Merge pull request 'nextcloud' (#3) from nextcloud into master

Reviewed-on: #3
2025-08-05 18:22:16 +00:00 · 2025-08-05 18:22:16 +00:00 · d937c68b8f
commit d937c68b8f
parent eec4d6969b 8a95374dec
6 changed files with 173 additions and 1 deletions
--- a/system/server/default.nix
+++ b/system/server/default.nix
@ -10,6 +10,7 @@
    ./matrix.nix
    ./temp.nix
    ./zitadel.nix
+    ./nextcloud.nix
  ];
  options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }
--- a/system/server/index/index.html
+++ b/system/server/index/index.html
@ -76,7 +76,8 @@
    <p>Hello! I'm <b>jsw</b>, a frontend web developer with experience in <b>Svelte + TS</b>, <b>Nix(OS)</b> and currently learning <b>Rust</b>. This site is still under development, so please bear with me. In the meantime, feel free to reach out via email or explore my projects on GitHub.</p>
    <div class="contact">
        <p class="emoji">📧 <a href="mailto:info@jsw.tf">info@jsw.tf</a></p>
-        <p class="emoji">🐙 <a href="https://github.com/jsw08" target="_blank">GitHub</a></p>
+        <p class="emoji">🔨 <a href="https://git.jsw.tf/jsw" target="_blank">Personal git</a></p>
+        <p class="emoji">🐙 <a href="https://github.com/jsw08" target="_blank">GitHub (legacy)</a></p>
    </div>

    <footer>
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
@ -0,0 +1,148 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (config.niksos) server;
+  host = "cloud.jsw.tf";
+  nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+  fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
+  imaginaryPort = 9005;
+in {
+  config = lib.mkIf server {
+    users.groups.nextcloud.members = ["nextcloud" "caddy"];
+    services = {
+      nextcloud = {
+        enable = true;
+        hostName = host;
+
+        # Need to manually increment with every major upgrade.
+        package = pkgs.nextcloud31;
+
+        database.createLocally = true;
+        configureRedis = true;
+
+        maxUploadSize = "16G";
+        https = true;
+
+        autoUpdateApps.enable = true;
+        extraAppsEnable = true;
+        extraApps = {
+          # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+          inherit
+            (config.services.nextcloud.package.packages.apps)
+            calendar
+            contacts
+            mail
+            user_oidc
+            phonetrack
+            ;
+          external = pkgs.fetchNextcloudApp {
+            # https://github.com/helsinki-systems/nc4nix/blob/main/31.json #NOTE: 31.json is version.
+            hash = "sha256-xVrnahqgXIXjk9gukrFgpwZiT2poUIDl83xV8hXPisw=";
+            url = "https://github.com/nextcloud-releases/external/releases/download/v6.0.2/external-v6.0.2.tar.gz";
+            license = "agpl3Plus";
+          };
+        };
+
+        settings = {
+          "auth.webauthn.enabled" = false; #INFO: We use openid baby...
+          default_phone_region = "NL";
+          enabledPreviewProviders = [
+            "OC\\Preview\\BMP"
+            "OC\\Preview\\GIF"
+            "OC\\Preview\\JPEG"
+            "OC\\Preview\\Krita"
+            "OC\\Preview\\MarkDown"
+            "OC\\Preview\\MP3"
+            "OC\\Preview\\OpenDocument"
+            "OC\\Preview\\PNG"
+            "OC\\Preview\\TXT"
+            "OC\\Preview\\XBitmap"
+            "OC\\Preview\\HEIC"
+            "OC\Preview\Imaginary"
+          ];
+          preview_imaginary_url = "http://localhost:${builtins.toString imaginaryPort}";
+          preview_format = "webp";
+
+          trusted_proxies = ["127.0.0.1"];
+          maintenance_window_start = 1;
+          log_type = "file";
+        };
+        phpOptions."opcache.interned_strings_buffer" = 24;
+        config = {
+          adminuser = "jsw-admin";
+          adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
+          dbtype = "pgsql";
+        };
+      };
+      imaginary = {
+        enable = true;
+        port = imaginaryPort;
+        address = "localhost";
+        settings.returnSize = true;
+      };
+
+      nginx.enable = lib.mkForce false;
+      phpfpm.pools.nextcloud.settings = let
+        inherit (config.services.caddy) user group;
+      in {
+        "listen.owner" = user;
+        "listen.group" = group;
+      };
+      caddy.virtualHosts."${host}".extraConfig = ''
+        encode zstd gzip
+
+        root * ${nginxRoot}
+
+        redir /.well-known/carddav /remote.php/dav 301
+        redir /.well-known/caldav /remote.php/dav 301
+        redir /.well-known/* /index.php{uri} 301
+        redir /remote/* /remote.php{uri} 301
+
+        header {
+          Strict-Transport-Security max-age=31536000
+          Permissions-Policy interest-cohort=()
+          X-Content-Type-Options nosniff
+          X-Frame-Options SAMEORIGIN
+          Referrer-Policy no-referrer
+          X-XSS-Protection "1; mode=block"
+          X-Permitted-Cross-Domain-Policies none
+          X-Robots-Tag "noindex, nofollow"
+          -X-Powered-By
+        }
+
+        php_fastcgi unix/${fpmSocket} {
+          root ${nginxRoot}
+          env front_controller_active true
+          env modHeadersAvailable true
+        }
+
+        @forbidden {
+          path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+          path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+          not path /.well-known/*
+        }
+        error @forbidden 404
+
+        @immutable {
+          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+          query v=*
+        }
+        header @immutable Cache-Control "max-age=15778463, immutable"
+
+        @static {
+          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+          not query v=*
+        }
+        header @static Cache-Control "max-age=15778463"
+
+        @woff2 path *.woff2
+        header @woff2 Cache-Control "max-age=604800"
+
+        file_server
+      '';
+    };
+  };
+}