Nextcloud: enable oidc login

flake.nix

@@ -7,6 +7,7 @@
       imports = [
         inputs.git-hooks-nix.flakeModule
         ./hosts
+        ./pkgs
       ];
 
       perSystem = {

home/programs/other.nix

@@ -2,14 +2,17 @@
   pkgs,
   lib,
   osConfig,
+  self,
   ...
 }: {
-  home.packages = lib.mkIf osConfig.niksos.desktop.apps [
+  home.packages =
+    lib.optionals osConfig.niksos.desktop.apps [
       pkgs.spotify
       pkgs.signal-desktop
       pkgs.bambu-studio
       pkgs.gimp
       pkgs.inkscape
       pkgs.thunderbird
-  ];
+    ]
+    ++ lib.optional osConfig.niksos.hardware.portable.enable self.packages.${pkgs.system}.visicut;
 }

home/wayland/mako.nix

@@ -3,6 +3,6 @@
 in {
   services.mako = {
     inherit (osConfig.programs.hyprland) enable;
-    settings.defaultTimeout = 5000;
+    settings.default-timeout = 5000;
   };
 }

hosts/laptop/default.nix

@@ -2,7 +2,6 @@
   imports = [
     ./hardware-configuration.nix
     ./virt.nix
-    ./wluma.nix
   ];
 
   programs.appimage.enable = true;

hosts/laptop/wluma.nix

@@ -1,31 +0,0 @@
-{
-  hardware.sensor.iio.enable = true; # brightness sensor
-  home-manager.users.jsw.services.wluma = {
-    enable = true;
-    settings = {
-      als.iio = {
-        path = "/sys/bus/iio/devices";
-        thresholds = {
-          "0" = "night";
-          "10" = "dark";
-          "100" = "normal";
-          "20" = "dim";
-          "200" = "bright";
-          "500" = "outdoors";
-        };
-      };
-      output.backlight = [
-        {
-          capturer = "none";
-          name = "eDP-1";
-          path = "/sys/class/backlight/amdgpu_bl1";
-        }
-        {
-          capturer = "none";
-          name = "keyboard";
-          path = "/sys/bus/platform/devices/cros-keyboard-leds.5.auto/leds/chromeos::kbd_backlight";
-        }
-      ];
-    };
-  };
-}

pkgs/default.nix

@@ -0,0 +1,8 @@
+{
+  systems = ["x86_64-linux"];
+  perSystem = {pkgs, ...}: {
+    packages = {
+      visicut = pkgs.callPackage ./visicut {};
+    };
+  };
+}

pkgs/visicut/default.nix

@@ -0,0 +1,43 @@
+{
+  appimageTools,
+  fetchurl,
+  lib,
+}: let
+  pname = "VisiCut";
+  version = "2.1";
+
+  src = fetchurl {
+    url = "https://github.com/t-oster/VisiCut/releases/download/${version}/VisiCut-${version}+devel-x86_64.AppImage";
+    hash = "sha256-Mq6Rjozshwk8asY+5egScQ5TkoxzRnWlZ9p0WeEOoiE=";
+  };
+
+  appimageContents = appimageTools.extract {
+    inherit pname version src;
+    postExtract = ''
+      substituteInPlace $out/${desktopFile} --replace-fail 'Exec=visicut' 'Exec=${pname}'
+    '';
+  };
+
+  desktopFile = "VisiCut.desktop";
+  iconFile = "visicut.png";
+in
+  appimageTools.wrapType2 {
+    inherit pname version src;
+
+    extraInstallCommands = ''
+      install -m 444 -D ${appimageContents}/${desktopFile} $out/share/applications/${desktopFile}
+      install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/128x128/apps/${iconFile} \
+        $out/share/icons/hicolor/128x128/apps/${iconFile}
+    '';
+
+    meta = {
+      description = "A userfriendly tool to prepare, save and send Jobs to Lasercutters.";
+      homepage = "https://visicut.org/";
+      downloadPage = "https://github.com/t-oster/VisiCut/releases/";
+      license = lib.licenses.lgpl3;
+      sourceProvenance = with lib.sourceTypes; [binaryNativeCode];
+      # maintainers = with lib.maintainers; [onny];
+      mainProgram = "VisiCut";
+      platforms = ["x86_64-linux"];
+    };
+  }

secrets/default.nix

@@ -42,5 +42,9 @@ in {
       file = ./immich-oidc.age;
       owner = abstrServiceUser "immich";
     };
+    nextcloud-admin-pass = mkIf server {
+      file = ./nextcloud-admin-pass.age;
+      owner = "nextcloud";
+    };
   };
 }

secrets/nextcloud-admin-pass.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA Njcl+VZAFcfupb9luHQjSAzzPar8k0G0WVU8EtS37EY
+8IPsa1mz7qpxOmzXRNCwcp2KsBH45nM6M4D5vm1BgE8
+-> ssh-ed25519 MfR7VA WjSU/1VNHqylcPlaB+5FIyY879kQy/c+AyfdHrt6Xyo
+KIDdbbNcy+DQ9q+Eo8dzxDMlq8vR8XeKvRps+/ghe+E
+-> ssh-ed25519 +cvRTg eEExK1tU/S//HUL4x0SsJw8taRdOgLnOntUlpqVvMwk
+7pB4ROtshkMGw/D4mkVdi7a3vYGoIyCodSCsKcplTws
+-> ssh-ed25519 WCPLrA dNpd63ZB4ZlsgMlvdPeiW8VguhPkgRjCBor66cTAq1Q
+IFSbLiZs8QBAqruyV3Zuoe6iE5ctW4Aw+8ipQ/5rUGM
+-> ssh-ed25519 7/ziYw asgAI0TYuK4irNyoq/WFVCBrWC7NIJU5S4HQEfqEWTA
+YoCVz1GzZ+swKb/qT+hhnTy3/mcBDFkaHAomzyApY6I
+-> ssh-ed25519 VQy60Q 3XY6OcWrf3ZmXJNMo0tPrXofyjNtvt9VQaewkDZymTs
++JLpflAACxg6Esvq43FedOs56BuGa/6usymtfZl96nI
+--- 4dcH0MunNPsvsrUmFGYIgSMsgS2BNluJOa9ZmgZro6k
+Ød+	
+Tðß
+5òB}¢GÊkKÐ9Èšžqû$(q`†u$¶ù“»êÿ“Hˆ¦gC!÷

secrets/secrets.nix

@@ -22,4 +22,5 @@ in {
   "zitadel-key.age".publicKeys = keys;
   "forgejo-mailpass.age".publicKeys = keys;
   "immich-oidc.age".publicKeys = keys;
+  "nextcloud-admin-pass.age".publicKeys = keys;
 }

system/server/default.nix

@@ -10,6 +10,7 @@
     ./matrix.nix
     ./temp.nix
     ./zitadel.nix
+    ./nextcloud.nix
   ];
   options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }

system/server/derekBot.nix

@@ -53,7 +53,7 @@ in {
 
         cd "${programDir}"
         git fetch
-        git reset --hard HEAD
+        git reset --hard origin/HEAD
 
         DENO_DIR=${denoDir} deno i
       '';

system/server/nextcloud.nix

@@ -0,0 +1,127 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (config.niksos) server;
+  host = "cloud.jsw.tf";
+  nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+  fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
+in {
+  config = lib.mkIf server {
+    users.groups.nextcloud.members = ["nextcloud" "caddy"];
+    services = {
+      nextcloud = {
+        enable = true;
+        hostName = host;
+
+        # Need to manually increment with every major upgrade.
+        package = pkgs.nextcloud31;
+
+        database.createLocally = true;
+        configureRedis = true;
+
+        maxUploadSize = "16G";
+        https = true;
+
+        autoUpdateApps.enable = true;
+        extraAppsEnable = true;
+        extraApps = {
+          # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+          inherit
+            (config.services.nextcloud.package.packages.apps)
+            calendar
+            contacts
+            mail
+            notes
+            tasks
+            user_oidc
+            ;
+        };
+
+        settings = {
+          default_phone_region = "NL";
+          enabledPreviewProviders = [
+            "OC\\Preview\\BMP"
+            "OC\\Preview\\GIF"
+            "OC\\Preview\\JPEG"
+            "OC\\Preview\\Krita"
+            "OC\\Preview\\MarkDown"
+            "OC\\Preview\\MP3"
+            "OC\\Preview\\OpenDocument"
+            "OC\\Preview\\PNG"
+            "OC\\Preview\\TXT"
+            "OC\\Preview\\XBitmap"
+            "OC\\Preview\\HEIC"
+          ];
+        };
+        config = {
+          adminuser = "jsw-admin";
+          adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
+          dbtype = "pgsql";
+        };
+      };
+
+      nginx.enable = lib.mkForce false;
+      phpfpm.pools.nextcloud.settings = let
+        inherit (config.services.caddy) user group;
+      in {
+        "listen.owner" = user;
+        "listen.group" = group;
+      };
+      caddy.virtualHosts."${host}".extraConfig = ''
+        encode zstd gzip
+
+        root * ${nginxRoot}
+
+        redir /.well-known/carddav /remote.php/dav 301
+        redir /.well-known/caldav /remote.php/dav 301
+        redir /.well-known/* /index.php{uri} 301
+        redir /remote/* /remote.php{uri} 301
+
+        header {
+          Strict-Transport-Security max-age=31536000
+          Permissions-Policy interest-cohort=()
+          X-Content-Type-Options nosniff
+          X-Frame-Options SAMEORIGIN
+          Referrer-Policy no-referrer
+          X-XSS-Protection "1; mode=block"
+          X-Permitted-Cross-Domain-Policies none
+          X-Robots-Tag "noindex, nofollow"
+          -X-Powered-By
+        }
+
+        php_fastcgi unix/${fpmSocket} {
+          root ${nginxRoot}
+          env front_controller_active true
+          env modHeadersAvailable true
+        }
+
+        @forbidden {
+          path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+          path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+          not path /.well-known/*
+        }
+        error @forbidden 404
+
+        @immutable {
+          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+          query v=*
+        }
+        header @immutable Cache-Control "max-age=15778463, immutable"
+
+        @static {
+          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+          not query v=*
+        }
+        header @static Cache-Control "max-age=15778463"
+
+        @woff2 path *.woff2
+        header @woff2 Cache-Control "max-age=604800"
+
+        file_server
+      '';
+    };
+  };
+}