From e8e216e25f39886bf05247111684d243302d17d9 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 25 Jul 2025 14:52:31 +0200 Subject: [PATCH] Nextcloud: added caddy to nextcloud group so that it can read socket. --- system/server/nextcloud.nix | 182 ++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 89 deletions(-) diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix index 8014370..4bfa5bf 100644 --- a/system/server/nextcloud.nix +++ b/system/server/nextcloud.nix @@ -9,101 +9,105 @@ nginxRoot = config.services.nginx.virtualHosts.${host}.root; fpmSocket = config.services.phpfpm.pools.nextcloud.socket; in { - services = lib.mkIf server { - nextcloud = { - enable = true; - hostName = host; + config = lib.mkIf server { + users.groups.nextcloud.members = ["nextcloud" "caddy"]; + services = { + nextcloud = { + enable = true; + hostName = host; - # Need to manually increment with every major upgrade. - package = pkgs.nextcloud31; + # Need to manually increment with every major upgrade. + package = pkgs.nextcloud31; - database.createLocally = true; - configureRedis = true; + database.createLocally = true; + configureRedis = true; - maxUploadSize = "16G"; - https = true; + maxUploadSize = "16G"; + https = true; - autoUpdateApps.enable = true; - extraAppsEnable = true; - extraApps = with config.services.nextcloud.package.packages.apps; { - # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json - inherit calendar contacts mail notes tasks; + autoUpdateApps.enable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit calendar contacts mail notes tasks; + }; + + settings = { + default_phone_region = "NL"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; + }; + config = { + adminuser = "jsw-admin"; + adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; + dbtype = "pgsql"; + }; }; - settings = { - default_phone_region = "NL"; - enabledPreviewProviders = [ - "OC\\Preview\\BMP" - "OC\\Preview\\GIF" - "OC\\Preview\\JPEG" - "OC\\Preview\\Krita" - "OC\\Preview\\MarkDown" - "OC\\Preview\\MP3" - "OC\\Preview\\OpenDocument" - "OC\\Preview\\PNG" - "OC\\Preview\\TXT" - "OC\\Preview\\XBitmap" - "OC\\Preview\\HEIC" - ]; - }; - config = { - adminuser = "jsw-admin"; - adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; - dbtype = "pgsql"; - }; + nginx.enable = lib.mkForce false; + caddy.virtualHosts."${host}".extraConfig = '' + encode zstd gzip + + root * ${nginxRoot} + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/* /index.php{uri} 301 + redir /remote/* /remote.php{uri} 301 + + header { + Strict-Transport-Security max-age=31536000 + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By + } + + php_fastcgi unix/${fpmSocket} { + root ${nginxRoot} + env front_controller_active true + env modHeadersAvailable true + } + + @forbidden { + path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* + path /.* /autotest* /occ* /issue* /indie* /db_* /console* + not path /.well-known/* + } + error @forbidden 404 + + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server + ''; }; - - caddy.virtualHosts.${host}.extraConfig = '' - encode zstd gzip - - root * ${nginxRoot} - - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/* /index.php{uri} 301 - redir /remote/* /remote.php{uri} 301 - - header { - Strict-Transport-Security max-age=31536000 - Permissions-Policy interest-cohort=() - X-Content-Type-Options nosniff - X-Frame-Options SAMEORIGIN - Referrer-Policy no-referrer - X-XSS-Protection "1; mode=block" - X-Permitted-Cross-Domain-Policies none - X-Robots-Tag "noindex, nofollow" - -X-Powered-By - } - - php_fastcgi unix/${fpmSocket} { - root ${nginxRoot} - env front_controller_active true - env modHeadersAvailable true - } - - @forbidden { - path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* - path /.* /autotest* /occ* /issue* /indie* /db_* /console* - not path /.well-known/* - } - error @forbidden 404 - - @immutable { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - query v=* - } - header @immutable Cache-Control "max-age=15778463, immutable" - - @static { - path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite - not query v=* - } - header @static Cache-Control "max-age=15778463" - - @woff2 path *.woff2 - header @woff2 Cache-Control "max-age=604800" - - file_server - ''; }; }