modules: add nextcloud and qbittorrent

modules/nextcloud.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # Enable Nginx
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    # Setup Nextcloud virtual host to listen on ports
+    virtualHosts = {
+      "nextcloud.mediabox.lan" = {
+        ## Force HTTP redirect to HTTPS
+        #forceSSL = true;
+      };
+    };
+  };
+
+  # Actual Nextcloud Config
+  services.nextcloud = {
+    enable = true;
+    hostName = "localhost";
+    enableBrokenCiphersForSSE = false;
+    package = pkgs.nextcloud25;
+
+    # Use HTTPS for links
+    https = true;
+
+    # Auto-update Nextcloud Apps
+    autoUpdateApps.enable = true;
+    # Set what time makes sense for you
+    autoUpdateApps.startAt = "05:00:00";
+
+    config = {
+      # Further forces Nextcloud to use HTTPS
+      overwriteProtocol = "https";
+
+      # Nextcloud PostegreSQL database configuration, recommended over using SQLite
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+      dbname = "nextcloud";
+      dbpassFile = "/var/nextcloud-db-pass";
+
+      adminpassFile = "/var/nextcloud-admin-pass";
+      adminuser = "admin";
+    };
+  };
+
+  # Enable PostgreSQL
+  services.postgresql = {
+    enable = true;
+
+    # Ensure the database, user, and permissions always exist
+    ensureDatabases = ["nextcloud"];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  # Ensure that postgres is running before running the setup
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+}

modules/qbittorrent.nix

@@ -0,0 +1,116 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.qbittorrent;
+  configDir = "${cfg.dataDir}/.config";
+  openFilesLimit = 4096;
+in {
+  options.services.qbittorrent = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Run qBittorrent headlessly as systemwide daemon
+      '';
+    };
+
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/qbittorrent";
+      description = ''
+        The directory where qBittorrent will create files.
+      '';
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "qbittorrent";
+      description = ''
+        User account under which qBittorrent runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "qbittorrent";
+      description = ''
+        Group under which qBittorrent runs.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = ''
+        qBittorrent web UI port.
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Open services.qBittorrent.port to the outside network.
+      '';
+    };
+
+    openFilesLimit = mkOption {
+      default = openFilesLimit;
+      description = ''
+        Number of files to allow qBittorrent to open.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [pkgs.qbittorrent];
+
+    nixpkgs.overlays = [
+      (final: prev: {
+        qbittorrent = prev.qbittorrent.override {guiSupport = false;};
+      })
+    ];
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [cfg.port];
+      allowedUDPPorts = [cfg.port];
+    };
+
+    systemd.services.qbittorrent = {
+      after = ["network.target"];
+      description = "qBittorrent Daemon";
+      wantedBy = ["multi-user.target"];
+      path = [pkgs.qbittorrent];
+      serviceConfig = {
+        ExecStart = ''
+          ${pkgs.qbittorrent}/bin/qbittorrent-nox \
+            --profile=${configDir} \
+            --webui-port=${toString cfg.port}
+        '';
+        # To prevent "Quit & shutdown daemon" from working; we want systemd to
+        # manage it!
+        Restart = "on-success";
+        User = cfg.user;
+        Group = cfg.group;
+        UMask = "0002";
+        LimitNOFILE = cfg.openFilesLimit;
+      };
+    };
+
+    users.users = mkIf (cfg.user == "qbittorrent") {
+      qbittorrent = {
+        group = cfg.group;
+        home = cfg.dataDir;
+        createHome = true;
+        description = "qBittorrent Daemon user";
+      };
+    };
+
+    users.groups =
+      mkIf (cfg.group == "qbittorrent") {qbittorrent = {gid = null;};};
+  };
+}