Use nixpkgs apps in nextcloud

defaults/meta/network-virtual.nix

@@ -15,7 +15,7 @@
           id = "100.64.0.0";
           prefixLength = 10;
         };
-        domain = "vpn.qo.is";
+        domain = "vpn.net.qo.is";
         hosts = { };
       };
 

defaults/nextcloud/default.nix

@@ -13,7 +13,7 @@
     owner = name;
   };
 
-  qois.postgresql.enable = true;
+  services.postgresql.enable = true;
   qois.backup-client.includePaths = [ config.services.nextcloud.home ];
 
   services.nextcloud = {
@@ -30,6 +30,24 @@
       dbtype = "pgsql";
     };
 
+    appstoreEnable = false;
+    extraApps = {
+      inherit (config.services.nextcloud.package.passthru.packages.apps)
+        calendar
+        contacts
+        deck
+        groupfolders
+        maps
+        memories
+        music
+        news
+        notes
+        notify_push
+        tasks
+        twofactor_webauthn
+        ;
+    };
+
     phpOptions = {
       "opcache.interned_strings_buffer" = "23";
     };

nixos-configurations/calanda/default.nix

@@ -17,5 +17,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/cyprianspitz/default.nix

@@ -24,5 +24,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-build/applications/attic.nix

@@ -52,11 +52,10 @@ in
 
   imports = [ ../../../defaults/webserver ];
 
-  qois.postgresql.enable = true;
-
   # Note: Attic cache availability is "best effort", so no artifacts are backed up.
 
   services.postgresql = {
+    enable = true;
     ensureDatabases = [ "atticd" ];
     ensureUsers = [
       {

nixos-configurations/lindberg-build/applications/default.nix

@@ -7,4 +7,5 @@
   ];
 
   qois.git-ci-runner.enable = true;
+  qois.postgresql.package = pkgs.postgresql_15;
 }

nixos-configurations/lindberg-build/default.nix

@@ -22,5 +22,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-nextcloud/applications/cloud.nix

@@ -6,7 +6,7 @@ in
 
   imports = [ ../../../defaults/nextcloud ];
 
-  qois.postgresql.enable = true;
+  services.postgresql.enable = true;
 
   services.nextcloud = {
     hostName = host;

nixos-configurations/lindberg-nextcloud/applications/default.nix

@@ -2,4 +2,6 @@
 {
 
   imports = [ ./cloud.nix ];
+
+  qois.postgresql.package = pkgs.postgresql_14;
 }

nixos-configurations/lindberg-nextcloud/default.nix

@@ -46,5 +46,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-webapps/applications/default.nix

@@ -6,4 +6,5 @@
   qois.vault.enable = true;
   qois.git.enable = true;
   qois.static-page.enable = true;
+  qois.postgresql.package = pkgs.postgresql_15;
 }

nixos-configurations/lindberg-webapps/default.nix

@@ -21,5 +21,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg/default.nix

@@ -25,5 +25,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/tierberg/default.nix

@@ -20,5 +20,5 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-modules/postgresql/default.nix

@@ -11,11 +11,15 @@ in
 with lib;
 {
   options.qois.postgresql = {
-    enable = mkEnableOption ''Enable postgresql services with defaults'';
+    # Note: this module is auto-enabled if postgres is used.
+    package = mkPackageOption pkgs "postgresql" {
+      example = "postgresql_15";
+      default = null;
+    };
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf config.services.postgresql.enable {
-    services.postgresql.enable = true;
+    services.postgresql.package = cfg.package;
     services.postgresqlBackup.enable = true;
     qois.backup-client.includePaths = [ config.services.postgresqlBackup.location ];
   };

nixos-modules/qois/git/default.nix

@@ -21,7 +21,7 @@ with lib;
   };
 
   config = mkIf cfg.enable {
-    qois.postgresql.enable = true;
+    services.postgresql.enable = true;
 
     services.forgejo = {
       enable = true;

nixos-modules/qois/vpn-server/default.nix

@@ -16,6 +16,11 @@ in
 
   options.qois.vpn-server = {
     enable = mkEnableOption "Enable vpn server services";
+    domain = mkOption {
+      description = "Domain for the VPN admin server";
+      type = types.str;
+      default = "vpn.qo.is";
+    };
     dnsRecords = mkOption {
       description = "DNS records to add to Hosts";
       type = with types; attrsOf str;
@@ -36,8 +41,8 @@ in
       with config.services.headscale.settings;
       (
         [
-          db_path
+          database.sqlite.path
-          private_key_path
+          derp.server.private_key_path
           noise.private_key_path
         ]
         ++ derp.paths
@@ -56,22 +61,22 @@ in
       in
       {
         enable = true;
-        address = vnet.backplane.hosts.cyprianspitz.v4.ip;
+        address = vnet.backplane.hosts.cyprianspitz.v4.ip; # TODO: This entails that the backplane interface is up.
         port = 46084;
         settings = {
-          server_url = "https://${vpnNet.domain}:443";
+          server_url = "https://${cfg.domain}:443";
 
           tls_letsencrypt_challenge_type = "TLS-ALPN-01";
           tls_letsencrypt_hostname = vpnNet.domain;
 
-          dns_config = {
+          dns = {
-            nameservers = [ vnet.backplane.hosts.calanda.v4.ip ];
+            base_domain = vpnNet.domain;
-            domains = [
+            magic_dns = true;
-              vpnNet.domain
+            nameservers.global = [ vnet.backplane.hosts.calanda.v4.ip ];
+            search_domains = [
+              # vpnNet.domain # First by default with magic_dns
               vnet.backplane.domain
             ];
-            magic_dns = true;
-            base_domain = vpnNet.domain;
             extra_records = pipe cfg.dnsRecords [
               attrsToList
               (map (val: val // { type = "A"; }))
@@ -80,56 +85,64 @@ in
 
           ip_prefixes = [ vpnNetPrefix ];
 
-          acl_policy_path = pkgs.writeTextFile {
+          policy =
-            name = "acls";
+            let
-            text = builtins.toJSON {
+              # Note: headscale has limited acl support currently. This might change in the future.
-              hosts = {
+              aclPolicy = {
-                "clients" = vpnNetPrefix;
+                hosts = {
-              };
+                  "clients" = vpnNetPrefix;
-              groups = {
-                "group:wheel" = cfg.wheelUsers;
-              };
-              tagOwners = {
-                "tag:srv" = [ "srv" ]; # srv tag ist owned by srv user
-              };
-              autoApprovers = {
-                exitNode = [
-                  "tag:srv"
-                  "group:wheel"
-                ];
-                routes = {
-                  ${backplaneNetPrefix} = [ "tag:srv" ];
                 };
-              };
+                groups = {
-
+                  "group:wheel" = cfg.wheelUsers;
-              acls = [
+                };
-                # Allow all communication from and to srv tagged hosts
+                tagOwners = {
-                {
+                  "tag:srv" = [ "srv" ]; # srv tag ist owned by srv user
-                  action = "accept";
+                };
-                  src = [
+                autoApprovers = {
+                  exitNode = [
                     "tag:srv"
-                    "srv"
+                    "group:wheel"
                   ];
-                  dst = [ "*:*" ];
+                  routes = {
-                }
+                    ${backplaneNetPrefix} = [ "tag:srv" ];
-                {
+                  };
-                  action = "accept";
+                };
-                  src = [ "*" ];
-                  dst = [
-                    "tag:srv:*"
-                    "srv:*"
-                  ];
-                }
 
-                # Allow access to all connected hosts for wheels
+                acls = [
-                {
+                  # Allow all communication from and to srv tagged hosts
-                  action = "accept";
+                  {
-                  src = [ "group:wheel" ];
+                    action = "accept";
-                  dst = [ "*:*" ];
+                    src = [
-                }
+                      "tag:srv"
-              ];
+                      "srv"
+                    ];
+                    dst = [ "*:*" ];
+                  }
+                  {
+                    action = "accept";
+                    src = [ "*" ];
+                    dst = [
+                      "tag:srv:*"
+                      "srv:*"
+                    ];
+                  }
+
+                  # Allow access to all connected hosts for wheels
+                  {
+                    action = "accept";
+                    src = [ "group:wheel" ];
+                    dst = [ "*:*" ];
+                  }
+                ];
+              };
+            in
+            {
+              mode = "file";
+              path = pkgs.writeTextFile {
+                name = "acls";
+                text = builtins.toJSON aclPolicy;
+              };
             };
-          };
         };
       };
   });

nixos-modules/router-wireless-ap/default.nix

@@ -63,6 +63,7 @@ in
         enable = wle24GhzEnabled;
 
         radios.${cfg.wleInterface24Ghz} = {
+          channel = 6;
           wifi4.enable = true;
           wifi4.capabilities = [
             "HT40-"

nixos-modules/vault/default.nix

@@ -48,8 +48,6 @@ with lib;
       };
     };
 
-    qois.postgresql.enable = true;
-
     qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];
 
     services.postgresql =
@@ -57,6 +55,7 @@ with lib;
         name = config.users.users.vaultwarden.name;
       in
       {
+        enable = true;
         ensureUsers = [
           {
             inherit name;