chore: removed services for now

modules/config/instances/config/caddy.nix

@@ -16,5 +16,8 @@ in
   ports = {
     port0 = 80;
     port1 = 443;
+    port2 = 8443;
+    port3 = 8444; # Nextcloud
+    port4 = 8445; # Opencloud
   };
 }

modules/nixos/default.nix

@@ -78,8 +78,8 @@ in
           acmeEris
           caddyEris
           logrotate
-          nextcloud
-          opencloud
+          # nextcloud
+          # opencloud
           postgresEris
           ;
       };

modules/nixos/services/acme/acmeCeres/default.nix

@@ -10,6 +10,7 @@ let
   domain0 = instances.web.domains.url0;
   domain1 = instances.web.domains.url1;
   domain4 = flake.inputs.linkpage.secrets.domains.projectsite;
+  service = instances.acme;
   dns0 = instances.web.dns.provider0;
   dns1 = instances.web.dns.provider1;
   dns0Path = "dns/${dns0}";
@@ -46,6 +47,8 @@ in
           instances.prompter.name
           instances.comfyui.name
           instances.firefly-iii.name
+          instances.nextcloud.name
+          instances.opencloud.name
         ]
       )
       ++ (map
@@ -108,4 +111,11 @@ in
         )
       );
     };
+
+  systemd = {
+    tmpfiles.rules = [
+      "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+    ];
+  };
+
 }

modules/nixos/services/acme/acmeEris/default.nix

@@ -7,7 +7,7 @@ let
   inherit (flake.config.people) user0;
   inherit (flake.config.people.users.${user0}) email;
   inherit (flake.config.services) instances;
-
+  service = instances.acme;
   domain0 = instances.web.domains.url0;
   dns0 = instances.web.dns.provider0;
   dns0Path = "dns/${dns0}";
@@ -15,7 +15,7 @@ let
 
   dnsConfig = provider: dns: {
     dnsProvider = dns;
-    directory = "/var/lib/acme";
+    directory = instances.acme.paths.path0;
     environmentFile = config.sops.secrets.${provider}.path;
   };
 in
@@ -33,8 +33,8 @@ in
           value = dnsConfig dns0Path dns0;
         })
         [
-          instances.nextcloud.name
-          instances.opencloud.name
+          # instances.nextcloud.name
+          # instances.opencloud.name
         ]
       )
     );
@@ -66,4 +66,11 @@ in
         )
       );
     };
+
+  systemd = {
+    tmpfiles.rules = [
+      "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+    ];
+  };
+
 }

modules/nixos/services/caddy/caddyCeres/default.nix

@@ -1,10 +1,12 @@
 { flake, ... }:
 let
-  inherit (flake.config.services.instances) caddy web;
-
-  domain0 = web.domains.url0;
-  service = caddy;
+  inherit (flake.config.services) instances;
+  inherit (flake.config.machines) devices;
 
+  domain0 = instances.web.domains.url0;
+  service = instances.caddy;
+  nextcloud = instances.nextcloud;
+  opencloud = instances.opencloud;
 in
 {
   services.caddy = {
@@ -16,9 +18,20 @@ in
           encode zstd gzip
         '';
       };
+      "${nextcloud.domains.url0}" = {
+        extraConfig = ''
+          reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3}
+          tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
+        '';
+      };
+      "${opencloud.domains.url0}" = {
+        extraConfig = ''
+          reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
+          tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
+        '';
+      };
     };
   };
-
   users.users.${service.name}.extraGroups = [
     "acme"
     "mastodon"

modules/nixos/services/caddy/caddyEris/default.nix

@@ -19,6 +19,7 @@ in
       allowedTCPPorts = [
         service.ports.port0
         service.ports.port1
+        service.ports.port2
       ];
     };
   };

modules/nixos/services/nextcloud/default.nix

@@ -10,6 +10,7 @@ let
   inherit (flake.config.services.instances)
     nextcloud
     nginx
+    caddy
     smtp
     web
     ;
@@ -63,33 +64,54 @@ in
         overwriteprotocol = "https";
         trusted_proxies = [
           localhost
+          web.localhost.address1
         ];
+        security.headers = {
+          Strict-Transport-Security = "max-age=15552000; includeSubDomains";
+          X-XSS-Protection = "1; mode=block";
+          X-Content-Type-Options = "nosniff";
+          X-Frame-Options = "SAMEORIGIN";
+          Referrer-Policy = "strict-origin-when-cross-origin";
+        };
       };
-    };
 
+    };
     nginx = {
       enable = true;
-      virtualHosts.${host}.listen = [
-        {
-          addr = localhost;
-          port = nginx.ports.port0;
-        }
-      ];
+      virtualHosts.${host} = {
+        listen = [
+          {
+            addr = localhost;
+            port = nginx.ports.port0;
+          }
+        ];
+        forceSSL = false;
+        onlySSL = false;
+        addSSL = false;
+      };
     };
-
     caddy = {
       virtualHosts = {
-        "${host}" = {
-          listenAddresses = [ web.localhost.address1 ];
+        ":${toString caddy.ports.port3}" = {
           extraConfig = ''
-            reverse_proxy ${localhost}:${toString nginx.ports.port0}
-            tls ${service.ssl.cert} ${service.ssl.key}
+            header {
+              # Enable XSS protection and block instead of sanitizing
+              X-XSS-Protection "1; mode=block"
+              # Enable HSTS with 6 month duration
+              Strict-Transport-Security "max-age=15552000; includeSubDomains"
+              # Additional security headers
+              X-Content-Type-Options "nosniff"
+              X-Frame-Options "SAMEORIGIN"
+              Referrer-Policy "strict-origin-when-cross-origin"
+              # Remove server identification
+              -Server
+            }
+            reverse_proxy http://${localhost}:${toString nginx.ports.port0}
           '';
         };
       };
     };
   };
-
   sops =
     let
       sopsPath = secret: {
@@ -112,17 +134,29 @@ in
       );
     };
 
-  users.users.${service.name}.extraGroups = [
-    "caddy"
-    "nginx"
-    "postgres"
-  ];
+  systemd = {
+    tmpfiles.rules = [
+      "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+    ];
+  };
+
+  users.users.${service.name} = {
+    packages = with pkgs; [
+      php
+    ];
+    extraGroups = [
+      "caddy"
+      "nginx"
+      "postgres"
+    ];
+  };
 
   networking = {
     firewall = {
       allowedTCPPorts = [
         nginx.ports.port0
         service.ports.port0
+        caddy.ports.port3
       ];
     };
   };

modules/nixos/services/opencloud/default.nix

@@ -1,16 +1,15 @@
 { config, flake, ... }:
 let
-  inherit (flake.config.machines.devices) ceres;
-  inherit (flake.config.services.instances) opencloud web;
+  inherit (flake.config.services.instances) opencloud web caddy;
   service = opencloud;
-  localhost = web.localhost.address0;
+  localhost = web.localhost.address1;
   host = service.domains.url0;
 in
 {
   services = {
     opencloud = {
       enable = true;
-      url = "https://${host}";
+      url = "http://${localhost}:${toString service.ports.port0}";
       port = service.ports.port0;
       address = localhost;
       stateDir = "/var/lib/${service.name}";
@@ -18,20 +17,14 @@ in
     };
     caddy = {
       virtualHosts = {
-        "${host}" = {
+        ":${toString caddy.ports.port4}" = {
           extraConfig = ''
-            reverse_proxy https://${localhost}:${toString service.ports.port0} {
-              transport http {
-                tls_insecure_skip_verify
-              }
-            }
-            tls ${service.ssl.cert} ${service.ssl.key}
+            reverse_proxy http://${localhost}:${toString service.ports.port0}
           '';
         };
       };
     };
   };
-
   sops =
     let
       sopsPath = secret: {
@@ -53,10 +46,17 @@ in
       );
     };
 
+  systemd = {
+    tmpfiles.rules = [
+      "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+    ];
+  };
+
   networking = {
     firewall = {
       allowedTCPPorts = [
         service.ports.port0
+        caddy.ports.port4
       ];
     };
   };