From f47eb458ee8e2f679af667beda1e179079b78607 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 25 Jul 2025 14:40:16 +0200 Subject: [PATCH 01/11] Added base nexcloud --- secrets/default.nix | 4 ++ secrets/nextcloud-admin-pass.age | 17 +++++ secrets/secrets.nix | 1 + system/server/default.nix | 1 + system/server/nextcloud.nix | 109 +++++++++++++++++++++++++++++++ 5 files changed, 132 insertions(+) create mode 100644 secrets/nextcloud-admin-pass.age create mode 100644 system/server/nextcloud.nix diff --git a/secrets/default.nix b/secrets/default.nix index b2ffdcc..eb03533 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -42,5 +42,9 @@ in { file = ./immich-oidc.age; owner = abstrServiceUser "immich"; }; + nextcloud-admin-pass = mkIf server { + file = ./nextcloud-admin-pass.age; + owner = "nextcloud"; + }; }; } diff --git a/secrets/nextcloud-admin-pass.age b/secrets/nextcloud-admin-pass.age new file mode 100644 index 0000000..23c404a --- /dev/null +++ b/secrets/nextcloud-admin-pass.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA Njcl+VZAFcfupb9luHQjSAzzPar8k0G0WVU8EtS37EY +8IPsa1mz7qpxOmzXRNCwcp2KsBH45nM6M4D5vm1BgE8 +-> ssh-ed25519 MfR7VA WjSU/1VNHqylcPlaB+5FIyY879kQy/c+AyfdHrt6Xyo +KIDdbbNcy+DQ9q+Eo8dzxDMlq8vR8XeKvRps+/ghe+E +-> ssh-ed25519 +cvRTg eEExK1tU/S//HUL4x0SsJw8taRdOgLnOntUlpqVvMwk +7pB4ROtshkMGw/D4mkVdi7a3vYGoIyCodSCsKcplTws +-> ssh-ed25519 WCPLrA dNpd63ZB4ZlsgMlvdPeiW8VguhPkgRjCBor66cTAq1Q +IFSbLiZs8QBAqruyV3Zuoe6iE5ctW4Aw+8ipQ/5rUGM +-> ssh-ed25519 7/ziYw asgAI0TYuK4irNyoq/WFVCBrWC7NIJU5S4HQEfqEWTA +YoCVz1GzZ+swKb/qT+hhnTy3/mcBDFkaHAomzyApY6I +-> ssh-ed25519 VQy60Q 3XY6OcWrf3ZmXJNMo0tPrXofyjNtvt9VQaewkDZymTs ++JLpflAACxg6Esvq43FedOs56BuGa/6usymtfZl96nI +--- 4dcH0MunNPsvsrUmFGYIgSMsgS2BNluJOa9ZmgZro6k +d+ +T +5B}GkK9q$(q`u$HgC! \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index df90563..72393aa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -22,4 +22,5 @@ in {
   "zitadel-key.age".publicKeys = keys;
   "forgejo-mailpass.age".publicKeys = keys;
   "immich-oidc.age".publicKeys = keys;
+  "nextcloud-admin-pass.age".publicKeys = keys;
 }
diff --git a/system/server/default.nix b/system/server/default.nix
index c6ac1c8..7319695 100644
--- a/system/server/default.nix
+++ b/system/server/default.nix
@@ -10,6 +10,7 @@
     ./matrix.nix
     ./temp.nix
     ./zitadel.nix
+    ./nextcloud.nix
   ];
   options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }
diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix
new file mode 100644
index 0000000..8014370
--- /dev/null
+++ b/system/server/nextcloud.nix
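Review bot: `"nextcloud-admin-pass.age".publicKeys = keys;` encrypts a server-only secret to the whole `keys` list — the new `.age` header in this series carries six ssh-ed25519 recipients — so every host or user key in that list can decrypt the Nextcloud admin password, not just the server that consumes it. The neighbouring entries are declared the same way, so this may be the repo's convention, but a narrower recipient set (the server's host key plus the key used for editing) would keep a lost workstation key from exposing this and the other server-only secrets. If `keys` is already restricted to server-side keys, a one-line comment above the list saying so would answer the question for the next reader.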
@@ -0,0 +1,109 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (config.niksos) server;
+  host = "cloud.jsw.tf";
+  nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+  fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
+in {
+  services = lib.mkIf server {
+    nextcloud = {
+      enable = true;
+      hostName = host;
+
+      # Need to manually increment with every major upgrade.
+      package = pkgs.nextcloud31;
+
+      database.createLocally = true;
+      configureRedis = true;
+
+      maxUploadSize = "16G";
+      https = true;
+
+      autoUpdateApps.enable = true;
+      extraAppsEnable = true;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+        inherit calendar contacts mail notes tasks;
+      };
+
+      settings = {
+        default_phone_region = "NL";
+        enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+          "OC\\Preview\\HEIC"
+        ];
+      };
+      config = {
+        adminuser = "jsw-admin";
+        adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
+        dbtype = "pgsql";
+      };
+    };
+
+    caddy.virtualHosts.${host}.extraConfig = ''
+      encode zstd gzip
+
+      root * ${nginxRoot}
+
+      redir /.well-known/carddav /remote.php/dav 301
+      redir /.well-known/caldav /remote.php/dav 301
+      redir /.well-known/* /index.php{uri} 301
+      redir /remote/* /remote.php{uri} 301
+
+      header {
+        Strict-Transport-Security max-age=31536000
+        Permissions-Policy interest-cohort=()
+        X-Content-Type-Options nosniff
+        X-Frame-Options SAMEORIGIN
+        Referrer-Policy no-referrer
+        X-XSS-Protection "1; mode=block"
+        X-Permitted-Cross-Domain-Policies none
+        X-Robots-Tag "noindex, nofollow"
+        -X-Powered-By
+      }
+
+      php_fastcgi unix/${fpmSocket} {
+        root ${nginxRoot}
+        env front_controller_active true
+        env modHeadersAvailable true
+      }
+
+      @forbidden {
+        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+        not path /.well-known/*
+      }
+      error @forbidden 404
+
+      @immutable {
+        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+        query v=*
+      }
+      header @immutable Cache-Control "max-age=15778463, immutable"
+
+      @static {
+        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+        not query v=*
+      }
+      header @static Cache-Control "max-age=15778463"
+
+      @woff2 path *.woff2
+      header @woff2 Cache-Control "max-age=604800"
+
+      file_server
+    '';
+  };
+}
-- 
2.51.0

From ade92871e4ffbc523cdb6f880d5a7908b7603bdd Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 25 Jul 2025 14:52:31 +0200
Subject: [PATCH 02/11] Nextcloud: added caddy to nextcloud group so that it can read socket.

---
 system/server/nextcloud.nix | 182 ++++++++++++++++++------------------
 1 file changed, 93 insertions(+), 89 deletions(-)

diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix
index 8014370..4bfa5bf 100644
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
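Review bot: `php_fastcgi unix/${fpmSocket}` executes every `*.php` under `${nginxRoot}` that `@forbidden` does not cover, while Nextcloud's reference nginx configuration only lets a short allow-list of front controllers (index, remote, public, cron, status, ocs/v1, ocs/v2, core/ajax/update, updater/, ocs-provider/) reach PHP-FPM and rewrites any other `.php` path to `/index.php`; as far as I can tell this Caddy recipe drops that restriction, so any stray or dropped script under an app directory would be directly executable. The excerpt below adds a matcher for PHP paths outside that allow-list and answers them with 404 the way `@forbidden` already does — mirroring the reference rewrite to `/index.php` instead would need a `route` block so that the `@forbidden` check still sees the original path, and the Collabora built-in `richdocumentscode*/proxy.php` would need an entry if that app is ever installed. Separately, `adminpassFile` is read only by the first-install `occ maintenance:install`, so later rotations of `nextcloud-admin-pass.age` do not change the admin password; a comment such as `# Only consulted on first install; rotate with occ user:resetpassword afterwards.` next to it would avoid a false sense of rotation. The hunk is the complete new file.
```nix
      # … unchanged: encode / root / redir / header block …

      # Only Nextcloud's front controllers may reach PHP-FPM directly; every
      # other .php path is refused, matching the allow-list in the reference
      # nginx configuration.
      @notfront {
        path *.php *.php/*
        not path /index.php* /remote.php* /public.php* /cron.php* /status.php* /ocs/v1.php* /ocs/v2.php* /core/ajax/update.php* /updater/* /ocs-provider/*
      }
      error @notfront 404

      php_fastcgi unix/${fpmSocket} {
        root ${nginxRoot}
        env front_controller_active true
        env modHeadersAvailable true
      }

      # … unchanged: @forbidden, cache headers, file_server …
```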
@@ -9,101 +9,105 @@
   nginxRoot = config.services.nginx.virtualHosts.${host}.root;
   fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
 in {
-  services = lib.mkIf server {
-    nextcloud = {
-      enable = true;
-      hostName = host;
+  config = lib.mkIf server {
+    users.groups.nextcloud.members = ["nextcloud" "caddy"];
+    services = {
+      nextcloud = {
+        enable = true;
+        hostName = host;
 
-      # Need to manually increment with every major upgrade.
-      package = pkgs.nextcloud31;
+        # Need to manually increment with every major upgrade.
+        package = pkgs.nextcloud31;
 
-      database.createLocally = true;
-      configureRedis = true;
+        database.createLocally = true;
+        configureRedis = true;
 
-      maxUploadSize = "16G";
-      https = true;
+        maxUploadSize = "16G";
+        https = true;
 
-      autoUpdateApps.enable = true;
-      extraAppsEnable = true;
-      extraApps = with config.services.nextcloud.package.packages.apps; {
-        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
-        inherit calendar contacts mail notes tasks;
+        autoUpdateApps.enable = true;
+        extraAppsEnable = true;
+        extraApps = with config.services.nextcloud.package.packages.apps; {
+          # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+          inherit calendar contacts mail notes tasks;
+        };
+
+        settings = {
+          default_phone_region = "NL";
+          enabledPreviewProviders = [
+            "OC\\Preview\\BMP"
+            "OC\\Preview\\GIF"
+            "OC\\Preview\\JPEG"
+            "OC\\Preview\\Krita"
+            "OC\\Preview\\MarkDown"
+            "OC\\Preview\\MP3"
+            "OC\\Preview\\OpenDocument"
+            "OC\\Preview\\PNG"
+            "OC\\Preview\\TXT"
+            "OC\\Preview\\XBitmap"
+            "OC\\Preview\\HEIC"
+          ];
+        };
+        config = {
+          adminuser = "jsw-admin";
+          adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
+          dbtype = "pgsql";
+        };
       };
 
-      settings = {
-        default_phone_region = "NL";
-        enabledPreviewProviders = [
-          "OC\\Preview\\BMP"
-          "OC\\Preview\\GIF"
-          "OC\\Preview\\JPEG"
-          "OC\\Preview\\Krita"
-          "OC\\Preview\\MarkDown"
-          "OC\\Preview\\MP3"
-          "OC\\Preview\\OpenDocument"
-          "OC\\Preview\\PNG"
-          "OC\\Preview\\TXT"
-          "OC\\Preview\\XBitmap"
-          "OC\\Preview\\HEIC"
-        ];
-      };
-      config = {
-        adminuser = "jsw-admin";
-        adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
-        dbtype = "pgsql";
-      };
+      nginx.enable = lib.mkForce false;
+      caddy.virtualHosts."${host}".extraConfig = ''
+        encode zstd gzip
+
+        root * ${nginxRoot}
+
+        redir /.well-known/carddav /remote.php/dav 301
+        redir /.well-known/caldav /remote.php/dav 301
+        redir /.well-known/* /index.php{uri} 301
+        redir /remote/* /remote.php{uri} 301
+
+        header {
+          Strict-Transport-Security max-age=31536000
+          Permissions-Policy interest-cohort=()
+          X-Content-Type-Options nosniff
+          X-Frame-Options SAMEORIGIN
+          Referrer-Policy no-referrer
+          X-XSS-Protection "1; mode=block"
+          X-Permitted-Cross-Domain-Policies none
+          X-Robots-Tag "noindex, nofollow"
+          -X-Powered-By
+        }
+
+        php_fastcgi unix/${fpmSocket} {
+          root ${nginxRoot}
+          env front_controller_active true
+          env modHeadersAvailable true
+        }
+
+        @forbidden {
+          path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+          path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+          not path /.well-known/*
+        }
+        error @forbidden 404
+
+        @immutable {
+          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+          query v=*
+        }
+        header @immutable Cache-Control "max-age=15778463, immutable"
+
+        @static {
+          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+          not query v=*
+        }
+        header @static Cache-Control "max-age=15778463"
+
+        @woff2 path *.woff2
+        header @woff2 Cache-Control "max-age=604800"
+
+        file_server
+      '';
     };
-
-    caddy.virtualHosts.${host}.extraConfig = ''
-      encode zstd gzip
-
-      root * ${nginxRoot}
-
-      redir /.well-known/carddav /remote.php/dav 301
-      redir /.well-known/caldav /remote.php/dav 301
-      redir /.well-known/* /index.php{uri} 301
-      redir /remote/* /remote.php{uri} 301
-
-      header {
-        Strict-Transport-Security max-age=31536000
-        Permissions-Policy interest-cohort=()
-        X-Content-Type-Options nosniff
-        X-Frame-Options SAMEORIGIN
-        Referrer-Policy no-referrer
-        X-XSS-Protection "1; mode=block"
-        X-Permitted-Cross-Domain-Policies none
-        X-Robots-Tag "noindex, nofollow"
-        -X-Powered-By
-      }
-
-      php_fastcgi unix/${fpmSocket} {
-        root ${nginxRoot}
-        env front_controller_active true
-        env modHeadersAvailable true
-      }
-
-      @forbidden {
-        path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
-        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
-        not path /.well-known/*
-      }
-      error @forbidden 404
-
-      @immutable {
-        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-        query v=*
-      }
-      header @immutable Cache-Control "max-age=15778463, immutable"
-
-      @static {
-        path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-        not query v=*
-      }
-      header @static Cache-Control "max-age=15778463"
-
-      @woff2 path *.woff2
-      header @woff2 Cache-Control "max-age=604800"
-
-      file_server
-    '';
   };
 }
-- 
2.51.0

From d2f70557620fc47d3e6c0cce58440b0e8edb9921 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 25 Jul 2025 23:47:13 +0200
Subject: [PATCH 03/11] Nextcloud: fix phpfm permissions

---
 system/server/nextcloud.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix
index 4bfa5bf..ee24582 100644
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
@@ -56,6 +56,12 @@ in {
       };
 
       nginx.enable = lib.mkForce false;
+      phpfpm.pools.nextcloud.settings = let
+        inherit (config.services.caddy) user group;
+      in {
+        "listen.owner" = user;
+        "listen.group" = group;
+      };
       caddy.virtualHosts."${host}".extraConfig = ''
         encode zstd gzip
 
-- 
2.51.0

From 6700e426619e13136f29fc2a0a8c7889141c5197 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Fri, 25 Jul 2025 23:51:51 +0200
Subject: [PATCH 04/11] Nextcloud: enable oidc login

---
 system/server/nextcloud.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

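Review bot: `users.groups.nextcloud.members = ["nextcloud" "caddy"];` grants caddy more than socket access: it puts the frontend process, the one most exposed to untrusted input, into the group that owns Nextcloud's state under `/var/lib/nextcloud`, so anything there that is group-readable — presumably `config/config.php` with the database password and instance secret; worth checking the modes the module creates — becomes readable by caddy. Listing `"nextcloud"` in `members` is also a no-op, since that is already the user's primary group. If the only requirement is connecting to the PHP-FPM socket, scoping the grant to the socket (the pool's `listen.owner`/`listen.group`, or `listen.acl_users`) keeps caddy out of the state directory; if the group really is needed, a comment above the line naming the path that requires it would stop the next reader from removing it. The hunk spans the whole module body except the opening `let` bindings, which lie outside it.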
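Review bot: With `"listen.owner" = user;` and `"listen.group" = group;` the socket is created as caddy:caddy (PHP-FPM's default `listen.mode` is 0660, and as far as I recall the nixpkgs module sets these two keys to the nginx user with `mkDefault`, which is why caddy could not connect before), so the `users.groups.nextcloud.members = ["nextcloud" "caddy"]` line from the previous commit no longer does anything for the socket and only leaves caddy with group-level access to Nextcloud's state directory — drop it in this change. A short comment above the pool settings, `# Socket is owned by caddy; caddy must not be a member of the nextcloud group.`, would record the intent. Nothing else should need the old group grant — `occ` and the cron unit run PHP on the command line rather than through this socket, as far as I know — but a quick `occ status` after deploying is a cheap check. The enclosing `services = { … }` set opens and closes outside the hunk.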
diff --git a/system/server/nextcloud.nix b/system/server/nextcloud.nix
index ee24582..3831684 100644
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
@@ -27,9 +27,17 @@ in {
 
         autoUpdateApps.enable = true;
         extraAppsEnable = true;
-        extraApps = with config.services.nextcloud.package.packages.apps; {
+        extraApps = {
           # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
-          inherit calendar contacts mail notes tasks;
+          inherit
+            (config.services.nextcloud.package.packages.apps)
+            calendar
+            contacts
+            mail
+            notes
+            tasks
+            user_oidc
+            ;
         };
 
         settings = {
-- 
2.51.0

From 2aed55df7a91692aec6c68eae83882d809e4bd86 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Tue, 29 Jul 2025 13:25:19 +0200
Subject: [PATCH 05/11] Tiny change.

---
 system/server/index/index.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/system/server/index/index.html b/system/server/index/index.html
index 5e12672..6c24648 100644
--- a/system/server/index/index.html
+++ b/system/server/index/index.html
@@ -76,7 +76,8 @@
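Review bot: `user_oidc` is installed from the nixpkgs app set, but nothing in this hunk registers a provider, so the client id and secret for the identity provider are presumably entered through the admin UI or an `occ user_oidc:provider` call outside the repository. The repo already keeps the Immich client secret in `immich-oidc.age`; handling this one the same way (an age secret fed to the provider-registration step, or at least a comment pointing to where it is configured) keeps the secret out of shell history and makes a rebuild reproducible. A one-line comment next to the entry — `# OIDC login; the provider itself is registered out of band, see <location>` — would also tell the next reader that the app alone enables nothing. The hunk is a fragment of the `nextcloud = { … }` attribute set, which opens and closes outside it.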

Hello! I'm jsw, a frontend web developer with experience in Svelte + TS, Nix(OS) and currently learning Rust. This site is still under development, so please bear with me. In the meantime, feel free to reach out via email or explore my projects on GitHub.

📧 info@jsw.tf

-

🐙 GitHub

+

🔨 Personal git

+

🐙 GitHub (legacy)