Use nixpkgs apps in nextcloud

defaults/meta/network-virtual.nix

@@ -15,7 +15,7 @@
           id = "100.64.0.0";
           prefixLength = 10;
         };
-        domain = "vpn.qo.is";
+        domain = "vpn.net.qo.is";
         hosts = { };
       };
 

defaults/nextcloud/default.nix

@@ -13,7 +13,7 @@
     owner = name;
   };
 
-  qois.postgresql.enable = true;
+  services.postgresql.enable = true;
   qois.backup-client.includePaths = [ config.services.nextcloud.home ];
 
   services.nextcloud = {
@@ -30,6 +30,24 @@
       dbtype = "pgsql";
     };
 
+    appstoreEnable = false;
+    extraApps = {
+      inherit (config.services.nextcloud.package.passthru.packages.apps)
+        calendar
+        contacts
+        deck
+        groupfolders
+        maps
+        memories
+        music
+        news
+        notes
+        notify_push
+        tasks
+        twofactor_webauthn
+        ;
+    };
+
     phpOptions = {
       "opcache.interned_strings_buffer" = "23";
     };

nixos-configurations/calanda/default.nix

@@ -17,5 +17,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/cyprianspitz/default.nix

@@ -24,5 +24,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-build/applications/attic.nix

@@ -52,11 +52,10 @@ in
 
   imports = [ ../../../defaults/webserver ];
 
-  qois.postgresql.enable = true;
-
   # Note: Attic cache availability is "best effort", so no artifacts are backed up.
 
   services.postgresql = {
+    enable = true;
     ensureDatabases = [ "atticd" ];
     ensureUsers = [
       {

nixos-configurations/lindberg-build/applications/default.nix

@@ -7,4 +7,5 @@
   ];
 
   qois.git-ci-runner.enable = true;
+  qois.postgresql.package = pkgs.postgresql_15;
 }

nixos-configurations/lindberg-build/default.nix

@@ -22,5 +22,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-nextcloud/applications/cloud.nix

@@ -6,7 +6,7 @@ in
 
   imports = [ ../../../defaults/nextcloud ];
 
-  qois.postgresql.enable = true;
+  services.postgresql.enable = true;
 
   services.nextcloud = {
     hostName = host;

nixos-configurations/lindberg-nextcloud/applications/default.nix

@@ -2,4 +2,6 @@
 {
 
   imports = [ ./cloud.nix ];
+
+  qois.postgresql.package = pkgs.postgresql_14;
 }

nixos-configurations/lindberg-nextcloud/default.nix

@@ -46,5 +46,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-webapps/applications/default.nix

@@ -6,4 +6,5 @@
   qois.vault.enable = true;
   qois.git.enable = true;
   qois.static-page.enable = true;
+  qois.postgresql.package = pkgs.postgresql_15;
 }

nixos-configurations/lindberg-webapps/default.nix

@@ -21,5 +21,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/lindberg/default.nix

@@ -25,5 +25,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-configurations/tierberg/default.nix

@@ -20,5 +20,5 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "23.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-modules/postgresql/default.nix

@@ -11,15 +11,15 @@ in
 with lib;
 {
   options.qois.postgresql = {
-    enable = mkEnableOption ''Enable postgresql services with defaults'';
+    # Note: this module is auto-enabled if postgres is used.
     package = mkPackageOption pkgs "postgresql" {
       example = "postgresql_15";
       default = null;
     };
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf config.services.postgresql.enable {
-    services.postgresql.enable = true;
+    services.postgresql.package = cfg.package;
     services.postgresqlBackup.enable = true;
     qois.backup-client.includePaths = [ config.services.postgresqlBackup.location ];
   };

nixos-modules/qois/git/default.nix

@@ -21,7 +21,7 @@ with lib;
   };
 
   config = mkIf cfg.enable {
-    qois.postgresql.enable = true;
+    services.postgresql.enable = true;
 
     services.forgejo = {
       enable = true;

nixos-modules/qois/vpn-server/default.nix

@@ -16,6 +16,11 @@ in
 
   options.qois.vpn-server = {
     enable = mkEnableOption "Enable vpn server services";
+    domain = mkOption {
+      description = "Domain for the VPN admin server";
+      type = types.str;
+      default = "vpn.qo.is";
+    };
     dnsRecords = mkOption {
       description = "DNS records to add to Hosts";
       type = with types; attrsOf str;
@@ -36,8 +41,8 @@ in
       with config.services.headscale.settings;
       (
         [
-          db_path
+          database.sqlite.path
-          private_key_path
+          derp.server.private_key_path
           noise.private_key_path
         ]
         ++ derp.paths
@@ -56,22 +61,22 @@ in
       in
       {
         enable = true;
-        address = vnet.backplane.hosts.cyprianspitz.v4.ip;
+        address = vnet.backplane.hosts.cyprianspitz.v4.ip; # TODO: This entails that the backplane interface is up.
         port = 46084;
         settings = {
-          server_url = "https://${vpnNet.domain}:443";
+          server_url = "https://${cfg.domain}:443";
 
           tls_letsencrypt_challenge_type = "TLS-ALPN-01";
           tls_letsencrypt_hostname = vpnNet.domain;
 
-          dns_config = {
+          dns = {
-            nameservers = [ vnet.backplane.hosts.calanda.v4.ip ];
+            base_domain = vpnNet.domain;
-            domains = [
+            magic_dns = true;
-              vpnNet.domain
+            nameservers.global = [ vnet.backplane.hosts.calanda.v4.ip ];
+            search_domains = [
+              # vpnNet.domain # First by default with magic_dns
               vnet.backplane.domain
             ];
-            magic_dns = true;
-            base_domain = vpnNet.domain;
             extra_records = pipe cfg.dnsRecords [
               attrsToList
               (map (val: val // { type = "A"; }))
@@ -80,9 +85,10 @@ in
 
           ip_prefixes = [ vpnNetPrefix ];
 
-          acl_policy_path = pkgs.writeTextFile {
+          policy =
-            name = "acls";
+            let
-            text = builtins.toJSON {
+              # Note: headscale has limited acl support currently. This might change in the future.
+              aclPolicy = {
                 hosts = {
                   "clients" = vpnNetPrefix;
                 };
@@ -129,6 +135,13 @@ in
                   }
                 ];
               };
+            in
+            {
+              mode = "file";
+              path = pkgs.writeTextFile {
+                name = "acls";
+                text = builtins.toJSON aclPolicy;
+              };
             };
         };
       };

nixos-modules/router-dhcp/default.nix

@@ -43,12 +43,13 @@ in
   };
 
   config = mkIf cfg.enable {
-    services.dnsmasq.enable = true;
+    services.dnsmasq = {
-    services.dnsmasq.extraConfig = ''
+      enable = true;
+      settings = {
         # Listen on this specific port instead of the standard DNS port
         # (53). Setting this to zero completely disables DNS function,
         # leaving only DHCP and/or TFTP.
-      port=${toString cfg.localDnsPort}
+        port = cfg.localDnsPort;
 
         # The following two options make you a better netizen, since they
         # tell dnsmasq to filter out queries which the public DNS cannot
@@ -57,10 +58,9 @@ in
         # these requests from bringing up the link unnecessarily.
 
         # Never forward plain names (without a dot or domain part)
-      domain-needed
+        domain-needed = true;
         # Never forward addresses in the non-routed address spaces.
-      bogus-priv
+        bogus-priv = true;
-
 
         # Uncomment this to filter useless windows-originated DNS requests
         # which can trigger dial-on-demand links needlessly.
@@ -88,7 +88,7 @@ in
 
         # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
         # files for changes and re-read them then uncomment this.
-      no-poll
+        no-poll = true;
 
         # Add other name servers here, with domain specs if they are for
         # non-public domains.
@@ -100,13 +100,13 @@ in
 
         # Add local-only domains here, queries in these domains are answered
         # from /etc/hosts or DHCP only.
-      local=/${config.networking.hostName}/
+        local = "/${config.networking.hostName}/";
 
         # Add domains which you want to force to an IP address here.
         # The example below send any host in double-click.net to a local
         # web-server.
         #address=/double-click.net/127.0.0.1
-      address=/${config.networking.hostName}.${cfg.localDomain}/${routerCfg.internalRouterIP}
+        address = "/${config.networking.hostName}.${cfg.localDomain}/${routerCfg.internalRouterIP}";
 
         # --address (and --server) work with IPv6 addresses too.
         #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
@@ -129,8 +129,10 @@ in
         # specified interfaces (and the loopback) give the name of the
         # interface (eg eth0) here.
         # Repeat the line for more than one interface.
-      interface=${routerCfg.internalBridgeInterfaceName}
+        interface = [
-      interface=lo
+          routerCfg.internalBridgeInterfaceName
+          "lo"
+        ];
         # Or you can specify which interface _not_ to listen on
         #except-interface=
         # Or which to listen on by address (remember to include 127.0.0.1 if
@@ -139,7 +141,7 @@ in
         # If you want dnsmasq to provide only DNS service on an interface,
         # configure it as shown above, and then use the following line to
         # disable DHCP and TFTP on it.
-      no-dhcp-interface=lo
+        no-dhcp-interface = "lo";
 
         # On systems which support it, dnsmasq binds the wildcard address,
         # even when it is listening on only some interfaces. It then discards
@@ -148,18 +150,18 @@ in
         # want dnsmasq to really bind only the interfaces it is listening on,
         # uncomment this option. About the only time you may need this is when
         # running another nameserver on the same machine.
-      bind-interfaces
+        bind-interfaces = true;
 
         # If you don't want dnsmasq to read /etc/hosts, uncomment the
         # following line.
-      no-hosts
+        no-hosts = true;
         # or if you want it to read another file, as well as /etc/hosts, use
         # this.
         #addn-hosts=/etc/banner_add_hosts
 
         # Set this (and domain: see below) if you want to have a domain
         # automatically added to simple names in a hosts-file.
-      expand-hosts
+        expand-hosts = true;
 
         # Set the domain for dnsmasq. this is optional, but if it is set, it
         # does the following things.
@@ -168,7 +170,7 @@ in
         # 2) Sets the "domain" DHCP option thereby potentially setting the
         #    domain of all systems configured by DHCP
         # 3) Provides the domain part for "expand-hosts"
-      domain=${cfg.localDomain}
+        domain = cfg.localDomain;
 
         # Set a different domain for a particular subnet
         #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -181,7 +183,7 @@ in
         # a lease time. If you have more than one network, you will need to
         # repeat this for each network on which you want to supply DHCP
         # service.
-      dhcp-range=${cfg.dhcpRange},48h
+        dhcp-range = "${cfg.dhcpRange},48h";
 
         # This is an example of a DHCP range where the netmask is given. This
         # is needed for networks we reach the dnsmasq DHCP server via a relay
@@ -346,10 +348,17 @@ in
         # are some options which are recommended, they are detailed at the
         # end of this section.
 
+        dhcp-option = [
           # Override the default route supplied by dnsmasq, which assumes the
           # router is the same machine as the one running dnsmasq.
           #dhcp-option=3,1.2.3.4
-      dhcp-option=6,${routerCfg.internalRouterIP}
+          "6,${routerCfg.internalRouterIP}"
+
+          # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+          # probably doesn't support this......
+          "option:domain-search,${cfg.localDomain}"
+
+        ];
 
         # Do the same thing, but using the option name
         #dhcp-option=option:router,1.2.3.4
@@ -407,10 +416,6 @@ in
         # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
         #dhcp-option=252,"\n"
 
-      # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
-      # probably doesn't support this......
-      dhcp-option=option:domain-search,${cfg.localDomain}
-
         # Send RFC-3442 classless static routes (note the netmask encoding)
         #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
 
@@ -504,7 +509,6 @@ in
         # to 5. See page 19 of
         # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
 
-
         # Enable dnsmasq's built-in TFTP server
         #enable-tftp
 
@@ -552,7 +556,7 @@ in
         # server for your campus/company accidentally. The ISC server uses
         # the same option, and this URL provides more information:
         # http://www.isc.org/files/auth.html
-      dhcp-authoritative
+        dhcp-authoritative = true;
 
         # Run an executable when a DHCP lease is created or destroyed.
         # The arguments sent to the script are "add" or "del",
@@ -661,7 +665,8 @@ in
 
         # Log lots of extra information about DHCP transactions.
         #log-dhcp
-    '';
+      };
+    };
 
     systemd.services.dnsmasq = {
       bindsTo = [ "network-addresses-${routerCfg.internalBridgeInterfaceName}.service" ];

nixos-modules/router-wireless-ap/default.nix

@@ -63,6 +63,7 @@ in
         enable = wle24GhzEnabled;
 
         radios.${cfg.wleInterface24Ghz} = {
+          channel = 6;
           wifi4.enable = true;
           wifi4.capabilities = [
             "HT40-"

nixos-modules/vault/default.nix

@@ -48,8 +48,6 @@ with lib;
       };
     };
 
-    qois.postgresql.enable = true;
-
     qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];
 
     services.postgresql =
@@ -57,6 +55,7 @@ with lib;
         name = config.users.users.vaultwarden.name;
       in
       {
+        enable = true;
         ensureUsers = [
           {
             inherit name;