hermit/configuration.nix: enable nextcloud

temperance/configuration.nix: enable nextcloud
nextcloud/module.nix: init
2025-03-08 14:37:05 +01:00 · 2025-03-08 14:36:42 +01:00 · 2025-03-08 14:36:33 +01:00
3 changed files with 54 additions and 0 deletions
--- a/hosts/hermit/configuration.nix
+++ b/hosts/hermit/configuration.nix
@ -27,6 +27,9 @@
  modules = {
    system = {
      impermanence.enable = false;
+      services = {
+        nextcloud.enable = true;
+      };
      hardware = {
        nvidia.enable = true;
        bluetooth = {
--- a/hosts/temperance/configuration.nix
+++ b/hosts/temperance/configuration.nix
@ -41,6 +41,9 @@ in {
  modules = {
    system = {
      impermanence.enable = true;
+      services = {
+        nextcloud.enable = true;
+      };
      programs = {
        editors = {
          emacs.enable = true;
--- a/modules/services/nextcloud/module.nix
+++ b/modules/services/nextcloud/module.nix
@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib.meta) getExe';
+  inherit (lib.modules) mkIf;
+  cfg = config.modules.system.services.nextcloud;
+in {
+  options.modules.system.services.nextcloud.enable = lib.mkEnableOption "nextcloud";
+
+  config = {
+    systemd.user.services.nextcloud = mkIf cfg.enable {
+      description = "Nextcloud client service";
+
+      # makes the graphical session start this service when it starts
+      wantedBy = ["graphical-session.target"];
+      # when graphical session restarts or gets stopped, this also gets restarted/stopped.
+      partOf = ["graphical-session.target"];
+      # gets started only after graphical session
+      after = ["graphical-session.target"];
+
+      serviceConfig = {
+        ExecStart = "${getExe' pkgs.nextcloud-client "nextcloud"} --background";
+        Restart = "always";
+        RestartSec = 30;
+
+        # User = "cr";
+        # Group = "cr";
+
+        Keyringmode = "shared";
+        DevicePolicy = "closed";
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectControlGroup = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+
+        ProtectSystem = "strict";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
+      };
+    };
+  };
+}
Author	SHA1	Message	Date
Charlie Root	a0bc8023a6	hermit/configuration.nix: enable nextcloud	2025-03-08 14:37:05 +01:00
Charlie Root	3158f69ab3	temperance/configuration.nix: enable nextcloud	2025-03-08 14:36:42 +01:00
Charlie Root	9cc2ff512c	nextcloud/module.nix: init Introduce a hardened systemd service for nextcloud	2025-03-08 14:36:33 +01:00