/ntfy.nix
 ../modules/containers/mindwtr.nix
 ../modules/containers/vaultwarden.nix
+ ../modules/containers/nextcloud.nix
 ../modules/containers/actualbudget.nix
 ];
diff --git a/modules/agenix.nix b/modules/agenix.nix
index 9a60675..decc65e 100644
--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@@ -17,5 +17,17 @@
 group = "root";
 mode = "0400";
 };
+ nextcloud = {
+ file = ../secrets/nextcloud.age;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ nextcloud-db = {
+ file = ../secrets/nextcloud-db.age;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
 };
 }
diff --git a/modules/containers/nextcloud.nix b/modules/containers/nextcloud.nix
new file mode 100644
index 0000000..4ff97f6
--- /dev/null
+++ b/modules/containers/nextcloud.nix
@@ -0,0 +1,50 @@
+{ config, ... }:
+
+let
+ workDir = "/srv/containers/nextcloud";
+in
+{
+ systemd.tmpfiles.rules = [
+ "d ${workDir} 2700 root admin"
+ ];
+
+ virtualisation.oci-containers.containers = {
+ nextcloud = {
+ autoStart = true;
+ image = "nextcloud:31-apache";
+
+ ports = [
+ "0.0.0.0:10003:80"
+ ];
+
+ volumes = [
+ "${workDir}/html:/var/www/html"
+ ];
+
+ environmentFiles = [
+ config.age.secrets.nextcloud.path
+ ];
+
+ dependsOn = [
+ "nextcloud-db"
+ "nextcloud-redis"
+ ];
+ };
+
+ nextcloud-db = {
+ image = "postgres:18"; # trixie
+
+ volumes = [
+ "${workDir}/db:/var/lib/postgresql/data"
+ ];
+
+ environmentFiles = [
+ config.age.secrets.nextcloud-db.path
+ ];
+ };
+
+ nextcloud-redis = {
+ image = "redis:8-alpine"; # trixie
+ };
+ };
+}
diff --git a/secrets/nextcloud-db.age b/secrets/nextcloud-db.age
new file mode 100644
index 0000000..170bdf8
--- /dev/null
+++ b/secrets/nextcloud-db.age
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFA5bEdnQSBEZ3Vz +d3orRHowOXVDNHJwakkzT1I4d2pyZ1FsWS9VTmwyTWd6RUNZT0hZCmVhc1ZpNHhp +cG42RytDYnp3SUpSdlk0NG9uUTE1V083bFRzcjc2U2VaZkkKLT4gc3NoLWVkMjU1 +MTkgS0tuNDVBIEY5SEVqSXVKY2RqS0pUeWxaV0ZmR29ON1Bzd1l6RjhuRWJsSzZJ +dlpCbU0KbUFlQXY4SzRkZjBOK2ZPa3E5SDFpY1hJeW1WVG1WWkRoTEFtTmVQMzll +OAotPiBHRyt9KmktZ3JlYXNlIERlN3ItXlBNIFIsIEdkV3M9Y2MKekNlOWpLSkNo +QXlCK3BOZ1F5VjdOWFhpcDdmTTZQVVhzaUUwKzdHWTNTeC9NWk1rcXB3c0VLSHNV +a2ljeHZDcwp1eTRZVEpiT3BWMGFjZmpyWVBwQmcwL2RBRkd4MFp3NU9xTmtMQmox +Tk9aWkhVVjVtdwotLS0gK0VDelV6STAyaDdra2cxNmo3aU5oRkNaWG1BTDdGVjl2 +aHpZNEF0bXc5bwrhlJWA0sUbTA7oEgWlWf9JXHZMl7U9eSyHQG+zEkczL1BSaz9t +fmwoLh+TjBr6iyPbzRqIl5xzgzgXINEhUlgT3XrnxCzW+L8Me2haB/aEE37+RjLk +XX7tJ3Z07tRsPxTbJZGKM7QeYy8PeAYxTsi+0XI9NCYahg== +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/nextcloud.age b/secrets/nextcloud.age
new file mode 100644
index 0000000..330d081
--- /dev/null
+++ b/secrets/nextcloud.age
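Review bot: In modules/containers/nextcloud.nix the `ports` entry `"0.0.0.0:10003:80"` publishes Nextcloud's plain-HTTP listener on every interface of the host; if TLS is terminated by a reverse proxy on the same machine (not visible in this patch), bind it to loopback with `"127.0.0.1:10003:80"` so logins and session cookies cannot be reached unencrypted from the network. The tmpfiles rule `"d ${workDir} 2700 root admin"` sets the setgid bit but grants the `admin` group no permissions, so either `0700 root root` or `2770 root admin` is probably what was meant, and a short comment should say which. The tags `nextcloud:31-apache`, `postgres:18` and `redis:8-alpine` are mutable, so pinning each by digest (`image = "postgres:18@sha256:<digest>";`) keeps a rebuild from silently pulling different content, and the `# trixie` comment on the Alpine-based redis image looks copied from the postgres line. The official postgres image changed its data directory layout as of 18, so please confirm that `/var/lib/postgresql/data` is still where the database is written; otherwise it will not land on the `${workDir}/db` volume.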
@@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFA5bEdnQSBLU00z +blhGYXhzTi9ZbFk0cTcwYkdCTHdubzlRMC9VNUNXTEpsYjF1SXpZCmxKNDduTUhK +R3NrZTlIMFNiV0MwU3A2SkFadmlkOWh3SS9PSjYvdWkvYTAKLT4gc3NoLWVkMjU1 +MTkgS0tuNDVBIFA0L0wycEpHTmFxeTd1WVZCTlFnb3N3bEY4ZUpib3IwZmxjUERY +YkdUbGsKSzA3UWV0VGUvNFc1anpNNmlCaWRkaU12bnBvaGY0M2dDNU03RENqWmNq +SQotPiBlLWdyZWFzZQpnR2JTU1hhYThPZjZVcjhLc3ZpdTdjR0NVUnlxZG5YdkQ4 +VDN5ekZnazVURm5BN1JpM21LQmJNd1pkVitzMFIrCjJObkVIckFYTlhjQXc4NWxO +b3pOTGUyeloxYlJRYjBmVGpvcmdKVU1oUTBxWTJJdmw3blpKZTQweFMvZnRwOAot +LS0gWXc5V2h5bDNlSnNaZ1RSeUk2WEIrK3EvL1hSQzhIYS8vQnZnb05BbXpxNApP +ol1JWMDsMI4WYlU5NzoQbQ7cCkXZMzpGKQe15/1BFSpoqrmx9TADFQhJGeuzGyHc +HcI69emv77Tdq60sRQJ2dsCZccCFPGmxoAzYeXdZL6Tz6fmSvFvIra8Y0YEmYU7S +jbfxhwutsX4TfUMILO+qM3jWX5YORLUK0XtD415T9RG4j2zV61tvsaSpANwgB+Ri +lFz+TRm7XVWayH+hOoQWV2lcBDjEIBXgge5G2EwyEup93LUNaOmoe9np34LWGD0l +FUUKhQJQC4knE6oabYcn4V9zmYHV+stCUr8xnc9R1HJVRIFwfQBSBkyNZyd/PzSz +HP2rubkgW9ZR +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3a733bb..814dfb5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,4 +7,6 @@ let in { "vaultwarden.age".publicKeys = [ victor isengard ]; + "nextcloud.age".publicKeys = [ victor isengard ]; + "nextcloud-db.age".publicKeys = [ victor isengard ]; }