new ppl pw

configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, inputs, lib, host, ... }:
+{ pkgs, inputs, host, ... }:
 {
   imports = ([
     inputs.sops-nix.nixosModules.sops
@@ -43,6 +43,8 @@
     ./system-modules/postgres.nix
     ./system-modules/nx2site/proxy.nix
     ./system-modules/nx2site/gitea.nix
+    ./system-modules/nx2site/radicale.nix
+    # ./system-modules/nx2site/nextcloud.nix
     ./system-modules/nx2site/vaultwarden.nix
     ./system-modules/nx2site/paperless.nix
   ] else []);

system-modules/boot.nix

@@ -118,6 +118,7 @@ in
           efiSupport = true;
         };
       };
+      kernelPackages = pkgs-unstable.linuxPackages_6_11;
     };
   };
 }

system-modules/nx2site/nextcloud.nix

@@ -0,0 +1,26 @@
+{ config, domain, ... }:
+{
+  sops.secrets = { 
+    "nx2site/nextcloud/admin-pass" = { owner = "nextcloud"; };
+    "nx2site/nextcloud/db-pass" = { owner = "nextcloud"; };
+    # "nx2site/nextcloud/users-pass/nx2" = { owner = "nextcloud"; };
+  };
+
+  services = {
+    nextcloud = {
+      enable = true;
+      hostName = "nc.${domain}";
+      https = true;
+      configureRedis = true;
+      config = {
+        adminpassFile = config.sops.secrets."nx2site/nextcloud/admin-pass".path;
+        adminuser = "nx2";
+
+        dbtype = "pgsql";
+        # dbhost = config.services.postgresql.settings.port; # using usix socket
+        dbname = "nextcloud";
+        dbpassFile = config.sops.secrets."nx2site/nextcloud/db-pass".path;
+      };
+    };
+  };
+}

system-modules/nx2site/proxy.nix

@@ -136,6 +136,13 @@
         listen = dl;
         locations = { "/" = { proxyPass = "http://127.0.0.1:8441"; }; }; 
       };
+      "dav.${domain}" = lib.mkIf config.services.radicale.enable (vh // {
+        listen = dl;
+        locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; }; 
+      });
+      "nc.${domain}" = vh // {
+        # directly to nc 
+      };
       "~^(.*).${domain}$" = {
         listen = dl;
         root = "/var/nginx/webroot";

system-modules/nx2site/radicale.nix

@@ -1,18 +1,28 @@
 { config, domain, ... }:
 {
   sops.secrets = { 
-    "nx2site/radicale-htpasswd" = {};
+    "nx2site/radicale-htpasswd" = {
+      owner = "radicale";
+    };
   };
 
   services = {
     radicale = {
-      server.hosts = let 
-        port = builtins.toString 5232;
-      in [ "192.168.178.32:${port}" ];
-      auth = {
-        type = "htpasswd";
-        htpasswd_filename = config.sops.secrets."nx2site/radicale-htpasswd".path;
-        htpasswd_encryption = "bcrypt";
+      # is run by user radicale
+      enable = true;
+      settings = {
+        server.hosts = let 
+          port = builtins.toString 5232;
+        in [ 
+          "0.0.0.0:${port}"
+          "${domain}:${port}"
+          # "192.168.178.32:${port}"
+        ];
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = config.sops.secrets."nx2site/radicale-htpasswd".path;
+          htpasswd_encryption = "bcrypt";
+        };
       };
     };
   };

system-modules/postgres.nix

@@ -26,6 +26,7 @@
 			ensureDatabases = [
 				"gitea"
 				"vaultwarden"
+				"nextcloud"
 			];
 			settings = {
 				port = 5432; # default
@@ -44,6 +45,10 @@
 					name = "vaultwarden";
 					ensureDBOwnership = true;
 				}
+				{
+					name = "nextcloud";
+					ensureDBOwnership = true;
+				}
 			];
 		};
 		postgresqlBackup = {

system-modules/users.nix

@@ -20,6 +20,8 @@
       "nginx" 
       "adbusers" 
       "postgres"
+      "radicale"
+      "nextcloud"
     ];
     useDefaultShell = true;
     openssh.authorizedKeys.keys = [