jsw/NiksOS
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Nextcloud: added caddy to nextcloud group so that it can read socket.

Browse source
This commit is contained in:
Jurn Wubben 2025-07-25 14:52:31 +02:00
parent 1f8a4e0e79
commit e8e216e25f
1 changed files with 93 additions and 89 deletions
Download patch file Download diff file Expand all files Collapse all files

182
system/server/nextcloud.nix
View file

@ -9,101 +9,105 @@
nginxRoot = config.services.nginx.virtualHosts.${host}.root; nginxRoot = config.services.nginx.virtualHosts.${host}.root;
fpmSocket = config.services.phpfpm.pools.nextcloud.socket; fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
in { in {
services = lib.mkIf server { config = lib.mkIf server {
nextcloud = { users.groups.nextcloud.members = ["nextcloud" "caddy"];
enable = true; services = {
hostName = host; nextcloud = {
enable = true;
hostName = host;
# Need to manually increment with every major upgrade. # Need to manually increment with every major upgrade.
package = pkgs.nextcloud31; package = pkgs.nextcloud31;
database.createLocally = true; database.createLocally = true;
configureRedis = true; configureRedis = true;
maxUploadSize = "16G"; maxUploadSize = "16G";
https = true; https = true;
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
extraAppsEnable = true; extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; { extraApps = with config.services.nextcloud.package.packages.apps; {
# https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
inherit calendar contacts mail notes tasks; inherit calendar contacts mail notes tasks;
};
settings = {
default_phone_region = "NL";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
config = {
adminuser = "jsw-admin";
adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
dbtype = "pgsql";
};
}; };
settings = { nginx.enable = lib.mkForce false;
default_phone_region = "NL"; caddy.virtualHosts."${host}".extraConfig = ''
enabledPreviewProviders = [ encode zstd gzip
"OC\\Preview\\BMP"
"OC\\Preview\\GIF" root * ${nginxRoot}
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita" redir /.well-known/carddav /remote.php/dav 301
"OC\\Preview\\MarkDown" redir /.well-known/caldav /remote.php/dav 301
"OC\\Preview\\MP3" redir /.well-known/* /index.php{uri} 301
"OC\\Preview\\OpenDocument" redir /remote/* /remote.php{uri} 301
"OC\\Preview\\PNG"
"OC\\Preview\\TXT" header {
"OC\\Preview\\XBitmap" Strict-Transport-Security max-age=31536000
"OC\\Preview\\HEIC" Permissions-Policy interest-cohort=()
]; X-Content-Type-Options nosniff
}; X-Frame-Options SAMEORIGIN
config = { Referrer-Policy no-referrer
adminuser = "jsw-admin"; X-XSS-Protection "1; mode=block"
adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}"; X-Permitted-Cross-Domain-Policies none
dbtype = "pgsql"; X-Robots-Tag "noindex, nofollow"
}; -X-Powered-By
}
php_fastcgi unix/${fpmSocket} {
root ${nginxRoot}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
}; };
caddy.virtualHosts.${host}.extraConfig = ''
encode zstd gzip
root * ${nginxRoot}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
}
php_fastcgi unix/${fpmSocket} {
root ${nginxRoot}
env front_controller_active true
env modHeadersAvailable true
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
}; };
} }