Added base nexcloud

2025-07-25 14:40:16 +02:00 · 2025-07-25 14:40:16 +02:00 · 1f8a4e0e79
commit 1f8a4e0e79
parent 3507a04fce
5 changed files with 132 additions and 0 deletions
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -42,5 +42,9 @@ in {
      file = ./immich-oidc.age;
      owner = abstrServiceUser "immich";
    };
+    nextcloud-admin-pass = mkIf server {
+      file = ./nextcloud-admin-pass.age;
+      owner = "nextcloud";
+    };
  };
 }
--- a/secrets/nextcloud-admin-pass.age
+++ b/secrets/nextcloud-admin-pass.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA Njcl+VZAFcfupb9luHQjSAzzPar8k0G0WVU8EtS37EY
+8IPsa1mz7qpxOmzXRNCwcp2KsBH45nM6M4D5vm1BgE8
+-> ssh-ed25519 MfR7VA WjSU/1VNHqylcPlaB+5FIyY879kQy/c+AyfdHrt6Xyo
+KIDdbbNcy+DQ9q+Eo8dzxDMlq8vR8XeKvRps+/ghe+E
+-> ssh-ed25519 +cvRTg eEExK1tU/S//HUL4x0SsJw8taRdOgLnOntUlpqVvMwk
+7pB4ROtshkMGw/D4mkVdi7a3vYGoIyCodSCsKcplTws
+-> ssh-ed25519 WCPLrA dNpd63ZB4ZlsgMlvdPeiW8VguhPkgRjCBor66cTAq1Q
+IFSbLiZs8QBAqruyV3Zuoe6iE5ctW4Aw+8ipQ/5rUGM
+-> ssh-ed25519 7/ziYw asgAI0TYuK4irNyoq/WFVCBrWC7NIJU5S4HQEfqEWTA
+YoCVz1GzZ+swKb/qT+hhnTy3/mcBDFkaHAomzyApY6I
+-> ssh-ed25519 VQy60Q 3XY6OcWrf3ZmXJNMo0tPrXofyjNtvt9VQaewkDZymTs
+JLpflAACxg6Esvq43FedOs56BuGa/6usymtfZl96nI
+--- 4dcH0MunNPsvsrUmFGYIgSMsgS2BNluJOa9ZmgZro6k
+Ød+	
+Tðß
+5òB}¢GÊkKÐ9Èšžqû$(q`†u$¶ù“»êÿ“Hˆ¦gC!÷
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -22,4 +22,5 @@ in {
  "zitadel-key.age".publicKeys = keys;
  "forgejo-mailpass.age".publicKeys = keys;
  "immich-oidc.age".publicKeys = keys;
+  "nextcloud-admin-pass.age".publicKeys = keys;
 }
--- a/system/server/default.nix
+++ b/system/server/default.nix
@ -10,6 +10,7 @@
    ./matrix.nix
    ./temp.nix
    ./zitadel.nix
+    ./nextcloud.nix
  ];
  options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
@ -0,0 +1,109 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (config.niksos) server;
+  host = "cloud.jsw.tf";
+  nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+  fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
+in {
+  services = lib.mkIf server {
+    nextcloud = {
+      enable = true;
+      hostName = host;
+
+      # Need to manually increment with every major upgrade.
+      package = pkgs.nextcloud31;
+
+      database.createLocally = true;
+      configureRedis = true;
+
+      maxUploadSize = "16G";
+      https = true;
+
+      autoUpdateApps.enable = true;
+      extraAppsEnable = true;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+        inherit calendar contacts mail notes tasks;
+      };
+
+      settings = {
+        default_phone_region = "NL";
+        enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+          "OC\\Preview\\HEIC"
+        ];
+      };
+      config = {
+        adminuser = "jsw-admin";
+        adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
+        dbtype = "pgsql";
+      };
+    };
+
+    caddy.virtualHosts.${host}.extraConfig = ''
+      encode zstd gzip
+
+      root * ${nginxRoot}
+
+      redir /.well-known/carddav /remote.php/dav 301
+      redir /.well-known/caldav /remote.php/dav 301
+      redir /.well-known/* /index.php{uri} 301
+      redir /remote/* /remote.php{uri} 301
+
+      header {
+        Strict-Transport-Security max-age=31536000
+        Permissions-Policy interest-cohort=()
+        X-Content-Type-Options nosniff
+        X-Frame-Options SAMEORIGIN
+        Referrer-Policy no-referrer
+        X-XSS-Protection "1; mode=block"
+        X-Permitted-Cross-Domain-Policies none
+        X-Robots-Tag "noindex, nofollow"
+        -X-Powered-By
+      }
+
+      php_fastcgi unix/${fpmSocket} {
+        root ${nginxRoot}
+        env front_controller_active true
+        env modHeadersAvailable true
+      }
+
+      @forbidden {
+        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+        not path /.well-known/*
+      }
+      error @forbidden 404
+
+      @immutable {
+        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+        query v=*
+      }
+      header @immutable Cache-Control "max-age=15778463, immutable"
+
+      @static {
+        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+        not query v=*
+      }
+      header @static Cache-Control "max-age=15778463"
+
+      @woff2 path *.woff2
+      header @woff2 Cache-Control "max-age=604800"
+
+      file_server
+    '';
+  };
+}