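# This is the system definition for vps749417.ovh.net.
#
# NixOS module for a single host: GRUB on /dev/sda, DHCP on ens3, key-only
# SSH, and nginx + PHP-FPM + MariaDB serving a Nextcloud instance under
# /owncloud/ on www.beffara.org.

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # Boot loader
  boot.loader = {
    grub = {
      enable = true;
      device = "/dev/sda";
    };
  };

  # Network configuration
  networking = {
    hostName = "vps749417";
    # DHCP is switched off globally and enabled on ens3 only.
    useDHCP = false;
    interfaces.ens3.useDHCP = true;
    # Inbound TCP: SSH, HTTP (ACME challenges and redirect), HTTPS.
    firewall.allowedTCPPorts = [ 22 80 443 ];
    # NOTE(review): this opens 10,000 TCP ports, and nothing in this file
    # says what listens on them. Confirm the range is still needed and
    # narrow it to the ports actually in use.
    firewall.allowedTCPPortRanges = [ { from = 40000; to = 49999; } ];
  };

  # Time zone
  time.timeZone = "Europe/Paris";

  # Packages installed in system profile
  environment.systemPackages = with pkgs; [
    git
    htop
    tmux
    vim
    wget
  ];

  # OpenSSH daemon
  # Password logins are disabled, so access depends on public keys. No
  # authorized keys are declared in this file; presumably they are
  # provisioned in the user's home directory (confirm before rebuilding the
  # host from scratch).
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
  };

  # Let's Encrypt certificates
  security.acme = {
    acceptTerms = true;
    email = "manu@beffara.org";
  };

  # Nginx web server
  services.nginx = {
    enable = true;
    virtualHosts."www.beffara.org" = {
      default = true;
      # Plain-HTTP requests are redirected to HTTPS.
      forceSSL = true;
      root = "/data/web/root";
      enableACME = true;

      # Static files of the Nextcloud tree, plus DAV shortcut URLs.
      # NOTE(review): nothing here denies direct access to sub-directories of
      # the aliased tree (for example data/ or config/), and nginx ignores
      # the .htaccess files Nextcloud ships. Confirm the Nextcloud data
      # directory lives outside /data/web/nextcloud/site/, or add locations
      # that deny those paths.
      locations."/owncloud/" = {
        alias = "/data/web/nextcloud/site/";
        extraConfig = ''
          rewrite ^/owncloud/((cal|card|web)dav.*)$ /owncloud/remote.php/$1 redirect;
        '';
      };

      # PHP requests are handed to the "nextcloud" PHP-FPM pool.
      # The backslash is doubled because this key is a double-quoted Nix
      # string: a single "\." would be unescaped to "." by Nix, so nginx
      # would see a wildcard instead of a literal dot before "php".
      # NOTE(review): this matches every .php path under /owncloud/, not only
      # Nextcloud's entry-point scripts; consider restricting it to the
      # scripts that are meant to be reachable.
      locations."~ ^/owncloud/.+\\.php(/|$)" = {
        alias = "/data/web/nextcloud/site/";
        extraConfig = ''
          fastcgi_pass unix:${config.services.phpfpm.pools.nextcloud.socket};
          fastcgi_index index.php;
          include ${config.services.nginx.package}/conf/fastcgi.conf;
          fastcgi_split_path_info ^/owncloud/(.+\.php)(|/.*)$;
          fastcgi_param SCRIPT_NAME /owncloud/$fastcgi_script_name;
        '';
      };

      # Server-level directives.
      # The HSTS max-age of 15768000 seconds is about six months.
      # The host-meta pattern is anchored with "$": unanchored, it also
      # matched /.well-known/host-meta.json and, because of "last", the
      # host-meta.json rule below was never reached.
      extraConfig = ''
        index index.php index.html;
        add_header Strict-Transport-Security "max-age=15768000;";
        rewrite ^/.well-known/host-meta$ /owncloud/public.php?service=host-meta last;
        rewrite ^/.well-known/host-meta.json /owncloud/public.php?service=host-meta-json last;
        rewrite ^/.well-known/(cal|card)dav /owncloud/remote.php/$1dav/ redirect;
      '';
    };
  };

  # FastCGI server for PHP
  services.phpfpm = {
    # php.ini fragment: one directive per line.
    phpOptions = ''
      memory_limit = 512M
      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
      extension=${pkgs.phpPackages.imagick}/lib/php/extensions/imagick.so
    '';
    pools.nextcloud = {
      # The pool runs as the unprivileged "nextcloud" account; the socket is
      # owned by the nginx user so that only the web server can connect.
      user = "nextcloud";
      settings = {
        "listen.owner" = config.services.nginx.user;
        "pm" = "dynamic";
        "pm.max_children" = 5;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 1;
        "pm.max_spare_servers" = 3;
        "pm.max_requests" = 500;
      };
    };
  };

  # MySQL database
  # MariaDB with a "nextcloud" database and a same-named database user whose
  # privileges are limited to that database.
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions = {
          "nextcloud.*" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  # System user accounts
  users.users.nextcloud = {
    isSystemUser = true;
    home = "/data/web/nextcloud";
    group = "nextcloud";
  };
  users.groups.nextcloud = { };

  # Initial user account
  # NOTE(review): initialHashedPassword is only applied when the account is
  # first created, but the hash itself is copied into the world-readable Nix
  # store and is exposed wherever this file is published, which allows
  # offline guessing. Prefer a password file kept outside the store
  # (passwordFile, or hashedPasswordFile on newer releases) and rotate this
  # password.
  users.users.manu = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    initialHashedPassword = "$6$40/yq55oyhD2MhbS$fox2DB5Aj4EpbQAx8z6FYEh3Jl3HKa7aHlGbijJukWxOpXIlKqNucBA8Eene7SaUQzHpvrhke9EFZIRxZpl5F/";
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.09"; # Did you read the comment?
}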