From 1f8a4e0e79a940dfedd8bcd97367bfdcfe5d3c2e Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 25 Jul 2025 14:40:16 +0200
Subject: [PATCH] Added base nexcloud

---
 secrets/default.nix | 4 ++
 secrets/nextcloud-admin-pass.age | 17 +++++
 secrets/secrets.nix | 1 +
 system/server/default.nix | 1 +
 system/server/nextcloud.nix | 109 +++++++++++++++++++++++++++++++
 5 files changed, 132 insertions(+)
 create mode 100644 secrets/nextcloud-admin-pass.age
 create mode 100644 system/server/nextcloud.nix

diff --git a/secrets/default.nix b/secrets/default.nix
index b2ffdcc..eb03533 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -42,5 +42,9 @@ in {
 file = ./immich-oidc.age;
 owner = abstrServiceUser "immich";
 };
+ nextcloud-admin-pass = mkIf server {
+ file = ./nextcloud-admin-pass.age;
+ owner = "nextcloud";
+ };
 };
 }
diff --git a/secrets/nextcloud-admin-pass.age b/secrets/nextcloud-admin-pass.age
new file mode 100644
index 0000000..23c404a
--- /dev/null
+++ b/secrets/nextcloud-admin-pass.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA Njcl+VZAFcfupb9luHQjSAzzPar8k0G0WVU8EtS37EY
+8IPsa1mz7qpxOmzXRNCwcp2KsBH45nM6M4D5vm1BgE8
+-> ssh-ed25519 MfR7VA WjSU/1VNHqylcPlaB+5FIyY879kQy/c+AyfdHrt6Xyo
+KIDdbbNcy+DQ9q+Eo8dzxDMlq8vR8XeKvRps+/ghe+E
+-> ssh-ed25519 +cvRTg eEExK1tU/S//HUL4x0SsJw8taRdOgLnOntUlpqVvMwk
+7pB4ROtshkMGw/D4mkVdi7a3vYGoIyCodSCsKcplTws
+-> ssh-ed25519 WCPLrA dNpd63ZB4ZlsgMlvdPeiW8VguhPkgRjCBor66cTAq1Q
+IFSbLiZs8QBAqruyV3Zuoe6iE5ctW4Aw+8ipQ/5rUGM
+-> ssh-ed25519 7/ziYw asgAI0TYuK4irNyoq/WFVCBrWC7NIJU5S4HQEfqEWTA
+YoCVz1GzZ+swKb/qT+hhnTy3/mcBDFkaHAomzyApY6I
+-> ssh-ed25519 VQy60Q 3XY6OcWrf3ZmXJNMo0tPrXofyjNtvt9VQaewkDZymTs
++JLpflAACxg6Esvq43FedOs56BuGa/6usymtfZl96nI
+--- 4dcH0MunNPsvsrUmFGYIgSMsgS2BNluJOa9ZmgZro6k
+Ød+ +Tðß +5òB}¢GÊkKÐ9Èšžqû$(q`†u$¶ù“»êÿ“Hˆ¦gC!÷
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index df90563..72393aa 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
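Review bot: The new `nextcloud-admin-pass` entry hard-codes `owner = "nextcloud";` whereas the immich entry just above it derives its owner with `abstrServiceUser "immich"`. If that helper maps a service name to the user the service actually runs as, `owner = abstrServiceUser "nextcloud";` would keep the two entries uniform and follow any later change to the Nextcloud service user automatically; if it does something different, a one-line comment saying why this entry is spelled out by hand would save the next reader the lookup. The enclosing attribute set starts outside the hunk.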
@@ -22,4 +22,5 @@ in {
 "zitadel-key.age".publicKeys = keys;
 "forgejo-mailpass.age".publicKeys = keys;
 "immich-oidc.age".publicKeys = keys;
+ "nextcloud-admin-pass.age".publicKeys = keys;
 }
diff --git a/system/server/default.nix b/system/server/default.nix
index c6ac1c8..7319695 100644
--- a/system/server/default.nix
+++ b/system/server/default.nix
@@ -10,6 +10,7 @@
 ./matrix.nix
 ./temp.nix
 ./zitadel.nix
+ ./nextcloud.nix
 ];
 options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }
diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix
new file mode 100644
index 0000000..8014370
--- /dev/null
+++ b/system/server/nextcloud.nix
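Review bot: `"nextcloud-admin-pass.age".publicKeys = keys;` encrypts the Nextcloud admin password to the whole shared `keys` list (the committed .age file carries six ssh-ed25519 recipient stanzas), although the secret itself is declared only `mkIf server` and only the `nextcloud` user on that host needs to read it. If `keys` covers more hosts or people than the server, a recipient list scoped to this secret, for example `"nextcloud-admin-pass.age".publicKeys = serverKeys;` with such a list defined alongside `keys`, would limit who can decrypt it. Since this mirrors every neighbouring entry it may be a deliberate trade-off, in which case a short comment at the top of the list stating that is enough. The enclosing attribute set starts outside the hunk.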
@@ -0,0 +1,109 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (config.niksos) server;
+ host = "cloud.jsw.tf";
+ nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+ fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
+in {
+ services = lib.mkIf server {
+ nextcloud = {
+ enable = true;
+ hostName = host;
+
+ # Need to manually increment with every major upgrade.
+ package = pkgs.nextcloud31;
+
+ database.createLocally = true;
+ configureRedis = true;
+
+ maxUploadSize = "16G";
+ https = true;
+
+ autoUpdateApps.enable = true;
+ extraAppsEnable = true;
+ extraApps = with config.services.nextcloud.package.packages.apps; {
+ # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+ inherit calendar contacts mail notes tasks;
+ };
+
+ settings = {
+ default_phone_region = "NL";
+ enabledPreviewProviders = [
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ "OC\\Preview\\HEIC"
+ ];
+ };
+ config = {
+ adminuser = "jsw-admin";
+ adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
+ dbtype = "pgsql";
+ };
+ };
+
+ caddy.virtualHosts.${host}.extraConfig = ''
+ encode zstd gzip
+
+ root * ${nginxRoot}
+
+ redir /.well-known/carddav /remote.php/dav 301
+ redir /.well-known/caldav /remote.php/dav 301
+ redir /.well-known/* /index.php{uri} 301
+ redir /remote/* /remote.php{uri} 301
+
+ header {
+ Strict-Transport-Security max-age=31536000
+ Permissions-Policy interest-cohort=()
+ X-Content-Type-Options nosniff
+ X-Frame-Options SAMEORIGIN
+ Referrer-Policy no-referrer
+ X-XSS-Protection "1; mode=block"
+ X-Permitted-Cross-Domain-Policies none
+ X-Robots-Tag "noindex, nofollow"
+ -X-Powered-By
+ }
+
+ php_fastcgi unix/${fpmSocket} {
+ root ${nginxRoot}
+ env front_controller_active true
+ env modHeadersAvailable true
+ }
+
+ @forbidden {
+ path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+ path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+ not path /.well-known/*
+ }
+ error @forbidden 404
+
+ @immutable {
+ path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+ query v=*
+ }
+ header @immutable Cache-Control "max-age=15778463, immutable"
+
+ @static {
+ path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+ not query v=*
+ }
+ header @static Cache-Control "max-age=15778463"
+
+ @woff2 path *.woff2
+ header @woff2 Cache-Control "max-age=604800"
+
+ file_server
+ '';
+ };
+}
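Review bot: Nothing in this file turns nginx off, yet the NixOS nextcloud module enables `services.nginx` by default and defines its own virtual host for `cloud.jsw.tf` (the one `nginxRoot` reads from), so unless that is overridden elsewhere in the configuration both nginx and Caddy will try to bind ports 80/443 on the server; adding `nginx.enable = false;` next to `nextcloud` and `caddy` inside the `services` set makes the intent explicit and keeps the evaluation of `nginxRoot` working. In the `header { ... }` block, `X-XSS-Protection "1; mode=block"` re-enables a legacy browser filter that current browsers have removed and that has itself been a source of information leaks, so the value recommended today is `X-XSS-Protection "0"`, or simply dropping the line. Minor: `adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";` wraps a string in an interpolation for no effect; `adminpassFile = config.age.secrets.nextcloud-admin-pass.path;` reads cleaner.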