Initial NixOS infra flake skeleton

modules/nextcloud.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [ ./flowback-options.nix ];
+
+  # Enable nginx + ACME (TLS). Works when DNS points correctly.
+  services.nginx.enable = true;
+
+  security.acme.acceptTerms = true;
+  # I will change this email later
+  security.acme.defaults.email = "me@example.com";
+
+  services.nextcloud = {
+    enable = true;
+    hostName = config.services.flowback.nextcloudHost;
+    https = true;
+
+    # Performance / reliability
+    configureRedis = true;
+
+    # DB locally (Postgres) — production-ready baseline
+    database.createLocally = true;
+
+    # Admin bootstrap secret will be wired via sops later.
+    # For now, placeholder: you’ll set adminpassFile via sops secret.
+    config = {
+      adminuser = "admin";
+      adminpassFile = "/var/lib/sops-nix/nextcloud-adminpass";
+      dbtype = "pgsql";
+      dbpassFile = "/var/lib/sops-nix/nextcloud-dbpass";
+    };
+  };
+
+  services.nginx.virtualHosts.${config.services.flowback.nextcloudHost} = {
+    forceSSL = true;
+    enableACME = true;
+  };
+}